What is SIM Swapping?
Cybercriminals attack systems either directly or via people. They are successful with people because they are good at deception. What appears on the screen may not be what the user expects it to be, and of course users should be vigilant.
New methods of conning the user are constantly being developed, and one that has recently been gaining traction is SIM swapping. While many businesses focus on traditional aspects of security such as firewalls, endpoint protection, and employee awareness, they often overlook a potential vulnerability: the SIM.
We all know what a SIM is: the small chip that confers a telephone number to a mobile phone.

What is SIM swapping?
SIM swapping (or SIM hijacking) is a technique where attackers take control of a victim’s phone number by tricking or bribing mobile carrier staff into transferring it to a SIM they control. Once they control the user’s voice and text messaging, they can bypass SMS-based security measures.
SIM Swapping and the Business
Many associate SIM swapping with personal banking fraud. This is bad enough for a personal user, but if the victim is a business, the hacker can gain access to corporate accounts! They can then authorize fraudulent financial transactions. This is a very worrying development.
Why have businesses now become prime targets?
Because control of a victim’s phone number gives the attacker:
· Interception of two-factor authentication (2FA) codes sent via SMS
· Account recovery texts for email, banking, and corporate platforms
· Phone calls and voicemails intended for the victim
With this access, attackers can reset passwords, steal money, and impersonate high-level executives, posing a significant threat to businesses.
How Attackers Carry Out SIM Swapping
How can criminals convince a mobile carrier to transfer a phone number to a new SIM card under their control? Deception (social engineering): these are professionals! Attackers choose a victim and then impersonate that victim. They often phish the prospective victim in advance to obtain the details they’ll need to pass carrier security checks. Their methods include:
· Fake emails and texts pretending to be from the mobile carrier.
· Phone calls posing as tech support to extract personal details.
· Social media scraping to find personal answers to security questions.
After due preparation, they impersonate the victim and contact the mobile carrier’s customer service, claiming:
· They lost their phone and need a new SIM activated.
· They’re traveling abroad and need assistance reactivating their number.
· They’re in an urgent business situation and need immediate help.
To make their request more convincing, they may:
· Provide stolen personal details (name, address, last payment amount).
· Try multiple customer service agents until they find one who approves the request.
· Use deepfake voice technology to sound like the real victim.
Once they have persuaded the carrier representative that they are “the victim”, and the number has been transferred to the fraudulent SIM, they will have taken over all aspects of the victim’s number.
Worse still, a hacker could become an “insider” at a mobile carrier, or compromise an employee to become that “insider” for them. The effect would be the same. Most hacking activity (about 90%, in fact) involves some aspect of insider activity.
These insiders could:
· Process unauthorized SIM swaps for the attacker.
· Disable security alerts so the victim isn’t notified of changes.
· Modify account details, such as linked emails and backup numbers.
Without an insider, it is more difficult for the hacker, but they can still exploit inconsistent or weak security policies, making the mobile carrier an easier target. For example:
· asking only for basic account details (which hackers can easily obtain).
· allowing account PIN resets via email, which can be hijacked first.
· bypassing verification for "VIP customers" (a popular con for executives).
What could happen to a business with a compromised SIM?
SIM swapping can have severe consequences, especially for executives, IT admins, and finance employees. Examples:
1. Unauthorized Access to Corporate Accounts
Many businesses still use SMS-based 2FA for:
· Email platforms (Google Workspace, Microsoft 365)
· Cloud services (AWS, Azure, Dropbox)
· CRM and customer databases
· Finance and payroll systems
If an attacker hijacks an employee’s phone number, they can reset passwords and gain full access to these platforms, leading to:
· stolen customer, employee, or intellectual property data.
· ransomware attacks – Encrypting company files and demanding a ransom.
· the serious matter of BEC (business email compromise).
The wily hacker, armed with information, can impersonate an executive and trick an employee into making fraudulent financial transactions. Intercepted SMS codes also expose:
· online banking logins
· wire transfer approvals
· payment processing and invoice changes
Example Scenario: A CFO’s number is hijacked, allowing an attacker to approve a £250,000 fraudulent wire transfer.
It gets worse! With access to an executive’s phone number, attackers can:
· Reset corporate email passwords and impersonate leadership.
· Send fraudulent emails to employees or clients.
· Approve fake transactions via intercepted 2FA codes.
Example: A cybercriminal hijacks a CEO’s phone number, resets their email password, and sends an urgent email to the finance team requesting a wire transfer of a large sum of money.
It doesn’t end there! There may well be regulatory & legal consequences. A SIM swap attack leading to a data breach could put businesses in violation of:
· GDPR - Fines up to 4% of annual revenue for mishandling customer data.
· PCI DSS (payment card security compliance) - increased regulatory scrutiny.
Example: A financial firm experiences a SIM swap attack that compromises client banking details, leading to a major fine and reputational damage.
Still more to come: disruption to the business itself! Employees who lose access to their business phone number could:
· Be locked out of corporate accounts requiring SMS authentication.
· Miss critical transactions or approvals, delaying operations.
· Be unable to communicate with partners and clients.
Example: An IT manager loses control of their phone number, locking them out of the company’s cloud infrastructure and delaying security updates.
What can the business do to prevent all this? Read on…
How Businesses Can Protect Themselves from SIM Swapping
Businesses were advised to adopt 2FA (two-factor authentication) to supplement username/password authentication. The second factor was either a code from an authenticator app or a code sent by SMS. Several years later, owing to the unexpected rise of SIM swapping, the latter is now known to be a potentially flawed technique.
Thankfully, much can be done.
Some mitigation options:
· Avoid SMS-based 2FA where possible, and use authenticator apps instead (Google Authenticator, Microsoft Authenticator).
· Deploy hardware security keys (YubiKey, Titan Security Key).
· Require a PIN or passphrase for account changes.
· Educate employees about SIM swap risks.
· Train staff to never share mobile account details over the phone.
· Warn employees about phishing emails posing as mobile carriers.
· Limit SMS-based account recovery.
· Ensure email and financial accounts don’t allow SMS recovery alone.
· Set up multi-layered authentication for sensitive systems.
Final Thoughts
Businesses need to accept that the security landscape is constantly evolving, and their defences need to constantly evolve in response. Yes, businesses were encouraged to use 2FA because it is more secure than a username and password alone, and SMS codes were a viable component of the technique.
SIM swapping has turned this “solution” into yet another potential cybersecurity threat for businesses. From data breaches to financial fraud and executive impersonation, attackers are exploiting weak phone security to bypass traditional defences.
As well as replacing SMS-based authentication with authenticator applications, businesses need to strengthen internal security policies, and educate, educate, educate. If your business still relies heavily on SMS authentication, it’s time for a rethink of security strategy before it’s too late.
Further Reading:
Sim Swapping:
SMS 2FA alternatives:
Regola article on importance of employee training:
Regola article on 2FA: