SIM swap fraud explained for risk teams
SIM swap fraud is a social-engineering attack that redirects a victim's phone number to a SIM card the attacker controls. Once the number is theirs, SMS-based authentication becomes the attacker's tool rather than the customer's defence. This page explains how SIM swap works, why it remains effective against standard fintech security stacks, and what signals are available to reduce exposure.
What happens in a SIM swap
The attacker gathers enough personal information, such as name, address and date of birth, to pass a carrier's identity verification. They contact the carrier's customer support or a retail outlet and request a SIM replacement, claiming the original SIM is lost or damaged. The carrier reassigns the number. The victim's physical SIM stops working immediately.
From that point, all inbound calls and SMS messages route to the attacker's device. The victim typically notices their phone has lost signal and may attribute it to a network issue. The attacker uses the access window, often under an hour, to trigger password resets across financial accounts, receive OTPs, and drain funds or take control of high-value accounts.
Why SMS authentication is the target
SMS OTPs are the most common second factor in financial services. A SIM swap bypasses them entirely without exploiting any flaw in the authentication server, the app, or the OTP generation logic. The carrier does the work for the attacker. Any platform that relies on SMS for login, withdrawal authorisation, account recovery, or contact-detail changes is directly exposed.
The attack is particularly effective in fintech and crypto, where account access translates quickly to financial loss. It requires no technical skill, only enough social-engineering ability to pass a carrier's verification process, which in many markets remains low-friction.
Regulatory context
UK regulators have signalled that SMS-only authentication for high-risk payments is increasingly difficult to justify. The FCA's PS24/17 and FG24/6 require payment service providers to incorporate risk signals into their fraud decision engines. Telecom intelligence, including SIM swap data, is among the signals the FCA expects firms to consider for strong customer authentication compliance.
In the Netherlands and Germany, similar expectations apply under PSD2's Strong Customer Authentication requirements. Firms operating across GB, NL, DE and FR face a consistent regulatory direction: layering telecom signals into fraud decisions is expected, not optional.
The FCC adopted new SIM swap and port-out rules in the US market in 2023, effective July 2024, requiring carriers to apply multi-factor identity verification before reassigning a number. UK and EU carriers are under analogous, if not identically codified, pressure.
What risk teams can do
Three layers combine well in practice:
- Signal-based detection at the action point: query a SIM swap API before committing a high-risk action. A swap detected in the preceding 24 to 72 hours is a strong indicator of elevated risk. Block the OTP path, not the account, and step up.
- Step-up authentication: when a swap is detected, route the user to an alternative channel. Push notification to a registered device, video call verification, or document re-submission are all viable. The goal is to confirm the legitimate customer is present without blocking them outright if the swap is benign.
- Defence in depth: SIM swap is one vector. Combine it with VoIP screening (nonFixedVoip numbers at authentication are anomalous), number activity status, and account behavioural signals. No single check is sufficient.
What Telebase returns
Telebase returns a SIM swap signal for GB, DE, NL and FR numbers via a per-query API call. The signal is in early access while carrier registration completes. Today, querying a number in those markets returns simSwap: UNKNOWN. The carrier data feed is not yet active. When live, the field returns SWAPPED, NO_SWAP, or UNKNOWN.
Live signals today: carrier, country, number type (mobile, landline, VoIP) and active status. $0.03 per query. No contract. No minimum spend. Billed via Paddle.
Early access: SIM swap detection is launching for GB, DE, NL and FR.
If your risk team is building or evaluating fraud controls that incorporate SIM swap signals, get in touch. Early access gives you the signal before general availability and the ability to test it against your specific carrier and number mix. Carrier, country, number type and active status are queryable now.
Request early access