SIM Swap Fraud: How It Works, Red Flags, and How to Detect It

Category: fraud | Risk: high | Industries: banking, fintech, telco

SIM swap fraud is an account takeover attack in which a criminal persuades a mobile carrier to transfer a victim's phone number to a SIM card the attacker controls. The result: the attacker receives SMS-based authentication codes and can access bank accounts, crypto wallets, and payment platforms without the victim's knowledge.

What is SIM Swap Fraud?

SIM swap fraud is a social engineering and identity fraud attack in which a criminal convinces a mobile carrier to transfer a victim's phone number to a SIM card the attacker controls. Once the port completes, the attacker intercepts every SMS message and voice call destined for the victim, including one-time passwords, transaction approval codes, and account recovery messages from financial institutions.

The attack belongs to the fraud category, with direct downstream money laundering potential. Stolen funds frequently move through money mule networks or get layered across multiple accounts before reaching the criminal's withdrawal point.

The scale is significant and growing. The FBI's Internet Crime Complaint Center recorded 2,026 SIM swap complaints in 2022 with adjusted losses of $72 million, up from $68 million in 2021. The real figure is higher. Many victims don't identify SIM swapping as the root cause and report it simply as account takeover or unauthorized transfer.

The attack works because SMS-based two-factor authentication is still the dominant second factor across retail banking, crypto exchanges, and payment platforms. A single successful port can give an attacker access to every financial account tied to that phone number. It's not a sophisticated technical exploit. It requires a convincing phone call and some basic personal data, which is precisely why it scales and why organized criminal rings have industrialized it.


How does SIM Swap Fraud work?

The mechanics are straightforward. A criminal first collects personal data on the target: name, date of birth, address, account numbers, and the last four digits of a Social Security Number or national ID. This data comes from phishing, previous data breaches, dark web purchases, or direct social engineering of the victim.

Armed with that data, the attacker calls the victim's mobile carrier (or walks into a retail store) and impersonates the account holder. They claim a lost or damaged handset, request a SIM replacement, and ask for the number to be ported to the new card. Carriers with weak identity verification authorize the port. The legitimate SIM goes dead. The attacker's SIM starts receiving everything.

From that moment, the sequence is fast. The attacker navigates to the bank's login page, enters credentials purchased or previously phished, and triggers an SMS OTP. The OTP arrives on the attacker's phone. They complete login, change the account password and MFA settings, and initiate outbound transfers before the victim even notices the loss of service.

Illustrative scenario:

A customer at a regional bank in New Jersey has their phone go dead on a Tuesday morning. Within 20 minutes, an attacker uses intercepted SMS OTP codes to log into the customer's bank account, primary email, and a crypto exchange account. They transfer $47,000 from the bank via two wire transfers to overseas accounts, and liquidate $31,000 in crypto holdings. The customer calls their carrier to report no service. The carrier confirms a SIM swap was processed that morning using the customer's home address and last four digits of their SSN. Total time from SIM port to fund extraction: 34 minutes.

The subsequent laundering often routes through authorized push payment fraud structures or through mule chains before the funds are withdrawn. Some proceeds pass through layering via crypto conversions to complicate tracing.


Red flags and indicators

Detection depends on correlating telco events with banking behavior, ideally in near real time. No single signal is definitive. The combination is.

Transaction-level signals

  • Large outbound wire or ACH transfer within 60 minutes of a password reset or contact detail change
  • Rapid peer-to-peer payments to first-time recipients immediately after a new device login
  • Crypto purchase or external wallet transfer placed within 30 minutes of an MFA method switch
  • Card-not-present transactions in an unfamiliar geography coinciding with a carrier-reported port event

Account-level signals

  • Phone number changed and then used to trigger a password reset in the same session
  • MFA method switched from an authenticator app to SMS shortly before a high-value transaction
  • Trusted device list wiped and replaced with a new device fingerprint
  • Security question answers changed and immediately used to unlock the account

Network-level signals

  • The newly ported number appears across multiple flagged accounts at the institution
  • Receiving accounts for funds match payees in previously filed SARs
  • Login device fingerprint or IP shared with accounts in known fraud clusters
  • Multiple accounts targeted at the same institution within a 24-hour window, consistent with an organized ring

Behavioral signals

  • Victim calls customer service to report loss of mobile service at the same time unauthorized account activity is posted
  • Account holder's typical login cadence breaks abruptly with no prior travel notification
  • Inbound authentication requests to the victim's registered device go unanswered during the attack window
  • Customer disputes transactions within hours of a port event they did not authorize

Notable real-world cases

FBI Internet Crime Complaint Center, 2022

The FBI's IC3 documented 2,026 SIM swap complaints in 2022, with adjusted losses of $72 million. That's an increase from 1,611 complaints and $68 million in losses in 2021. The IC3 notes that losses per victim are rising as attackers shift focus toward high-value crypto accounts and brokerage platforms. The full data is in the FBI IC3 2022 Internet Crime Report.

FinCEN Advisory FIN-2020-A002, February 2020

FinCEN issued an advisory directly linking SIM swapping to impersonation fraud and business email compromise schemes. The advisory instructed financial institutions to file SARs using the keyword "FIN-2020-A002" when suspicious activity is consistent with these patterns. This is the primary U.S. federal compliance document on the typology. Source: FinCEN Advisory FIN-2020-A002.

Europol SIM Swap Arrests, 2021

Europol coordinated the arrest of 26 individuals across multiple European countries targeting a SIM swap ring that had defrauded customers at several major banks across Spain, Romania, and Austria. Losses exceeded €3 million. The operation revealed that organized rings recruit carrier insiders to bypass standard port-out verification, raising the success rate well above what social engineering alone achieves. Source: Europol newsroom.

FATF Digital Payments Typologies Report, 2020

FATF's report on money laundering risks in digital payments addresses SIM swapping explicitly as an emerging typology linked to both retail fraud and crypto asset theft. The report calls on member jurisdictions to ensure that financial institutions assess authentication method vulnerabilities as part of their technology risk frameworks. Source: FATF, Digital Transformation and Financial Crime.


How to detect SIM Swap Fraud

The detection challenge is that the critical event, the carrier port, happens outside the bank's direct view. Institutions that wait to observe the financial transaction are already behind. The most effective detection programs fuse telco signals with banking activity in near real time.

Telco feed integration. When a carrier-reported number transfer event reaches the detection system in real time, the institution can freeze outbound transactions for a short cooling-off period. The UK Fraud Intelligence Sharing System and the U.S.-based Early Warning Services network both facilitate this type of signal sharing. Institutions with direct carrier data partnerships detect attacks in under 5 minutes. Those without them detect the attack only after the funds have moved.

Rule-based triggers. Time-proximity rules are the baseline. Any outbound payment, contact detail change, or MFA method switch occurring within a configurable window (30 to 120 minutes) of a known port event should trigger a hold for human review. Threshold alerting on transaction velocity post-login from a new device adds a second layer.
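The time-proximity rules described here, together with the transaction-level and account-level red flags listed above, can be expressed as a small rule engine over a merged stream of carrier and banking events. The following is an added example written for this page, not FluxForce code; the event kinds, field names, and the three rule labels are assumptions for illustration, and the sample stream is constructed to mirror the New Jersey scenario (port, new device login, password reset, two large payments within half an hour). The same window check doubles as the cooling-off control described later in this section.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# One normalised event. "port" events would come from a carrier feed; the others
# from the bank's own authentication and payment systems. The field names and
# kind labels are assumptions made for this example, not a real feed schema.
@dataclass(frozen=True)
class Event:
    ts: datetime
    customer: str
    kind: str            # port | password_reset | contact_change | mfa_switch | new_device_login | payment
    amount: float = 0.0  # only meaningful for kind == "payment"

# Authentication-side changes that, when followed quickly by a payment, are red flags.
AUTH_CHANGE_KINDS = {"password_reset", "contact_change", "mfa_switch", "new_device_login"}
# Activity that should be held when it follows a known carrier port event.
POST_PORT_KINDS = {"payment", "contact_change", "mfa_switch"}


def evaluate(events: Iterable[Event],
             port_window: timedelta = timedelta(minutes=120),
             auth_window: timedelta = timedelta(minutes=60),
             cooling_off: timedelta = timedelta(minutes=45),
             high_value: float = 10_000.0) -> List[dict]:
    """Apply three time-proximity rules per customer and return HOLD decisions.

    R1: payment, contact change or MFA switch within port_window after a port event
    R2: payment of at least high_value within auth_window after any auth-side change
    R3: any payment within cooling_off after a contact detail change (cooling-off control)
    """
    by_customer: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_customer.setdefault(e.customer, []).append(e)

    alerts = []
    for customer, evs in by_customer.items():
        ports = [e.ts for e in evs if e.kind == "port"]
        auth_changes = [e for e in evs if e.kind in AUTH_CHANGE_KINDS]
        for e in evs:
            reasons = []
            if e.kind in POST_PORT_KINDS and any(
                    timedelta(0) <= e.ts - p <= port_window for p in ports):
                reasons.append("R1_activity_after_port")
            if e.kind == "payment":
                if e.amount >= high_value and any(
                        timedelta(0) <= e.ts - a.ts <= auth_window for a in auth_changes):
                    reasons.append("R2_high_value_after_auth_change")
                if any(a.kind == "contact_change" and timedelta(0) <= e.ts - a.ts <= cooling_off
                       for a in auth_changes):
                    reasons.append("R3_inside_cooling_off")
            if reasons:
                alerts.append({"customer": customer, "ts": e.ts.isoformat(), "kind": e.kind,
                               "amount": e.amount, "action": "HOLD", "reasons": reasons})
    return alerts


# Constructed sample stream. "C1" mirrors the illustrative scenario on this page;
# "C2" is an ordinary payment; "C3" changes a contact detail, then pays a small amount.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 19, 9, 0), "C1", "port"),
    Event(datetime(2024, 3, 19, 9, 5), "C1", "new_device_login"),
    Event(datetime(2024, 3, 19, 9, 7), "C1", "password_reset"),
    Event(datetime(2024, 3, 19, 9, 20), "C1", "payment", 25_000.0),
    Event(datetime(2024, 3, 19, 9, 26), "C1", "payment", 22_000.0),
    Event(datetime(2024, 3, 19, 10, 0), "C2", "payment", 300.0),
    Event(datetime(2024, 3, 19, 8, 0), "C3", "contact_change"),
    Event(datetime(2024, 3, 19, 8, 20), "C3", "payment", 500.0),
]


def demo() -> List[dict]:
    """Run the rules over the constructed stream and return the HOLD decisions."""
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Both of C1's payments are held under R1 and R2, C3's small payment is held only by the cooling-off rule, and C2's payment passes. The windows are parameters rather than constants so that the 30 to 120 minute range the page mentions can be tuned per product line.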

Behavioral analytics. Each customer has a transaction baseline: typical amounts, timing, device, payee set. When a customer's behavior suddenly diverges from that baseline and co-occurs with an authentication event change, the risk score rises sharply. Peer-group comparison catches the cases that absolute thresholds miss.
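A per-customer baseline and the peer-group comparison described here can be sketched as a scoring function that weights amount deviation, payee novelty, timing, and peer percentile, then multiplies the score when the transaction co-occurs with an authentication change. This is an added example written for this page, not FluxForce code; the weights, the 60-minute window, and the constructed 90-day history and peer amounts are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import FrozenSet, List, Optional, Tuple

Txn = Tuple[datetime, float, str]  # (timestamp, amount, payee)


@dataclass(frozen=True)
class Baseline:
    mean_amount: float
    std_amount: float
    payees: FrozenSet[str]
    hours: FrozenSet[int]    # hours of day at which this customer normally pays


def build_baseline(history: List[Txn]) -> Baseline:
    """Summarise a customer's recent outbound payments (here, a constructed 90-day window)."""
    amounts = [amt for _, amt, _ in history]
    return Baseline(mean(amounts), pstdev(amounts),
                    frozenset(p for _, _, p in history),
                    frozenset(ts.hour for ts, _, _ in history))


def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile with q in [0, 1]; used for the peer-group comparison."""
    ordered = sorted(values)
    return ordered[int(q * (len(ordered) - 1))]


def score_transaction(ts: datetime, amount: float, payee: str, baseline: Baseline,
                      peer_amounts: List[float], last_auth_change: Optional[datetime] = None,
                      auth_window: timedelta = timedelta(minutes=60)) -> dict:
    """Score one transaction against the customer baseline and the peer group.

    Weights are illustrative assumptions. An authentication change inside auth_window
    multiplies the score, which is the sharp rise the page describes.
    """
    reasons: List[str] = []
    score = 0.0
    z = (amount - baseline.mean_amount) / baseline.std_amount if baseline.std_amount > 0 else 0.0
    if z > 3.0:
        score += 40
        reasons.append(f"amount_z={z:.1f}")
    if payee not in baseline.payees:
        score += 20
        reasons.append("first_time_payee")
    if ts.hour not in baseline.hours:
        score += 10
        reasons.append("atypical_hour")
    p95 = percentile(peer_amounts, 0.95)
    if amount > p95:
        score += 15
        reasons.append(f"above_peer_p95={p95:.0f}")
    if last_auth_change is not None and timedelta(0) <= ts - last_auth_change <= auth_window:
        score *= 1.5
        reasons.append("auth_change_within_window")
    return {"score": round(score, 1), "reasons": reasons,
            "decision": "HOLD" if score >= 60 else "ALLOW"}


# Constructed history for one customer: recurring utility, grocery and rent payments.
HISTORY: List[Txn] = [
    (datetime(2024, 1, 3, 12, 0), 120.0, "utility-co"),
    (datetime(2024, 1, 10, 18, 30), 85.5, "grocer"),
    (datetime(2024, 1, 17, 19, 15), 240.0, "landlord-llc"),
    (datetime(2024, 2, 1, 12, 5), 120.0, "utility-co"),
    (datetime(2024, 2, 14, 18, 45), 310.0, "grocer"),
    (datetime(2024, 2, 17, 19, 0), 240.0, "landlord-llc"),
    (datetime(2024, 3, 2, 12, 10), 125.0, "utility-co"),
    (datetime(2024, 3, 12, 18, 20), 92.0, "grocer"),
    (datetime(2024, 3, 17, 19, 30), 240.0, "landlord-llc"),
]
# Constructed single-transfer amounts for the customer's peer group (same product tier).
PEER_AMOUNTS = [150.0, 200.0, 320.0, 500.0, 750.0, 1_200.0, 2_000.0, 3_500.0, 5_000.0, 8_000.0]


def demo_suspicious() -> dict:
    """A large first-time transfer 13 minutes after a password reset, outside normal hours."""
    return score_transaction(datetime(2024, 3, 19, 9, 20), 25_000.0, "new-external-payee",
                             build_baseline(HISTORY), PEER_AMOUNTS,
                             last_auth_change=datetime(2024, 3, 19, 9, 7))


def demo_benign() -> dict:
    """The usual utility payment at the usual hour, with no authentication change."""
    return score_transaction(datetime(2024, 4, 2, 12, 0), 130.0, "utility-co",
                             build_baseline(HISTORY), PEER_AMOUNTS)
```

The suspicious transfer trips every component (85 points) and the authentication multiplier lifts it to 127.5, well past the hold threshold; the routine utility payment scores zero. The peer percentile is what catches a customer whose own history is too short or too erratic for the z-score to be meaningful.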

Graph and network analysis. Organized SIM swap rings use the same downstream mule accounts and receiving wallets across multiple victims. Network analysis that maps fund flows can identify shared receiving infrastructure and flag concurrent attacks across the customer base. This approach also surfaces connections to synthetic identity fraud clusters, where fraudsters combine SIM swapping with fabricated account holders.
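The shared-receiver pattern described here, and the network-level red flags listed earlier (the same payee across several flagged accounts, receiving accounts that match payees in earlier SARs), can be found with a bipartite graph of source accounts and receiving accounts. The following is an added example written for this page, not FluxForce code; the transfer records and the prior-SAR payee list are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Transfer = Tuple[str, str, float]  # (source_account, receiving_account, amount)

# Constructed outbound transfers; not real data. V1..V3 are compromised accounts
# draining to overlapping receivers, V4 is an unrelated legitimate payment.
TRANSFERS: List[Transfer] = [
    ("V1", "R-ALPHA", 25_000.0),
    ("V1", "R-BETA", 22_000.0),
    ("V2", "R-ALPHA", 9_800.0),
    ("V3", "R-GAMMA", 4_100.0),
    ("V3", "R-BETA", 15_000.0),
    ("V4", "R-DELTA", 500.0),
]
# Payees named in previously filed SARs (constructed placeholder list).
PRIOR_SAR_PAYEES: Set[str] = {"R-GAMMA"}


def shared_receivers(transfers: List[Transfer], min_victims: int = 2) -> Dict[str, List[str]]:
    """Receiving accounts that collect funds from at least min_victims distinct source accounts."""
    victims_by_receiver = defaultdict(set)
    for source, receiver, _ in transfers:
        victims_by_receiver[receiver].add(source)
    return {r: sorted(v) for r, v in victims_by_receiver.items() if len(v) >= min_victims}


def components(transfers: List[Transfer]) -> List[Set[str]]:
    """Connected components of the source/receiver graph, via union-find with path halving."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for source, receiver, _ in transfers:
        ra, rb = find(source), find(receiver)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return list(groups.values())


def ring_report(transfers: List[Transfer], prior_sar_payees: Set[str],
                min_victims: int = 2) -> List[dict]:
    """One record per component linking several source accounts: the accounts, the
    receivers they share, the total drained, and receivers already named in SARs."""
    sources = {s for s, _, _ in transfers}
    drained = defaultdict(float)
    for s, _, amt in transfers:
        drained[s] += amt
    report = []
    for comp in components(transfers):
        comp_sources = sorted(n for n in comp if n in sources)
        if len(comp_sources) < min_victims:
            continue                      # a lone customer paying a lone payee is not a ring
        receivers = sorted(n for n in comp if n not in sources)
        report.append({
            "victims": comp_sources,
            "receivers": receivers,
            "total": sum(drained[s] for s in comp_sources),
            "sar_hits": sorted(set(receivers) & prior_sar_payees),
        })
    return sorted(report, key=lambda r: r["total"], reverse=True)


if __name__ == "__main__":
    print(shared_receivers(TRANSFERS))
    for ring in ring_report(TRANSFERS, PRIOR_SAR_PAYEES):
        print(ring)
```

On the constructed data V1, V2 and V3 collapse into one component because R-ALPHA and R-BETA each receive from two of them, and R-GAMMA's presence in the prior-SAR list lifts the whole cluster's priority; V4 stays isolated and is not reported. In production the same pass would be re-run over a rolling 24-hour window to surface the concurrent attacks the network-level signals describe.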

Cooling-off periods (blocking outbound transactions for 30 to 60 minutes after any contact detail change) are a simple operational control that stops most opportunistic attacks. Determined rings learn to plan around them, but they still reduce overall fraud volume.


Which regulations cover SIM Swap Fraud

SIM swap fraud sits at the intersection of fraud prevention and anti-money laundering regulation, so multiple frameworks apply simultaneously.

FATF Recommendations 10, 15, and 16 require financial institutions to conduct customer due diligence, monitor transactions for suspicious activity, and maintain controls over wire transfers. Recommendation 15 specifically calls for technology risk assessments that cover new authentication methods. FATF's 2020 digital payments typologies report names SIM swapping explicitly.

The Bank Secrecy Act and FinCEN's Customer Due Diligence Rule (31 CFR Part 1010) require SAR filings when institutions detect unauthorized access or fraud patterns. FinCEN Advisory FIN-2020-A002 provides specific filing instructions for SIM swap-related activity, including the required SAR keyword.

The FCA's Payment Services Regulations 2017 (implementing PSD2 in the UK) require strong customer authentication for payment initiation. The FCA has stated that SMS OTP alone may not satisfy those requirements for high-risk transactions. Institutions relying on SMS as the sole second factor face supervisory scrutiny.

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04) require EU-regulated institutions to assess authentication method vulnerabilities. SMS-dependent two-factor authentication is explicitly within scope.

PSD2 Article 97 mandates strong customer authentication across the EU for transactions above defined thresholds. Institutions that allow SMS OTP as the sole authentication factor without compensating controls have direct regulatory exposure when a SIM swap leads to an unauthorized payment claim.


How FluxForce detects SIM Swap Fraud

Nova Sentinel monitors authentication events in real time. Any contact detail change, MFA method switch, or new device login that coincides with high-value transaction activity within a configurable window triggers an immediate alert. Aiden Flux runs behavioral analytics across each account's transaction history, scores deviations from a 90-day baseline, and correlates those scores with network signals from downstream payee accounts.

When a SIM swap pattern is confirmed, FluxForce generates a complete evidence package for the analyst: the authentication event chain, the transaction sequence, and graph connections to any shared mule infrastructure. Automated SAR drafting is available for confirmed cases.

Request a demo to see how FluxForce handles SIM swap detection in production environments.
