Friday, January 10, 2025

Urgent warning over SIM swap scam that gives hackers control of your phone number – here’s how to keep your device safe

Experts are warning mobile phone users to be extra vigilant over a fresh wave of SIM-swap fraud, which has doubled in the space of a year. 

The dodgy practice – which counts Twitter founder Jack Dorsey among its victims – is when criminals remotely transfer your phone number to their own SIM card. 

This gives them control of your phone number, so they can receive your calls and texts. 

It means they can use two-factor authentication (2FA) codes that are sent by text to access your personal accounts – including bank accounts.

SIM-swap fraud has doubled year-on-year, according to consumer champion Which?, citing data from Action Fraud. 

It went from 558 cases in 2022 to 1,070 in 2023 and reached 2,037 at the end of November 2024, having previously fallen during the pandemic. 

One woman lost more than £2,000 to a SIM-swap scam – but was told by PayPal and Klarna that she was liable for the money. 

‘SIM-swap fraud can be traumatising for victims, who might see their private accounts being hijacked and drained of large sums of money in a matter of a few hours,’ said Gurpreet Chhokar, consumer law expert at Which?

SIM-swap fraud doesn't have to involve the perpetrator physically accessing your phone to put a new SIM card in it. Instead, the criminal convinces your network operator (such as Vodafone, Three or EE) to switch your number to a new SIM card that they possess (file photo)

According to Which?, it can be ‘staggeringly easy’ for a scammer to steal your phone number without getting physically near to you or your phone – although there are some cases of in-person SIM theft too. 

The scammer convinces your network operator – whether it’s Vodafone, Three or EE – to switch your number to a new SIM card that they possess. 

Firstly, the criminal starts by collecting personal information about you, from your social media accounts, previous data breaches, or phishing messages and phone calls. 

In some cases, scammers will start by calling a random mobile phone number and gaining information from whoever is on the other end – such as name, address, birthdate and passwords. 

These details may even be gained through dodgy emails claiming to be from your smartphone provider inviting you to complete a questionnaire. 

Other scammers trick you into clicking on email links that fill your computer with malware that records your keystrokes, including any passwords or security question answers you type, according to security firm Norton.  

Once they have enough details about you, the scammer will contact your mobile network provider posing as you – either over the phone, online or in-store.

The scammer convinces the provider to switch your number to a new SIM card that they possess, using the personal information they gathered to pass any security checks. 

If successful in his or her attempts, a fraudster can use two-factor authentication (2FA) codes sent by text to access your personal accounts - including bank accounts (file photo)

What is SIM-swap fraud? 

SIM-swap fraud happens when criminals transfer your phone number to their SIM card. 

This gives them control of your phone number, so they can receive your calls and texts. 

Fraudsters can then use two-factor authentication (2FA) to change your passwords and access emails and accounts.

Source: NatWest 


They may stick with the same network, pretending the old SIM is missing or damaged, or ask to switch to a new network by requesting the porting authorisation code (PAC). 

Usually, a PAC – normally nine characters long and in the format ‘ABC123456’ – lets people take their old number with them when they change service providers, from EE to Vodafone, for example. 

Once your number is linked to their own SIM, anyone calling or texting this number will contact the scammers’ device, not your smartphone.

Usually, the first sign that you could be a victim of SIM swapping is when your phone calls and text messages aren’t going through. 

Crucially, the perpetrator can get into your banking, email and social media accounts, knowing that logins often require one-time passwords or passcodes (OTPs) sent by text. 

For example, logging in to a Barclays online account involves getting a one-time code sent in an SMS text to your phone. 

Depending on how much money you have in your bank account, they can quickly spend thousands of pounds or transfer your funds to another account. 

One victim – referred to by Which? as Ellie – faced debts of £2,200 after criminals attempted to take over her phone number in September (case study below). 

Which? advises mobile phone users to sign up for its scam alerts. These emails will alert you to scams doing the rounds and provide practical advice to keep you safe from fraudsters

Top tips to stay safe 

  1. Protect your personal information: never share important info like bank account details or passwords and ignore requests for your details 
  2. Set up a PIN or password with your phone provider: ask your provider to set up a unique PIN or password on your account, needed to approve any account changes 
  3. Use social media wisely: avoid sharing details such as your phone number, date of birth and answers to common security questions
  4. Monitor your accounts: regularly check your bank accounts and credit reports for strange transactions or activities. Set up alerts for any significant changes to your accounts
  5. Set up biometrics: such as facial and voice recognition 

Source: NatWest 


Her Klarna and PayPal accounts were compromised, but she was told she would remain liable for the repayments. 

It was only when Which? stepped in to speak to both providers on her behalf that the debts were written off and marked as fraud. 

According to Which?, the best way to prevent SIM-swap fraud is to set up a mobile PIN or password with your network provider, if you haven’t already. 

This process is different depending on the network and not all networks offer this option, so consumers should contact their providers for more information. 

‘To protect yourself from falling victim to this scam we’d recommend setting up a unique PIN or password on your mobile account which must be provided to approve any account changes,’ said Ms Chhokar. 

‘If you receive an unexpected message about your SIM being ported or a PAC request, or you unexpectedly lose phone service, contact your mobile network immediately.

‘If you’ve fallen victim to a SIM-swap scam, warn your bank so they can freeze your account and report this to Action Fraud or the police if you live in Scotland to investigate.’ 

Ms Chhokar also said to ensure multi-factor authentication (MFA) is set up for social media, banking and email apps.

Twitter co-founder and former CEO Jack Dorsey (pictured) is among the victims of SIM-swap fraud. Dorsey’s Twitter account was hacked when fraudsters gained control over his phone number

Which? said: ‘The weakness of SMS-based security checks is clearly exposed in cases of SIM-swap fraud, however, any MFA is better than none at all (passwords alone are extremely weak).’ 

To tackle the root of the issue, you should also be very wary of what personal information you post on social media, especially if you have public accounts. 

For example, avoid sharing details such as your phone number, date of birth and answers to common security questions – such as name of first pet or mum’s maiden name – on X (Twitter) or on Facebook groups. 

Which? also advises mobile phone users to sign up for its scam alert service for free on its website.  

These emails will alert you to scams doing the rounds and provide practical advice to keep you safe from fraudsters. 

I lost more than £2,000 to a SIM-swap scam – but was told I was liable for the repayments

Ellie faced debts totalling £2,200 after criminals attempted to take over her phone number in September. 

The first she knew of anything strange was a text from her network provider, EE, confirming the order of a new eSIM (a virtual version of a physical SIM card). 

She quickly called them to explain that this had nothing to do with her, assuming that would be the end of it.

But then she spotted her email address had been changed in the EE app and minutes later, she received a call from ‘Adam with the EE fraud team’ – actually a scammer. 

He told her they needed to take action to secure her account, cleverly warning her that he would send a security code that should never be shared with anyone outside of the EE fraud team. 

This scammer used the code to activate the eSIM linked to her phone number.

Around 10 minutes later, Ellie received notifications about someone logging in to her NatWest account and changing her email password. 

She was able to secure NatWest in time, but couldn’t stop two purchases of £699 at Argos in quick succession via her Klarna account. 

She later discovered the scammers had found their way into PayPal too (an account that she hadn’t used in years) to successfully apply for £800 credit and spend almost every penny. 

Ellie thinks they triggered security checks linked to her phone number, though EE says there is a 24-hour lead time for new SIMs to activate and it blocked the number within this timeframe (meaning the scammer couldn’t have received any messages). 

It’s possible they reset passwords via her compromised email address instead, though her phone number was the initial target. 

Despite reporting the fraud to Klarna and PayPal, Ellie was told there was no evidence of unauthorised activity so she would remain liable for the repayments. 

She went back and forth for nearly two months, raising formal complaints, but was unable to convince anyone that this wasn’t her debt to pay. 

Many big banks have access to mobile network data to check if your SIM has recently been swapped or ported before sending sensitive data by SMS, though this is not widely used by other payment providers. 
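As an added illustration of the check described above (this is example code written for this page, not code from Which?, NatWest, EE, Klarna, PayPal or any bank), the policy function below refuses to send an SMS one-time passcode when the mobile network reports a SIM change inside a recent window, and fails closed when it has no data for the number at all. The lookup table, the sample numbers and the 72-hour window are constructed assumptions; real operator SIM-swap APIs return differently shaped data and are queried over the network rather than from a dictionary.

```python
"""
Gate SMS one-time passcodes on how recently the destination number's SIM
was swapped or ported.  Added example, not code from the article or from
any named company.  The operator lookup is a constructed stand-in for a
mobile network's SIM-swap API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed sample data (an assumption): the last time each number's SIM
# or eSIM changed, as an operator API might report it.  None means the
# operator reports no change on record for that number.
SAMPLE_SIM_CHANGES: Dict[str, Optional[datetime]] = {
    "+447700900001": datetime(2024, 9, 3, 9, 12, tzinfo=timezone.utc),  # eSIM activated minutes ago
    "+447700900002": datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc),  # stable for months
    "+447700900003": None,                                              # no change on record
}

# How long after a SIM change SMS is treated as untrusted.  72 hours is a
# constructed policy value; pick it from your own fraud data.
SIM_SWAP_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class OtpDecision:
    allow_sms: bool          # True only if SMS delivery is acceptable
    reason: str              # human-readable justification for the audit log
    fallback: Optional[str]  # what to do instead when SMS is refused


def _as_utc(ts: datetime) -> datetime:
    """Treat naive timestamps as UTC so comparisons never raise TypeError."""
    return ts if ts.tzinfo is not None else ts.replace(tzinfo=timezone.utc)


def decide_sms_otp(
    number: str,
    now: datetime,
    lookup: Dict[str, Optional[datetime]] = SAMPLE_SIM_CHANGES,
    window: timedelta = SIM_SWAP_WINDOW,
) -> OtpDecision:
    """Decide whether an SMS OTP may be sent to `number` at time `now`.

    Fail closed: unknown number -> no SMS.  Recent SIM change -> no SMS and
    step up to a channel that is not tied to the phone number (e.g. an
    authenticator app or an in-app confirmation on an already enrolled device).
    """
    now = _as_utc(now)
    if number not in lookup:
        return OtpDecision(False, "no SIM-swap data for number", "step-up: app-based MFA")

    last_change = lookup[number]
    if last_change is None:
        return OtpDecision(True, "operator reports no SIM change on record", None)

    age = now - _as_utc(last_change)
    if age < window:
        hours = age.total_seconds() / 3600
        return OtpDecision(
            False,
            f"SIM changed {hours:.1f}h ago, inside {window.total_seconds() / 3600:.0f}h window",
            "step-up: app-based MFA",
        )
    return OtpDecision(True, "last SIM change is outside the window", None)


if __name__ == "__main__":
    # Constructed request time: 13 minutes after the first number's eSIM activation.
    request_time = datetime(2024, 9, 3, 9, 25, tzinfo=timezone.utc)
    for n in list(SAMPLE_SIM_CHANGES) + ["+447700900999"]:
        d = decide_sms_otp(n, request_time)
        print(n, "SMS" if d.allow_sms else "BLOCK", "-", d.reason, "-", d.fallback or "")
```

The point of the design is where the check sits: it runs before the OTP is generated, so a freshly ported number never receives a code at all, and the refusal is logged with its reason so a later dispute (like Ellie's) has evidence that the provider saw the swap. Step-up should go to a factor that does not depend on the phone number, otherwise the fallback inherits the same weakness.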

It was only when Which? stepped in to speak to both providers on her behalf that the debts were written off and marked as fraud, leaving no credit mark on her file. 

PayPal told Which? that it takes its responsibilities to look after people’s money very seriously and uses ‘advanced fraud and risk management tools’ to keep customers safe. 

It declined to comment on Ellie’s case for privacy reasons, but said it was ‘sorry’ to learn of her experience and confirmed the case was resolved positively. 

Klarna told Which? this was a sophisticated fraud attempt, as the scammer entered a valid OTP, but admitted it should have handled her complaint better and apologised. 

An EE spokesperson said: ‘We’re sorry that Ellie has been targeted by scammers. As soon as we were alerted to suspicious activity, we took steps to secure her EE account. 

‘We encourage all our customers to remain vigilant and if they spot strange activity on their account, to contact us immediately.’ 
