Fraud Prevention

SIM swap fraud explained for risk teams

SIM swap fraud is a social-engineering attack that redirects a victim's phone number to a SIM card the attacker controls. Once the number is theirs, SMS-based authentication becomes the attacker's tool rather than the customer's defence. This page explains how SIM swap works, why it remains effective against standard fintech security stacks, and what signals are available to reduce exposure.

What happens in a SIM swap

The attacker gathers enough personal information, such as name, address and date of birth, to pass a carrier's identity verification. They contact the carrier's customer support or a retail outlet and request a SIM replacement, claiming the original SIM is lost or damaged. The carrier reassigns the number. The victim's physical SIM stops working immediately.

From that point, all inbound calls and SMS messages route to the attacker's device. The victim typically notices their phone has lost signal and may attribute it to a network issue. The attacker uses the access window, often under an hour, to trigger password resets across financial accounts, receive OTPs, and drain funds or take control of high-value accounts.

Why SMS authentication is the target

SMS OTPs are the most common second factor in financial services. A SIM swap bypasses them entirely without exploiting any flaw in the authentication server, the app, or the OTP generation logic. The carrier does the work for the attacker. Any platform that relies on SMS for login, withdrawal authorisation, account recovery, or contact-detail changes is directly exposed.

The attack is particularly effective in fintech and crypto, where account access translates quickly to financial loss. It requires no technical skill, only enough social-engineering ability to pass a carrier's verification process, which in many markets remains low-friction.

Regulatory context

UK regulators have signalled that SMS-only authentication for high-risk payments is increasingly difficult to justify. The FCA's PS24/17 and FG24/6 require payment service providers to incorporate risk signals into their fraud decision engines. Telecom intelligence, including SIM swap data, is among the signals the FCA expects firms to consider for strong customer authentication compliance.

In the Netherlands and Germany, similar expectations apply under PSD2's Strong Customer Authentication requirements. Firms operating across GB, NL, DE and FR face a consistent regulatory direction: layering telecom signals into fraud decisions is expected, not optional.

The FCC adopted new SIM swap and port-out rules in the US market in 2023, effective July 2024, requiring carriers to apply multi-factor identity verification before reassigning a number. UK and EU carriers are under analogous, if not identically codified, pressure.

What risk teams can do

Three layers combine well in practice:

What Telebase returns

Telebase returns a SIM swap signal for GB, DE, NL and FR numbers via a per-query API call. The signal is in early access while carrier registration completes. Today, querying a number in those markets returns simSwap: UNKNOWN. The carrier data feed is not yet active. When live, the field returns SWAPPED, NO_SWAP, or UNKNOWN.

Live signals today: carrier, country, number type (mobile, landline, VoIP) and active status. $0.03 per query. No contract. No minimum spend. Billed via Paddle.

Early access: SIM swap detection is launching for GB, DE, NL and FR.

If your risk team is building or evaluating fraud controls that incorporate SIM swap signals, get in touch. Early access gives you the signal before general availability and the ability to test it against your specific carrier and number mix. Carrier, country, number type and active status are queryable now.

Request early access