SIM swap fraud is a social engineering attack in which cybercriminals take control of a victim’s phone number by convincing their mobile carrier to transfer it to a new SIM card.

Once the fraudster has access to the victim’s number, they can intercept SMS-based one-time passwords (OTPs), security alerts, and password reset codes, enabling them to break into banking accounts, email, social media, cryptocurrency wallets, and other sensitive platforms.

Before executing a SIM swap attack, fraudsters collect personal details about their target, including:

• Full name
• Phone number
• Address
• Email account details
• Date of birth
• Banking information
• Answers to security questions (e.g., mother’s maiden name, first pet’s name)

Hackers obtain this information through:

• Phishing attacks (fake emails or texts tricking victims into revealing data)
• Social engineering (posing as customer service agents, bank representatives, or even the victim’s friends)
• Data breaches (buying stolen information from the dark web)
• Malware and keyloggers (stealing login credentials from compromised devices)
• Publicly available data (social media, data aggregation sites, leaked databases)

Using the stolen information, the attacker calls or visits the victim’s mobile carrier and pretends to be them. They claim:

• Their phone was lost or stolen, and they need a replacement SIM.
• They are switching to a new device and need their number transferred.

The attacker may use various methods to bypass the carrier’s security:

• Providing stolen personal details (to answer security questions)
• Bribing or coercing telecom employees into issuing a new SIM
• Exploiting weaknesses in customer service protocols (some carriers lack strong verification processes)

If successful, the carrier deactivates the victim’s original SIM card and activates the fraudster’s SIM with the same phone number.

Now that the hacker controls the victim’s number, they can:

• Receive all calls and SMS messages intended for the victim
• Intercept OTPs and 2FA codes to reset passwords for banking, email, and social media accounts
• Lock the victim out by changing account passwords and recovery settings
• Steal money by transferring funds from bank accounts or cryptocurrency wallets
• Commit fraud by impersonating the victim to scam their contacts

If you’re unable to make calls, texts, or use mobile data, that’s a sign that something’s seriously wrong with your network connection. The problem could be a simple service outage, or it could be because a SIM card swap has transferred your cell service and phone number to somebody else.

Many services will notify you if they detect unusual account activity. If you start getting emails about suspicious activity on your accounts, there might be a SIM swap hack in progress. Likewise, your cell carrier may send you a confirmation message that your phone number has been activated on a new device.

A SIM card hackers’ first move is often to lock you out of your accounts by changing the passwords. Some accounts also will also automatically block access as a security measure after too many questionable login attempts. So, losing access is a clear signal that someone has — or is attempting to — compromise your accounts, and you should take immediate steps to secure them.

The ultimate goal of a SIM swap attack is often to drain a victim’s bank account. If you get notifications about transactions you didn’t make, it could be due to SIM swapping. In this case, as well as disputing the unauthorized charges and securing your financial accounts, it’s vital that you regain control of your phone number as soon as possible.

A Delhi high court advocate fell victim to SIM swap fraud, losing a significant sum from her bank account despite never sharing her OTP, passwords, or banking details. The fraud began when she received three missed calls from an unknown number. Later, when she called back from another number, she was told it was related to a courier delivery. She shared only her home address, believing she was receiving a package from a friend, which she eventually received.

Soon after, she received alerts about unauthorized withdrawals from her bank account. Upon investigation, the Cyber Cell found phishing messages sent to her, including one related to UPI registration. Her browser history also showed visits to suspicious websites she never accessed.

Later, she received a call from someone impersonating an IFSO officer, asking for her bank statement, but she did not share any details.

Police suspect that fraudsters exploited contacts within mobile companies to obtain her personal information and used insider connections to swap her SIM card. Once in control, they intercepted OTPs and accessed her bank account.

This case is one of several recent SIM swapping and phone hacking incidents in Delhi. A cyber fraud investigation is underway, but no suspects have been identified yet.

A 44-year-old woman from Noida, who works in a private company, became the victim of a cybercrime. The woman, residing in Sector 82, reported that over Rs 27 lakh was stolen from her account. Following the fraud, she complained to the Noida Sector 36 Cybercrime Police Station. A case has been registered under sections 318 (4) and 319 (2) of the IT Act.

How did the fraud happen?

