SIM Swap Attack

What Is a SIM Swap Attack

A SIM swap attack (also known as SIM hijacking) is an attack technique where the attacker tricks a mobile carrier into transferring the victim's phone number to a SIM card controlled by the attacker. By seizing control of the phone number, the attacker intercepts two-factor authentication codes sent via SMS and gains unauthorized access to bank accounts, cryptocurrency wallets, email accounts, and more.

This attack relies primarily on social engineering rather than technically sophisticated hacking. The attacker contacts the mobile carrier's customer support using personal information obtained through phishing or data breaches (name, address, date of birth, account number, etc.) and requests a number transfer by claiming "I lost my SIM card" or "I want to change my phone."

In Japan, cases of fraudulent transfers through SIM swap attacks have been reported since 2022, and the Ministry of Internal Affairs and Communications has asked mobile carriers to strengthen identity verification.

Specific Techniques of SIM Swap Attacks

  1. Collecting personal information: The attacker gathers the target's name, address, date of birth, phone number, and account information from phishing emails, publicly available SNS information, data leaked in past breaches, and personal information sold on the dark web.
  2. Contacting the mobile carrier: Using the collected personal information, the attacker contacts the mobile carrier's customer support and impersonates the victim. They claim "I lost my SIM" or "I want to switch to a new device" and request the number be transferred to a new SIM.
  3. SIM transfer: Once the attacker passes the mobile carrier's identity verification, the victim's phone number is transferred to the attacker's SIM. At this point, the victim's smartphone goes out of service and can no longer receive calls or SMS.
  4. Account takeover: The attacker receives SMS authentication codes on the victim's phone number and logs into bank accounts, email accounts, cryptocurrency exchanges, etc. Password resets can also be performed via SMS, so accounts can be taken over even without knowing the password.

The entire attack process is often completed within a few hours, and by the time the victim notices something is wrong, funds have already been transferred.

Defenses Against SIM Swap Attacks

The following measures help protect you from SIM swap attacks.

  • Move away from SMS authentication: The most effective measure is to stop using SMS-based two-factor authentication. Switching to TOTP (authenticator apps like Google Authenticator or Authy) or passkeys means authentication codes cannot be intercepted even if the phone number is stolen.
  • Set a PIN/password with your mobile carrier: Many mobile carriers allow setting an additional PIN or password for SIM changes and number portability. NTT Docomo, au, and SoftBank all verify PINs during in-store procedures.
  • Minimize public personal information: Avoid publishing your date of birth, address, and phone number on social media. Reducing information attackers can use for identity verification lowers the success rate of social engineering.
  • Early detection of anomalies: If your smartphone suddenly goes out of service or stops receiving SMS, suspect a SIM swap attack and immediately contact your mobile carrier. The longer you wait, the more the damage grows.
  • Email notifications for important accounts: Set up email notifications for login alerts and transfer notifications on bank accounts and cryptocurrency exchanges. This helps with early detection of unauthorized access.

SMS Authentication Risks and Alternatives

The fundamental problem with SIM swap attacks is that SMS is vulnerable as an authentication method. NIST (National Institute of Standards and Technology) designated SMS-based authentication as "deprecated" as early as 2016.

SMS authentication is vulnerable for reasons beyond just SIM swapping.

  • SS7 protocol vulnerabilities: The SS7 protocol underlying the telephone network has design vulnerabilities that make SMS interception technically possible.
  • SMS interception by malware: Malware installed on Android devices can read SMS messages and forward them to attackers.

Recommended alternatives in order of preference:

  1. Passkeys: Phishing-resistant and the most secure. Works with device biometrics for high convenience.
  2. TOTP authenticator apps: One-time passwords generated on the device. Not dependent on communication channels, so unaffected by SIM swaps.
  3. Hardware security keys: Physical devices like YubiKey. Phishing-resistant and widely adopted in enterprise environments.

Not all services support authentication methods other than SMS, but it is strongly recommended to prioritize migration for important accounts such as banking, email, and cryptocurrency.

To learn more about this topic, see Two-Factor Authentication (2FA): The Best Defense for Your Accounts.

Common Misconceptions

SIM swap attacks only target celebrities and wealthy individuals
Regular users who hold cryptocurrency or rely on SMS authentication for online banking are also targeted. Attackers can cheaply obtain large amounts of personal information on the dark web and attack multiple targets simultaneously with automated tools.

Japanese mobile carriers have strict identity verification so SIM swaps don't happen
Multiple cases of SIM swap attack damage have been reported in Japan since 2022. Techniques using forged identification documents to have SIMs reissued at carrier shops have been confirmed. While mobile carriers are strengthening countermeasures, the risk is not zero.