SIM swapping: what it is, how to detect it and how to protect yourself

  • SIM swapping duplicates your SIM and transfers your number to the attacker, allowing them to intercept SMS messages and calls.
  • The key sign is a sudden loss of coverage; there are also email alerts and account lockouts.
  • Protection: 2FA without SMS, strong passwords, network privacy, and carrier PIN/locks.
  • If you suspect anything, call your operator, notify the bank, change your passwords, and save evidence to report it.
Isaac

9 minutes

Illustration about SIM swapping

In recent years, we've seen mobile phones become the center of our digital lives, and it's precisely there that criminals have found a goldmine with SIM swapping. Although it's not a new technique—it's been heavily documented since 2019—it remains fully relevant and periodically makes headlines due to significant frauds. Understanding what it is, how it is detected, and how to protect ourselves. It's key to avoiding a shock with our accounts.

This type of scam exploits a simple detail: the SIM card links your phone number to a device. If someone obtains a duplicate of that SIM card in your name, they can then receive your calls and messages. And since some services still use SMS to verify transactions, the attacker can intercept security codes and gain access to your accounts. The result can range from the hijacking of social media profiles to the emptying of bank accounts., with the resulting headache.

Differences between MultiSIM and SIM card duplication-0
Related article:
Differences, advantages, and operation of MultiSIM and SIM duplication: the definitive guide

What exactly is SIM swapping?

SIM swapping (or fraudulent SIM swapping/duplication) is a form of identity theft in which a criminal convinces the operator to assign your number to a SIM card that they control. When the new SIM is activated, the original one is immediately disabled., which leaves you without coverage for calls, SMS and mobile data.

The technical basis is simple: the SIM card identifies your line to the operator's network and enables service. If someone manages to create a duplicate, Start receiving your SMS messages and calls as if it were youThat control opens the door to omitting. SMS verifications (2FA) You can now reset passwords using codes sent by text message.

This fraud does not arise from a fault in your mobile phone, but from weaknesses in the identity verification that some operators apply when processing duplicates. If the verification process is lax and the offender provides credible informationYou can leave with a new SIM linked to your number.

How do criminals operate step by step?

The attack typically begins with the collection of personal information. Criminals combine various techniques: from phishing (emails or SMS messages requesting data), social engineering calls, purchasing leaked databases, or tracking public profiles on social media. With that battery of data (ID, address, answers to security questions, last digits of accounts, etc.) They construct a convincing identity.

With the information in hand, the next step is to contact the operator. Sometimes this is by phone, and other times even in person. The scammer impersonates the victim, claims to have lost their phone or SIM card, and requests a duplicate. If identity verification is not strict or is not performed by specialized personnelThe application can slip through with a plausible story and valid data (much of it obtained from data leaks).

Once the company migrates the line to the new SIM, the victim's phone loses service: the signal bars disappear and mobile data stops working. From that moment on, the attacker controls the phone number and intercepts calls and messages.

With the duplicate active, the criminal usually goes after what's important: access to online banking or services like Bizumpurchases or even loan applications. Attacks on cryptocurrency wallets are also frequent, where SMS is still used as a verification factor in certain services. With control of the number, intercepting codes and confirming transactions is a matter of minutes..

How to identify a SIM swap in progress

The clearest sign is that your phone suddenly loses service for no apparent reason. The original SIM card is deactivated when the duplicate is activated, so you can't make calls, send messages, or use data. If there's no network issue and you haven't changed your SIM card, be suspicious. immediately.

Besides loss of coverage, there are other useful clues. For example, emails alerting you about password changes you didn't request, unexpected account lockouts, messages or calls informing you of changes to your line, and unusual posts on your social media profiles. If you notice unsolicited activity in banking or payments, act without delay..

  • Disappearance of mobile service (calls, SMS and data) for no known technical reason.
  • Email alerts password reset or account change notifications that you did not initiate.
  • Access denied or blocks in banking, email or social networks, without you having changed the password.
  • Suspicious financial transactions or notifications of unrecognized transactions.
  • Previous calls/SMS warning of changes to your mobile service that you have not requested.

An added problem is that the attacker can choose times when you are usually busy, working or sleeping, so that you don't notice the loss of coverage. That's why it's a good idea to have alerts activated and check your email frequently. associated with your critical accounts.

What is SIM swapping used for?

