The first symptom is silence. Your phone shows no service, and you assume a mast fault or a billing glitch. In the hour or two it takes to find out otherwise, someone holding a SIM card registered to your number has reset your email password, received the text codes your bank sent to confirm it was really you, and emptied whatever the daily limits allow. This is SIM swap fraud, and it works because of a design choice the whole industry made without quite deciding to: the mobile number became the master key to everything, while the process for handing that number to someone else stayed a routine retail transaction.

The mechanics are unglamorous. A fraudster gathers a victim's name, date of birth, address and account details, most of it available from old data breaches or a convincing phishing text, then contacts the victim's network claiming to have lost or broken their phone. If the call-centre agent or shop assistant is satisfied by those answers, a replacement SIM is activated and the number moves. Some gangs skip the acting and bribe or recruit staff inside networks, which is why insider access features in so many prosecutions. The spread of eSIMs has removed even the need to collect a physical card: a profile can be provisioned to a handset the fraudster already holds, entirely remotely.

Once the number transfers, the victim's handset goes dead and every call and text arrives with the attacker instead. That matters because of what the rest of the system assumes a text message proves. When the second Payment Services Directive forced strong customer authentication on UK banks, a one-time code sent by SMS counted as evidence you possessed your phone, and it was the cheapest factor to roll out at scale. Email providers made the same bet, offering the mobile number as a password recovery route. The result is circular: the number recovers the email, the email recovers the accounts, and the bank's texted codes approve the payments. Control the number and the rest follows in sequence.

The money involved is not petty. In February 2021 the National Crime Agency arrested eight people across England and Scotland as part of an international operation into SIM swap attacks on US celebrities and others, with more than 100 million dollars in cryptocurrency alleged to have been stolen. Cryptocurrency holders are favourite targets precisely because those transfers cannot be recalled, but ordinary current accounts are hit constantly, and UK victims report losses through Action Fraud running from four figures to life-changing sums.

Where the system bends, and where it does not

Britain made number transfers deliberately easy for a good reason. Ofcom's Text-to-Switch rules, in force since July 2019, let any customer text PAC to 65075 and receive a porting code within a minute, because the old regime let networks stall departing customers with retention scripts. Friction was the enemy. The trouble is that identity checking did not tighten as transfer got faster, and the person a network needs to satisfy itself about is rarely the one standing in the shop. Ofcom and the networks have since layered on checks for SIM replacements and ports, and several operators now offer a port-out PIN, a password or an in-app approval step before a number can move. None of it is universal, and none of it is on by default everywhere.

Liability, at least, mostly favours the victim. Under the Payment Services Regulations 2017, a payment the customer never authorised must generally be refunded by the bank unless it can show gross negligence, and losing your number to a fraudster who tricked EE or Vodafone is not your negligence. Recovering hijacked email, cryptocurrency or social media accounts is far harder, and the weeks of cleanup are uncompensated.

The SIM swap scam: how phone numbers became keys to everything
Photo: Dean Fleischer-Camp / Wikimedia Commons (Public domain)

Practical protection is short and specific. Ask your network to add a password or PIN to your account and to block ports without it. Move two-factor authentication for anything valuable from SMS to an authenticator app or a passkey, which stay on the device rather than following the number. Delete your mobile number as an email recovery option. And treat a phone that suddenly loses signal in an area with coverage as an incident, not an inconvenience: call your network from another line immediately, then your bank. The number stopped being just a way to reach you years ago. It is a credential now, and it deserves to be guarded like one.