A SIM swapping attack, also known as a SIM swap scam or SIM hijacking, is a form of identity theft in which an attacker manipulates a victim’s phone carrier into transferring the victim’s phone number to a SIM card controlled by the attacker. This malicious act is achieved through social engineering techniques or by exploiting personal information that may have been exposed in data breaches.
The attacker usually starts by gathering as much personal information as possible about the victim. They may then contact the victim’s mobile carrier, posing as the legitimate account holder, and claim that they have lost or damaged their SIM card, or that they are switching phones and need to transfer the phone number to a new SIM card, which is actually in the possession of the attacker.
Once the carrier is duped into transferring the phone number to the attacker’s SIM card, the attacker gains control over the victim’s phone number. This includes receiving all incoming calls and text messages, which can be particularly damaging if the victim uses SMS-based two-factor authentication (2FA) for additional security on their accounts. The attacker can use this access to intercept 2FA codes sent via SMS, reset passwords, and ultimately gain unauthorized access to the victim’s online accounts, including email, banking, and social media platforms.
The impact of a SIM swapping attack can be devastating, leading to identity theft, financial loss, and a significant breach of personal privacy. It underscores the importance of using more secure methods of 2FA, such as authentication apps or hardware tokens, and being cautious about sharing personal information that could be used in such attacks.
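As an added example (not part of the original article), the sketch below scans an account event log for the sequence described above: a SIM change followed shortly by a password reset or login that relied on SMS. The log format, the event names and the availability of a `sim_change` signal for a number are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, account, event type, channel.
EVENTS = """\
2024-05-01T09:00:00 alice login_ok totp
2024-05-01T10:00:00 bob sim_change carrier
2024-05-01T10:20:00 bob password_reset sms
2024-05-01T10:25:00 bob login_ok sms
2024-05-02T08:00:00 carol sim_change carrier
2024-05-02T08:30:00 carol login_ok totp
2024-05-09T12:00:00 carol password_reset sms
2024-05-03T07:00:00 dave password_reset sms
"""

# Assumption: these are the actions a hijacked number exposes when done over SMS.
SMS_SENSITIVE = {"password_reset", "login_ok"}


def parse(line):
    """Split one log line into (timestamp, account, event, channel)."""
    ts, account, event, channel = line.split()
    return datetime.fromisoformat(ts), account, event, channel


def find_suspicious(log_text, window=timedelta(hours=24)):
    """Return (account, event, minutes_since_sim_change) for SMS-backed
    actions that occur within `window` after a SIM change on that account."""
    last_swap = {}  # account -> time of the most recent SIM change
    alerts = []
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, account, event, channel in events:
        if event == "sim_change":
            last_swap[account] = ts
            continue
        swapped = last_swap.get(account)
        if (swapped is not None and channel == "sms"
                and event in SMS_SENSITIVE and ts - swapped <= window):
            minutes = int((ts - swapped).total_seconds() // 60)
            alerts.append((account, event, minutes))
    return alerts


if __name__ == "__main__":
    for account, event, minutes in find_suspicious(EVENTS):
        print(f"ALERT {account}: {event} via SMS {minutes} min after SIM change")
```

A match is a reason to hold the action and re-verify the user through a channel that does not depend on the phone number, such as an authentication app or hardware token.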