SIM Card Swap

Adversaries may gain access to mobile devices by transferring or swapping victims’ phone numbers to adversary-controlled SIM cards and mobile devices.[1][2]

The typical process is as follows:

  1. Adversaries will first gather information about victims through Phishing, social engineering, data breaches, or other avenues.
  2. Adversaries will then impersonate victims when contacting mobile carriers to request the SIM swaps. For example, adversaries would provide victims’ name and address to mobile carriers; once authenticated, adversaries would request that victims’ phone numbers be transferred to adversary-controlled SIM cards.
  3. Once completed, victims will lose mobile data, such as text messages and phone calls, on their mobile devices. In turn, adversaries will receive mobile data that was intended for the victims.

Adversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use SMS-based authentication to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets.

ID: T1451
Sub-techniques:  No sub-techniques
Tactic Type: Without Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
MTC ID: STA-22
Contributors: Jennifer Kim Roman; Karim Hasanen, @_karimhasanen
Version: 2.0
Created: 25 October 2017
Last Modified: 12 February 2025

Procedure Examples

ID | Name | Description
G1004 | LAPSUS$ | LAPSUS$ has used SIM swapping to gain access to victims’ mobile devices.[3][4]
G1015 | Scattered Spider | Scattered Spider has used SIM swapping to maintain persistence on mobile carrier networks and SIM cards.[5]

Mitigations

ID | Mitigation | Description
M1012 | Enterprise Policy | Enterprises should monitor for SIM card changes in their Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) platform.
M1011 | User Guidance | The user should become familiar with social engineering tactics that ask for Personally Identifiable Information (PII). Additionally, the user should use hardware tokens, biometrics, and other non-SMS based authentication mechanisms where possible. Finally, the user should enable SIM swapping protections offered by the mobile carrier, such as setting up a PIN or password to authorize any changes to the account.
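
The Enterprise Policy mitigation above, sketched as an added example (not ATT&CK's or any EMM/MDM vendor's code): it compares consecutive device check-ins and flags a changed SIM identifier or a phone number that disappears from an unchanged SIM. The record schema, field names and sample values are constructed for illustration, and the "number lost" signal is an assumption about what an inventory report shows after a carrier-side swap.

```python
from collections import defaultdict

# Constructed check-ins in a hypothetical schema (not any EMM/MDM vendor's export format).
CHECKINS = [
    {"device": "dev-001", "ts": "2025-02-10T08:00:00Z", "iccid": "8900000000000000011", "msisdn": "+15550100"},
    {"device": "dev-002", "ts": "2025-02-11T09:30:00Z", "iccid": "8900000000000000099", "msisdn": "+15550101"},
    {"device": "dev-001", "ts": "2025-02-11T08:00:00Z", "iccid": "8900000000000000011", "msisdn": None},
    {"device": "dev-002", "ts": "2025-02-10T09:30:00Z", "iccid": "8900000000000000022", "msisdn": "+15550101"},
    {"device": "dev-003", "ts": "2025-02-10T10:00:00Z", "iccid": "8900000000000000033", "msisdn": "+15550102"},
]


def sim_change_alerts(checkins):
    """Compare each device's consecutive check-ins and report SIM identity changes."""
    by_device = defaultdict(list)
    for rec in checkins:
        by_device[rec["device"]].append(rec)

    alerts = []
    for device, recs in sorted(by_device.items()):
        # Same-format ISO 8601 UTC strings sort chronologically; input order is not trusted.
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            old_sim, new_sim = prev.get("iccid") or "", cur.get("iccid") or ""
            old_num, new_num = prev.get("msisdn") or "", cur.get("msisdn") or ""
            if new_sim != old_sim:
                kind = "iccid_changed" if new_sim else "sim_removed"
            elif new_num != old_num:
                # Assumption: a number vanishing from an unchanged SIM may mean the
                # carrier moved it to another SIM; treat as a lead to verify, not proof.
                kind = "number_changed" if new_num else "number_lost"
            else:
                continue
            alerts.append({"device": device, "ts": cur["ts"], "kind": kind,
                           "before": (old_sim, old_num), "after": (new_sim, new_num)})
    return alerts


if __name__ == "__main__":
    for alert in sim_change_alerts(CHECKINS):
        print(alert)
```

A device's first check-in only sets the baseline, so dev-003 produces no alert.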

Detection

ID | Data Source | Data Component | Detects
DS0042 | User Interface | System Notifications | The OS may show a notification to the user that the SIM card has been transferred to another device.

References