SIM Swap Fraud: Protect Your Mobile Number
Prevent SIM-swap account takeovers by reducing reliance on SMS codes, tightening account recovery, and treating sudden loss of mobile service as an urgent security incident.
This guide explains how SIM swapping (number porting or hijacking) enables interception of one-time codes and account resets, and provides a UK-centric prevention and response checklist. It targets consumers and micro-business owners who rely on mobile numbers for banking, email, and social logins. The content emphasises safer authentication routes and rapid, structured response to minimise financial and identity harm.
Quick checklist
- Contact your mobile provider using a known number if your phone loses service.
- Secure your email first: change password and enable two-factor verification.
- Secure banking and key accounts: change passwords and review sign-in activity.
- Force log out other sessions and devices where possible.
- Replace SMS codes with app-based or stronger authentication where available.
- Report fraud if money is lost and monitor accounts.
What SIM swap fraud is
SIM swap fraud (also called number porting or SIM hijacking) is when a criminal persuades your mobile network provider to move your phone number to a SIM card they control. Once they have your number, they receive all calls and texts sent to it—including one-time codes, password reset links, and verification messages. This allows them to take over your email, banking, social media, and other accounts that use your mobile number for authentication or recovery.
Why SMS codes can be risky
SMS-based two-factor authentication sends a one-time code to your phone. If an attacker has redirected your number to their SIM, they receive that code instead of you. Industry standards such as NIST SP 800-63B note that attackers can redirect a victim's phone and receive SMS out-of-band secrets. NIST treats PSTN/SMS out-of-band authentication as restricted and highlights SIM change and number porting as risk signals. Where possible, prefer app-based or stronger multi-factor methods.
Warning signs to act on immediately
- Your phone suddenly loses all signal—no calls, texts, or data—especially if it happens without explanation.
- Unexpected "SIM change" or "number porting" notices from your provider.
- Unusual login notifications for email, banking, or social accounts you did not trigger.
- Unexpected account recovery emails or password reset confirmations.
If any of these occur, treat them as urgent and follow the response steps below.
Prevention checklist
- Lock down recovery paths: Ensure account recovery does not rely solely on your mobile number. Use recovery codes, backup emails, or security questions where appropriate.
- Strengthen email security: Your email is often the "master key" for resets. Use a strong, unique password and enable two-factor authentication with an app where possible, not SMS.
- Prefer app-based or stronger MFA: For banking and important accounts, use authenticator apps (e.g. Google Authenticator, Authy) or passkeys instead of SMS codes.
- Use a password manager: Generate and store unique passwords so one breach does not cascade across accounts.
- Contact your provider: Ask if they offer a PIN or additional security to block SIM changes or porting. Some providers let you add extra verification.
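One way to check the "lock down recovery paths" and email "master key" points across a handful of accounts, as an added example that is not part of the original guide. The account names and settings are constructed, and the method labels (sms, app, passkey, codes, email:<account>) are assumptions of this example.

```python
# Constructed sample inventory (hypothetical accounts, not from the guide).
# Method labels are assumptions of this example: "sms", "app", "passkey",
# "codes", or "email:<account>" when resets go to another listed account.
ACCOUNTS = {
    "personal-email": {"second_factor": "sms", "recovery": ["sms"]},
    "work-email": {"second_factor": "app", "recovery": ["codes"]},
    "bank": {"second_factor": "app", "recovery": ["email:personal-email"]},
    "social": {"second_factor": "app", "recovery": ["email:work-email", "sms"]},
    "accounting": {"second_factor": "passkey", "recovery": ["email:work-email"]},
}


def direct_sms_paths(account):
    """List the ways one account depends directly on the mobile number."""
    paths = []
    if account["second_factor"] == "sms":
        paths.append("SMS sign-in code")
    if "sms" in account["recovery"]:
        paths.append("SMS account recovery")
    return paths


def audit(accounts):
    """Return {account: [reasons]} for every account that depends on SMS,
    directly or through a recovery mailbox that itself depends on SMS."""
    findings = {}
    for name, account in accounts.items():
        paths = direct_sms_paths(account)
        if paths:
            findings[name] = paths
    changed = True
    while changed:  # repeat until no new indirect dependency is found
        changed = False
        for name, account in accounts.items():
            for method in account["recovery"]:
                if not method.startswith("email:"):
                    continue
                mailbox = method.split(":", 1)[1]
                reason = f"password resets go to {mailbox}, which depends on SMS"
                if mailbox in findings and reason not in findings.get(name, []):
                    findings.setdefault(name, []).append(reason)
                    changed = True
    return findings


if __name__ == "__main__":
    for name, reasons in audit(ACCOUNTS).items():
        print(f"{name}: " + "; ".join(reasons))
```

Accounts that appear in the output are the ones to move to app-based codes, passkeys, or recovery codes first, starting with any mailbox that other accounts reset through.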
What to do if you suspect a SIM swap
Act quickly to limit harm. Follow this order:
- Contact your mobile provider using a number from their official website or your bill—not a number from a text or email. Explain you may have been SIM swapped and ask them to suspend or restore your number.
- Secure your email first: From a trusted device (e.g. a computer with internet), change your email password and enable two-step verification. Check for unfamiliar forwarding rules or connected apps.
- Secure banking and key accounts: Change passwords for banking, investment, and any high-value accounts. Review recent transactions and sign-in activity.
- Force log out other sessions: Use "sign out of all devices" or similar where available to invalidate existing sessions.
- Document evidence: Note dates, times, and what happened. Keep screenshots of unusual activity and provider communications.
- Report appropriately: If money has been lost, report to your bank and to Action Fraud (England, Wales and Northern Ireland) or Police Scotland.
After recovery
Once you have restored control:
- Rotate credentials: Change passwords for any account you think could have been accessed or reset.
- Review devices and sessions: Check authorised devices and logged-in sessions in email, banking, and social accounts. Revoke anything you do not recognise.
- Remove SMS as a critical dependency: Where possible, switch to app-based 2FA or passkeys so future SIM compromises are less damaging.
Frequently asked questions
- What is SIM swap fraud?
  It's when a criminal convinces a provider to move your number to their SIM, letting them receive your calls and texts.
- Can SIM swap bypass SMS two-factor codes?
  Yes—if codes are delivered via SMS, a hijacked number can receive them.
- What should I do if my phone suddenly loses service?
  Treat it as urgent: contact your provider, secure your email and banking, and review sign-in activity.
- Why focus on email security too?
  Email is commonly used for password resets; losing it can cascade into other account takeovers.