SIM Swapping Attacks and How to Protect Yourself from It?

SIM swapping attacks occur when a cybercriminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they can intercept all SMS-based OTPs, bypass two-factor authentication, and take over your bank accounts, email, and social media profiles—often within minutes.

What Is SIM Swapping?

SIM swapping (also called SIM hijacking or SIM porting fraud) is an identity theft attack where the attacker impersonates you with your telecom operator and requests a SIM replacement or number port. Armed with your personal details obtained through phishing, data breaches, or social engineering, they convince the carrier’s customer support agent to issue a new SIM for your number. All incoming calls and SMS—including bank OTPs—immediately route to the attacker’s device. SIM swapping is a critical attack vector that enables OTP fraud and is often preceded by BSNL/TRAI fake notice scams that collect the personal information needed to execute the swap.

How Does a SIM Swapping Attack Work?

Step 1: Intelligence Gathering

The attacker collects the victim’s personal details—full name, date of birth, Aadhaar number, registered mobile number, and telecom provider—through phishing emails, data breach records purchased on the dark web, vishing calls, or social media research.

Step 2: Contacting the Mobile Carrier

The attacker calls or visits a telecom service center posing as the victim, claiming the SIM was lost or damaged. Using the collected personal details to pass identity verification, they request the phone number be transferred to a new SIM card they control.

Step 3: OTP Interception Begins

Once the carrier activates the new SIM, the victim’s phone loses all network service. The attacker’s device receives all calls and SMS messages. They immediately initiate password resets on banking, email, and social media accounts using SMS OTP verification.

Step 4: Account Takeover and Financial Theft

With access to bank account OTPs, the attacker initiates fund transfers, applies for loans, or sells the victim’s financial account credentials. Email account access enables password resets on every other service linked to that email address.

What Are the Warning Signs of a SIM Swap?

• Your phone suddenly shows “No Service” or “Emergency Calls Only” — If you lose network service unexpectedly and cannot make calls or send SMS, contact your carrier immediately. This is the most common first symptom of a SIM swap.
• You receive an unexpected notification that your SIM has been changed — Carriers typically send an email or SMS notification about SIM changes; act immediately if you receive one you did not initiate.
• You receive OTPs for transactions you did not initiate — Someone may be attempting to access your accounts before the swap completes; freeze accounts immediately.
• You notice unauthorized transactions in your bank account — By the time you see transactions, the attacker may have already moved funds.
• Your social media accounts are suddenly inaccessible — Password resets linked to your phone number may have already locked you out.

How Can You Protect Yourself from SIM Swapping?

• Set up a SIM lock or port block with your carrier — Contact your telecom operator and ask them to add a secondary PIN or block required for any SIM replacement or number porting request.
• Use app-based authentication (Google Authenticator, Authy) instead of SMS OTPs — Authenticator apps are not affected by SIM swaps because they generate codes on-device, not via SMS.
• Minimize personal information shared on social media — Date of birth, hometown, and mother’s maiden name are commonly used by attackers to pass carrier identity verification.
• Set up real-time alerts on your bank account — Instant notifications for every transaction allow you to detect unauthorized activity within seconds.
• Immediately contact your carrier if your phone loses service unexpectedly — Request them to check for any recent SIM change requests and revert the swap.
• Use a separate email address for banking that is not linked to your primary social media accounts — This limits the attacker’s reach even if they access your primary email via an OTP.

How to Report SIM Swapping in India?

• Call the National Cyber Crime Helpline: 1930
• File an online complaint at cybercrime.gov.in
• Contact your bank immediately to freeze accounts and dispute unauthorized transactions
• Report the unauthorized SIM swap to your telecom operator’s fraud helpline and TRAI

For expert assistance investigating a SIM swapping attack or recovering compromised accounts, contact cyber expert Anuraag Singh.