SIM Swapping and How to Prevent it

January 9, 2025

by John Dasher

SIM swapping attacks have been a threat for years, but gained mainstream attention in 2019 when hackers took over the cellular account of Twitter CEO Jack Dorsey. Because we use our cell phone number as an authentication method for a variety of online services and applications, this type of attack is far more insidious than it might initially seem. SIM swapping continues to be a serious problem as sophisticated attackers improve their tactics, so it’s critical for telecoms to provide multi-faceted defenses including tools as well as best practices.

What is SIM Swapping?

If you’ve heard of SIM swapping, you likely heard about it in the context of a celebrity or politician being hacked and having their private text messages or photos shared publicly. SIM swapping, also known as simjacking or SIM splitting, is a type of account takeover (ATO) attack that enables attackers to transfer a victim’s phone number to another SIM card or eSIM without their consent. At first glance it may seem as if the attacker is attempting to access the victim’s contacts, text messages, or voicemails, but there are also other – very serious and costly – potential impacts. With access to the victim’s phone service, attackers can respond to forgotten password and two-factor authentication (2FA) requests intended for the victim and access the victim’s accounts and services such as email, banking, social media, and even business accounts. This, of course, can lead to identity theft, fraud, and financial theft.

SIM swapping attacks typically occur in one of two ways:

  • Through social engineering – In this case, the attacker may call the telecom’s customer service team pretending to be the intended victim and request a SIM swap under the pretext of a phone upgrade, lost phone, or something similar. This method is manual and potentially time consuming. Not only does the attacker need to actually call the telecom, but they also need to do some reconnaissance to gather information about the victim in order to authenticate themselves as the victim.
  • Through web applications and APIs – Electronic attacks are executed using web apps and APIs that trigger a SIM swap automatically, without talking to anyone. This method can be automated, dramatically increasing the scale, and therefore risk, at which this attack can be performed.

Impacts of SIM Swapping

Successful SIM swapping attacks can result in several potential impacts, including:

  • Access to private information – once attackers have access to the victim’s phone service, they can access text messages, contacts, and other sensitive data.
  • Account takeover (ATO) of other accounts – attackers can use the victim’s phone number to reset passwords and gain access to other online accounts such as social media, retail, medical, and banking.
  • Financial fraud – attackers can use the victim’s phone number to access their email account and bypass two-factor authentication, potentially providing them access to the victim’s bank accounts, which can then be drained electronically.
  • Personal reputation damage – beyond financial loss, attackers could make the victim’s personal and private information public, harming their personal reputation and career.

Notable SIM Swapping Cases

SIM swapping continues to be a concern, with horror stories and statistics easily found through a simple web search. Here are just a few of the notable SIM swapping cases that gained media attention:

  • Jack Dorsey, former CEO of Twitter – attackers took over Jack Dorsey’s Twitter account after a successful SIM swap and retweeted pro-Nazi messages.
  • U.S. Securities and Exchange Commission – attackers took over the SEC’s X (formerly Twitter) account to issue a fake announcement that Bitcoin ETFs were finally approved on securities exchanges.
  • Selena Gomez, actress and singer – attackers accessed Selena Gomez’s Instagram account and posted explicit photos of her ex-boyfriend, Justin Bieber.
  • Matthew Prince, Cloudflare CEO – attackers used the CEO’s email account to access a Cloudflare customer account and change the customer’s DNS records to redirect the site to Twitter.
  • Jacy Erin, social media influencer – attackers successfully SIM swapped her phone and her parents’ phone and spent almost $40,000 on their credit card.

Regulatory Response

Regulations and guidelines related to SIM swapping require providers to enable improved processes to protect consumers. In November 2023, the Federal Communications Commission adopted a Report and Order that implemented new rules protecting cellular consumers from SIM swapping attacks. In this update to the Customer Proprietary Network Information (CPNI) and Local Number Portability rules already in place, the Report and Order requires providers to “adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider.”

How Cequence Protects Against SIM Swapping

The sophistication and potential volume of SIM swapping attacks that utilize web applications and APIs require an automated defensive approach. Telecom providers need a solution that can analyze network traffic flows, map the user journey, and identify API flows necessary for a successful SIM swap. Mapping the user journey and API flows enables detection of deviations from normal user flows, potentially indicating non-human or malicious pathways.

Cequence Unified API Protection maps these flows and uses machine learning to identify bad actors through a behavioral fingerprint, which is a combination of factors such as tools used to launch the attack, user agents, proxies in use, and IP reputation. Each API request is analyzed on its own, but also analyzed with other requests and compared against the behavioral fingerprint to identify patterns that may suggest an attack.

There are several steps for a SIM swap that use web applications and APIs, such as phone number or IMEI (International Mobile Equipment Identity) verification, number porting eligibility, and SIM swap execution. Cequence can monitor API requests through each of these steps and offer mitigation options including logging, tagging, header injection, rate limiting, and blocking.
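The flow-deviation idea described above can be illustrated with a small detector. This is an added example, not Cequence's product logic: the endpoint names, the threshold, the (IP, user agent) pair used as a stand-in for a behavioral fingerprint, and the log events are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical endpoint names for the three steps listed above, in the expected order.
FLOW = ["/verify-device", "/port-eligibility", "/sim-swap"]
MAX_NUMBERS_PER_CLIENT = 3  # assumed threshold: distinct numbers one client may touch

# Constructed sample events: (epoch seconds, client IP, user agent, phone number, endpoint)
EVENTS = [
    (100, "198.51.100.7", "CarrierApp/5.2", "+12025550101", "/verify-device"),
    (130, "198.51.100.7", "CarrierApp/5.2", "+12025550101", "/port-eligibility"),
    (190, "198.51.100.7", "CarrierApp/5.2", "+12025550101", "/sim-swap"),
    (200, "203.0.113.9", "python-requests/2.31", "+12025550102", "/sim-swap"),
    (201, "203.0.113.9", "python-requests/2.31", "+12025550103", "/port-eligibility"),
    (202, "203.0.113.9", "python-requests/2.31", "+12025550104", "/port-eligibility"),
    (203, "203.0.113.9", "python-requests/2.31", "+12025550105", "/port-eligibility"),
    (300, "192.0.2.44", "CarrierApp/5.2", "+12025550106", "/verify-device"),
    (310, "192.0.2.44", "CarrierApp/5.2", "+12025550106", "/sim-swap"),
]

def evaluate(events):
    """Return {client: (action, reasons)}; actions are log, rate_limit or block."""
    progress = defaultdict(int)   # (client, number) -> flow steps completed in order
    numbers = defaultdict(set)    # client -> distinct phone numbers touched
    reasons = defaultdict(list)
    for ts, ip, ua, number, endpoint in sorted(events):
        client = (ip, ua)         # simplified stand-in for a behavioral fingerprint
        numbers[client].add(number)
        step, done = FLOW.index(endpoint), progress[(client, number)]
        if step == done:
            progress[(client, number)] += 1   # expected next step of the journey
        elif step > done:                     # jumped ahead: deviation from the mapped flow
            reasons[client].append(f"{endpoint} for {number} skipped {FLOW[done]}")
    verdicts = {}
    for client, touched in numbers.items():
        fan_out = len(touched) > MAX_NUMBERS_PER_CLIENT
        if fan_out:
            reasons[client].append(f"{len(touched)} distinct numbers from one client")
        skipped_swap = any(r.startswith("/sim-swap") for r in reasons[client])
        action = "block" if skipped_swap and fan_out else "rate_limit" if reasons[client] else "log"
        verdicts[client] = (action, reasons[client])
    return verdicts
```

Each request is scored on its own (does it follow the previous step for that number?) and together with the client's other requests (how many numbers has it touched?), which mirrors the two levels of analysis described above.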

Cequence protects two of the top three U.S. telecoms, the largest telecommunications corporation in the Gulf Cooperation Council, and the largest wireless carrier in New Zealand. Reach out to us today to learn more about how we can help your business.

Author

John Dasher

Vice President of Product Marketing

John Dasher, Cequence VP of product marketing, has extensive cybersecurity experience having held leadership roles contributing to 9 successful startup exits. Firms include Banyan Security, RiskSense, Niara, Good Technology, McAfee, PGP, and 11 years at Apple developing award-winning hardware and software products.