1. Home
  2. Techniques
  3. Mobile
  4. SIM Card Swap

SIM Card Swap

Adversaries may gain access to mobile devices through transfers or swaps from victims’ phone numbers to adversary-controlled SIM cards and mobile devices.[1][2]

The typical process is as follows:

  1. Adversaries will first gather information about victims through Phishing, social engineering, data breaches, or other avenues.
  2. Adversaries will then impersonate victims as they contact mobile carriers to request for the SIM swaps. For example, adversaries would provide victims’ name and address to mobile carriers; once authenticated, adversaries would request for victims’ phone numbers to be transferred to adversary-controlled SIM cards.
  3. Once completed, victims will lose mobile data, such as text messages and phone calls, on their mobile devices. In turn, adversaries will receive mobile data that was intended for the victims.

Adversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use SMS-based authentication to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets.

ID: T1451
Sub-techniques:  No sub-techniques
Tactic Type: Without Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
MTC ID: STA-22
Contributors: Jennifer Kim Roman; Karim Hasanen, @_karimhasanen
Version: 2.0
Created: 25 October 2017
Last Modified: 12 February 2025
Version Permalink

Procedure Examples

ID Name Description
G1004 LAPSUS$

LAPSUS$ has used SIM swapping to gain access to victims’ mobile devices.[3][4]

G1015 Scattered Spider

Scattered Spider has used SIM swapping to bypass MFA and to maintain persistence on mobile carrier networks and SIM cards.[5][6][7][8]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

Enterprises should monitor for SIM card changes on the Enterprise Mobility Management (EMM) or the Mobile Device Management (MDM).

M1011 User Guidance

The user should become familiar with social engineering tactics that ask for Personally Identifiable Information (PII). Additionally, the user should include the use of hardware tokens, biometrics, and other non-SMS based authentication mechanisms where possible. Finally, the user should enable SIM swapping protections offered by the mobile carrier, such as setting up a PIN or password to authorize any changes to the account.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0658 Detection of SIM Card Swap AN1747

The OS may show a notification to the user that the SIM card has been transferred to another device.
AN1748

The OS may show a notification to the user that the SIM card has been transferred to another device.

References

  1. AT&T. (n.d.). UPDATE: Secure Your Number to Reduce SIM Swap Scams. Retrieved January 27, 2025.
  2. Verizon. (n.d.). SIM Swapping. Retrieved January 27, 2025.
  3. Krebs, B. (2022, March 23). A Closer Look at the LAPSUS$ Data Extortion Group. Retrieved January 27, 2025.
  4. Microsoft Incident Response, Microsoft Threat Intelligence . (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved January 27, 2025.
  1. Mphasis. (2024, April 17). Scattered Spider conducts SIM swapping attacks. Retrieved February 3, 2025.
  2. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
  3. Counter Adversary Operations. (2025, July 2). CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries. Retrieved October 13, 2025.
  4. Check Point Team. (2025, July 7). Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation. Retrieved October 13, 2025.