The primary objective is financial gain: gaining access to online banking for transfers, purchases, or even applying for loans. Attacks on cryptocurrency wallets are also common, where SMS messages are still used as a verification factor in certain services. With control of the number, intercepting codes and confirming transactions is a matter of minutes..

In other cases, the goal is social media control and reputational blackmail. Stealing profiles allows for extortion, the dissemination of offensive content, or the acquisition of contact lists to further the fraud. They can even impersonate you to deceive colleagues and family members. with plausible messages sent from “your” number.

The magnitude of the problem is significant. Estimates cited by US law enforcement agencies speak of tens of millions of dollars stolen in a single year using this method, a notable increase compared to previous periods. The impact can be economic, personal, and professional.and drag on for months.

Good practices to protect yourself

Prevention involves reducing your public data footprint and strengthening verification processes with your mobile carrier and online accounts. While not everything is within your control—duplicate validation depends on the provider—there's a lot you can do. The more layers of security you add, the harder it is for the attacker..

  • Be careful what you post On social media: restrict privacy, avoid sensitive data (address, date of birth, pet name, etc.) that could be used to answer security questions.
  • Be wary of links and attachments in emails, SMS messages, or messaging apps. Do not share personal or banking information with strangers.
  • Use unique and strong passwords Use a password manager. Regularly change credentials for critical services.
  • Activate second factor without SMS (Authentication apps like Microsoft or Google Authenticator, physical keys). If a service allows a choice, avoid SMS as 2FA.
  • Avoid public Wi-Fi networks For sensitive operations, do not install apps from outside official stores; review the permissions you grant.
  • Set up alerts in your bank to detect suspicious movements and logins instantly.

Also strengthen your security with your mobile operator. Many companies allow you to add an account PIN, a password, or a specific lock for number transfers and duplicates. Call your operator and ask about measures such as PIN requirement to make changes and additional verification in store.

At the industrial level, network-based anti-fraud integrations are emerging, such as Open Gateway's initiatives with its SIM Swap API. These solutions allow entities (e.g., banks) to check for recent SIM or device changes before authorizing a transaction. If your bank or operator uses them, the system can detect a recent change and add friction to suspicious transactions..

What to do if you suspect your SIM card has been duplicated

Where to find the PUK code if you lose your SIM

First things first: stay calm and act quickly. If you suddenly lose service without explanation, treat it as if it were a SIM swap until proven otherwise. Contact your operator immediately from another phone to check the line status and request the blocking or reversal of the duplicate.

Explain that you suspect fraud and request the deactivation of any newly issued SIM cards, as well as information about the last change made. Request instructions to recover your number with the highest priorityeither by reactivating the legitimate SIM or by giving you a new one with strict in-person verification.

Next, contact your bank (or banks). Request a temporary freeze on your cards and transactions, as well as transaction monitoring. Check your accounts for any unrecognized transfers or charges. and requests to initiate the processes of reversal or claim if appropriate.

Once you've regained control of the number, change your email, banking, and other passwords. social media and any critical services. Prioritize accounts that use your phone for 2FA or recovery. Migrate SMS two-factor authentication to authentication apps or physical keys.and updates recovery methods so as not to depend on the mobile number.

Keep all evidence: notification emails, screenshots, SMS messages, incident numbers, as well as any records provided by the operator. Report the fraud to the State Security Forces and CorpsIn cases of cyber fraud, you can seek guidance and, if applicable, report it to specialized channels. It is also advisable to consult the resources of the Internet User Security Office (OSI).

The role of social media and social engineering

Attackers often start by looking at what you post online. Birthdays, addresses, jobs, hobbies, or your pet's name can be the key to answering security questions or convincing a support agent. The less public exposure, the fewer pieces the con artist will have to piece together their story..

Review your privacy settings, limit who sees your activity, and reduce the information visible in your bios and older posts. Avoid revealing information that is often used as passwords or recovery answers. If a service requires you to use security questions, answer with fictitious information and save it in your password manager..

In a world where almost everyone carries a smartphone and many processes still rely on SMS, it's wise to remain vigilant. From monitoring coverage and login alerts to using 2FA without SMS, setting up a PIN with your carrier, and reviewing your public profile, The sum of small barriers is what makes the differenceIf one day you notice your mobile phone goes silent for no reason, don't take any chances: call your operator from another phone and activate the emergency plan; the sooner you cut off access, the better. The easier it will be to regain control and minimize damage..