
SIM Swapping Attacks Explained

What Is a SIM Swap?

A SIM swap, also known as SIM hijacking or SIM splitting, is a type of attack where a criminal convinces your mobile phone provider to transfer your phone number to a new SIM card that they control. Once the transfer is complete, the attacker receives all calls and text messages intended for you, including one-time verification codes sent by banks, email providers, and social media platforms.

This attack is particularly dangerous because many services rely on SMS messages as a second factor of authentication. If a criminal already knows your password (perhaps from a data breach) and can intercept your SMS codes, they have everything they need to access your accounts.

How SIM Swap Attacks Work

The attack typically follows a predictable pattern:

  1. Information gathering: The attacker collects personal information about you. This might come from social media profiles, data breaches, phishing attacks, or data broker websites. They need enough details to impersonate you convincingly, such as your full name, date of birth, address, and account number.
  2. Contacting your carrier: Armed with your personal details, the attacker contacts your mobile provider, either by phone, through online chat, or by visiting a store in person. They claim to be you and request a SIM replacement, citing a lost or damaged phone.
  3. Verification bypass: The attacker answers security questions using the information they have gathered. If the customer service representative is insufficiently thorough, the transfer is approved.
  4. Number transfer: Your phone number is moved to the attacker's SIM card. Your phone will lose signal and display "No Service" or "Emergency Calls Only".
  5. Account takeover: The attacker immediately uses your phone number to reset passwords, intercept verification codes, and access your email, banking, cryptocurrency, and social media accounts.

Why SMS Two-Factor Authentication Is Vulnerable

SMS-based two-factor authentication (2FA) was once considered a strong security measure. However, it relies on the assumption that you, and only you, receive messages to your phone number. SIM swapping breaks this assumption entirely. Once your number is compromised, every account that uses SMS verification is at risk.

Beyond SIM swapping, SMS messages can also be intercepted through vulnerabilities in the SS7 protocol, the system that mobile networks use to route calls and texts globally. Whilst these attacks are more sophisticated and less common, they further demonstrate that SMS is not a reliable channel for security-critical communications.

The National Cyber Security Centre (NCSC) recommends using authenticator apps or hardware security keys instead of SMS-based verification wherever possible.

Setting Up Carrier PINs

Most UK mobile providers allow you to set a PIN or passcode on your account that must be provided before any changes can be made, including SIM swaps. This is one of the most effective defences against SIM swapping:

  • Contact your provider: Call your mobile network's customer service line and ask to set an account PIN or port protection password.
  • Choose a strong PIN: Do not use obvious numbers like your date of birth or sequential digits. Choose something random that you can remember.
  • Confirm protection is active: Ask the representative to confirm that no SIM changes or number ports can be processed without this PIN.
  • Set up alerts: Some providers can notify you by email when changes are requested on your account.

Switching to Authenticator Apps

Authenticator apps generate time-based one-time passwords (TOTP) directly on your device, with no reliance on your phone number or network connection. Even if an attacker takes control of your SIM, they cannot access codes generated by an authenticator app on your physical device.

Popular authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy. To set up an authenticator app:

  1. Download and install the app on your phone.
  2. Go to the security settings of each account you want to protect.
  3. Select the option to enable two-factor authentication using an authenticator app.
  4. Scan the QR code displayed on screen with your authenticator app.
  5. Enter the generated code to confirm the setup.
  6. Save the backup recovery codes provided by the service in a secure location.

On KF.Social, you can switch from SMS-based verification to an authenticator app through your account security settings. We strongly recommend making this change to protect your account from SIM swap attacks.

What to Do If You Suspect a SIM Swap

If your phone suddenly loses signal for no apparent reason, especially if you then receive notifications about password changes or login attempts, act immediately:

  1. Contact your mobile provider from another phone and report a suspected SIM swap.
  2. Change passwords on your most critical accounts: email, banking, and any platforms connected to your phone number.
  3. Report the incident to Action Fraud and your bank.
  4. Check your accounts for unauthorised transactions or changes.

Speed is essential. The window between a SIM swap and an account takeover can be very short, sometimes just minutes.
