
SIM swapping: how to protect yourself


A sudden network loss, suspicious account activity, or an unknown text message from your phone provider can all be signs of a SIM swapping attack. But what does it actually involve? And above all: how do you protect yourself against it? 

SIM swapping allows criminals to steal your phone number to gain access to online banking, email accounts, and other sensitive services. Those affected often don’t notice the attack until it’s too late – and then not only their personal data is at risk, but also their finances. It is therefore worth familiarizing yourself with this type of cyber attack so that you can recognize the signs at an early stage and take the right countermeasures.

What is SIM swapping?

SIM swapping is a new method of cybercrime. In this particularly perfidious scam, criminals try to transfer a victim’s phone number to a new SIM card. This gives them access to text messages, calls, and often even to sensitive accounts that use two-factor authentication via mobile phones, such as online banking or email services. 

How a SIM swapping attack works

Criminals use different methods to take control of a phone number: 

  • Phishing and social engineering: perpetrators, for example, pretend to be employees of a mobile phone provider or use phishing e-mails to gain access to personal data. 
  • Data leaks and identity theft: personal data already in circulation is used to falsify proof of identity. 
  • Manipulation of the mobile phone provider: using the stolen information, fraudsters request a new SIM card for the victim’s phone number. Once this card is activated, the actual owner loses control of the number. 

Why is SIM swapping dangerous?

As soon as fraudsters have control over a phone number via SIM swapping, they can theoretically gain access to accounts that are protected by that number through an SMS TAN or an SMS security code. By taking over the phone number, they can log into the relevant accounts. The impact then varies depending on the account. Some examples are listed below: 

  • Email accounts (e.g. Gmail, Outlook): accessing email communication by resetting the password and intercepting the second authentication factor. 
  • Social networks (e.g. Facebook, Instagram, LinkedIn): spreading phishing messages or other scams using the victim’s name and phone number. 
  • Bank accounts or payment services (e.g. PayPal, Twint): making payments by linking the victim’s bank account to the phone number under the fraudster’s control. 
  • Cloud services (e.g. Google Drive, iCloud): accessing stored documents, photos and personal data by resetting the password and intercepting the second authentication factor. 

Signs of SIM swapping

A SIM swapping attack usually comes unexpectedly – and that’s exactly what makes it so dangerous. But there are some warning signs that you should look out for. 

Suddenly no mobile phone reception:

  • Your smartphone shows “No network” or “Emergency calls only”, even though there is no known outage at your mobile phone provider. Phone calls and text messages are no longer received. 

Unusual account activity:

  • You receive e-mail notifications of attempted or successful logins to online services that you did not make yourself. Password resets or unknown changes to your accounts are reported. 

Unexpected messages from the phone provider:

  • You receive an SMS or e-mail confirming a “new SIM card” or “card activation” even though you have not applied for a new SIM card. 

Suspicious text messages or emails from banks and online services:

  • You receive alerts about new devices connected to your account, or notifications about failed login attempts. 

 

What are the consequences of SIM swapping?

A successful SIM swapping attack can have serious consequences. Because many online services use the phone number to verify identity, fraudsters gain extensive access to sensitive data and financial accounts by controlling their victims’ SIM cards. The consequences range from financial losses to identity fraud. 

Financial losses

  • Fraudsters may be able to log into their victims’ online banking, as they are now able to intercept SMS TANs or mobile verification codes. This enables them to make transfers to third-party accounts or make online purchases at the victim’s expense. 

Identity theft

  • Criminals use the stolen phone number to gain access to social networks, email accounts or Cloud services. Personal data can also be misused to conclude contracts or subscriptions. The identity of the victims can also be used to create fake profiles or send fraudulent messages. 

Permanent damage to your online security

  • Compromised accounts are often hard to get back, especially when attackers change settings such as email addresses or phone numbers. Access to email accounts allows fraudsters to reset more passwords and take over additional online accounts. 

Legal and organizational consequences

  • If cybercriminals commit fraud using your name, you could run into legal trouble. The account recovery process is often time-consuming and requires a lot of coordination with banks, phone providers and affected platforms. 

Lack of protection mechanisms

Many of those affected do not notice the attack until significant damage has already been done. It is often only apparent that something is wrong when unauthorized debits are made from a bank account or important access data has been changed without you having done anything. Moreover, protection mechanisms against SIM swapping are not yet sufficiently established everywhere. While banks increasingly rely on secure authentication methods such as pushTANs or biometrics, many online services continue to rely on SMS codes. 

Measures to protect against SIM swapping 

Since many online services use the phone number as a security feature, effective protection against SIM swapping is particularly important. Fortunately, there are several measures you can take to protect yourself. 

Use alternative authentication methods 

  • Use secure two-factor authentication (2FA): use an app like Google Authenticator or Authy to further protect your logins. A stolen password alone is no longer enough. 
  • Ask your bank for secure alternatives: many banks now offer pushTANs or special devices (hardware tokens). With these, you are much better protected than with a text message. 

Secure your mobile phone account

  • Activate a security code for your SIM card: many telecommunications companies offer a block against SIM swapping. This prevents someone from transferring your SIM to another device without your consent. 
  • Set a PIN for customer service: this personal PIN protects you against identity theft – it is requested whenever you call your provider. 

Protect personal data 

  • Do not disclose your phone number publicly: do not post your number on social networks, forums or comments. This will prevent it from falling into the wrong hands. 
  • Beware of attempted fraud: don’t click carelessly on links in emails or text messages. Don’t give out any personal details to an unverified caller, even if the caller appears to be trustworthy. 

Carry out regular security checks

  • Keep an eye on your bank and online accounts: regularly check your account movements to identify suspicious or unknown transactions at an early stage. 
  • Use strong, individual passwords: use a separate, secure password for each account. It’s best to use a password manager that stores your access data securely. 
  • Set up alerts: activate notifications of suspicious activity, for example, new logins or changes to your account settings. This way you will be informed immediately if something is wrong. 

After SIM swapping – what can you do?

If SIM swapping is suspected, quick action is crucial. The earlier you take measures, the more you can usually minimize the damage. 

1. Contact your phone provider immediately

  • Call your provider’s customer service and explain the situation. 
  • Have the unknown SIM card blocked and request a new SIM card. 

2. Change passwords immediately

  • Reset passwords for affected email accounts, online banking and social media profiles and choose unique, long and complicated passwords. 
  • If you use SMS TANs for online banking, inform your bank directly about the attempted fraud. 

3. Inform the bank and affected providers

  • Have your cards and online banking access checked. 
  • Report the incident to all affected online services and have accounts secured. 
  • If your phone number was used for two-factor authentication (2FA), update it with a new method. 

4. File a complaint

  • Report the fraud to the police. 
  • Document any suspicious emails, text messages, or login attempts as evidence. 
  • If financial losses have been incurred, check with your bank or insurance company for possible compensation. 