According to the woman’s statement to the police (which was filed on August 31, 2024), she stated that she received a WhatsApp call from someone who claimed to be from the customer care of a telecom company. The fraudster convinced her about the benefits of switching her number to an eSIM. Believing it to be genuine (by mistake), the woman shared a verification code which was sent to her phone. After this, her mobile number was deactivated.

The next day, when the woman did not receive her eSIM, she contacted the official customer service of the telecom provider. There, she was advised to visit a nearby store to get a new SIM card. After receiving the new SIM, she noticed multiple messages on her number, revealing that more than Rs 27 lakh had been withdrawn from her account.

A South Delhi-based businessman was duped of more than Rs 50 lakh by some unknown scammers through a series of missed calls, the police said on Tuesday, adding that the victim had not shared any OTP or personal details with the accused.

The man, in his complaint, said he had received several missed calls and when he picked up one of the calls, there was no response from the caller’s side. Later, he found out that multiple transactions were made from his bank account and he lost nearly Rs 50 lakh.

A case has been registered at the Delhi Police’s cyber crime unit. According to a senior police officer, initial inquiry suggested the victim was duped using a SIM-swap technique.

A SIM-swap fraud is an account takeover scam in which criminals gain access to a victim’s phone. They manage to get personal information of a potential target through phishing (fake mails), vishing (fraudulent phone calls), smishing (fake text messages), etc. They then use all personal information to create a fake ID, impersonate the victim, and trick the telecom service provider to issue a duplicate SIM card – mostly on the pretext of losing the phone, or the old SIM card getting damaged. Once the duplicate SIM starts functioning, the original SIM gets blocked, the officer said.

With the help of the duplicate SIM, they can get a one-time password (OTP) and other alerts required to carry out financial transactions through the victim’s bank account.

1. Financial Loss:

• Hackers can empty bank accounts, steal cryptocurrency, or make fraudulent transactions.
• Victims may struggle to recover stolen funds, especially in crypto cases.

2. Identity Theft:

• Attackers can impersonate victims to scam their contacts, apply for loans, or commit fraud.

3. Loss of Account Access:

• Victims may be locked out of their email, banking, and social media accounts.

4. Reputation Damage:

• Cybercriminals can post malicious content on social media, harming the victim’s online presence.

Contact your cell provider as soon as possible if you suspect a SIM swap. Your cellular service provider may not be able to catch the crook, but they can put an end to their scheme by cutting off their access to your mobile network.

Next, contact your bank to advise them of the situation. Their support team will walk you through what you need to do to protect your finances, but you should certainly freeze your accounts to block all transactions until you’re sure they’re secure. unauthorized transactions have already gone through, start the dispute process to see if they can be canceled or refunded.

Until you’re 100% certain the SIM swap scammer no longer has access to your texts and calls, prevent them from locking you out of any more accounts by logging in, disabling 2FA in your account settings, and then choosing a new, strong password for good measure.

As well as re-enabling 2FA once your cell service is restored to a SIM card you control, make sure you have all account security features and notifications turned on to help you detect and prevent SIM swap attacks and other hacks in the future.

Hackers often take control of social media accounts to spread scams, impersonate victims, or demand ransoms. Check all your accounts, including Facebook, Instagram, Twitter, LinkedIn, and others, for signs of unauthorized access. If you can still log in, reset your passwords immediately and log out of all active sessions to force any unauthorized users out of your account.

Enable multi-factor authentication (MFA) using an authenticator app like Google Authenticator or Authy, which is more secure than SMS-based 2FA. Remove any unauthorized phone numbers or email addresses from your account settings, as these may have been added by the hacker to regain access later. Finally, inform your friends, family, and colleagues about the attack to prevent them from falling for scams that may be sent from your compromised accounts.

SIM swap fraud is often the result of personal data leaks. To check if your phone number or email has been exposed in a data breach, visit Have I Been Pwned at https://haveibeenpwned.com. If your data is found in a breach, immediately change all associated passwords and remove publicly visible phone numbers from sensitive accounts.

Reporting the fraud is crucial for both legal and financial recovery. Contact your country’s cybercrime unit or law enforcement agency to report the SIM swap fraud. In the United States, report the crime to the Federal Trade Commission (FTC) at https://reportfraud.ftc.gov or the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov.

In the United Kingdom, file a complaint with Action Fraud at https://www.actionfraud.police.uk, and in India, report to the Cyber Crime Cell at https://cybercrime.gov.in. If you lost money due to the attack, file a fraud claim with your bank or mobile provider to request reimbursement.