SIM Card Swap

Adversaries may gain access to mobile devices through transfers or swaps from victims’ phone numbers to adversary-controlled SIM cards and mobile devices.[1][2]

The typical process is as follows:

  1. Adversaries first gather information about victims through Phishing, social engineering, data breaches, or other avenues.
  2. Adversaries then impersonate victims when contacting mobile carriers to request a SIM swap. For example, adversaries provide victims’ names and addresses to the mobile carrier; once authenticated, they request that the victims’ phone numbers be transferred to adversary-controlled SIM cards.
  3. Once the swap is complete, victims lose mobile data, such as text messages and phone calls, on their mobile devices. In turn, adversaries receive the mobile data that was intended for the victims.

Adversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use SMS-based authentication to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets.

ID: T1451
Sub-techniques: No sub-techniques
Tactic Type: Without Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
MTC ID: STA-22
Contributors: Jennifer Kim Roman; Karim Hasanen, @_karimhasanen
Version: 2.0
Created: 25 October 2017
Last Modified: 12 February 2025

Procedure Examples

ID: G1004
Name: LAPSUS$
Description: LAPSUS$ has used SIM swapping to gain access to victims’ mobile devices.[3][4]

ID: G1015
Name: Scattered Spider
Description: Scattered Spider has used SIM swapping to bypass MFA and to maintain persistence on mobile carrier networks and SIM cards.[5][6][7][8]

Mitigations

ID: M1012
Mitigation: Enterprise Policy
Description: Enterprises should monitor for SIM card changes on the Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) platform.

ID: M1011
Mitigation: User Guidance
Description: The user should become familiar with social engineering tactics that ask for Personally Identifiable Information (PII). Additionally, the user should use hardware tokens, biometrics, and other non-SMS-based authentication mechanisms where possible. Finally, the user should enable SIM swapping protections offered by the mobile carrier, such as setting up a PIN or password to authorize any changes to the account.

Detection Strategy

ID: DET0658
Name: Detection of SIM Card Swap

Analytic ID: AN1747
Analytic Description: A defender correlates a sudden carrier identity/service state change (SIM/line identifier change or unexpected loss of cellular service) with near-term device messaging/telephony disruption and a concurrent shift in authentication traffic patterns, such as a spike in SMS-based verification flows or account recovery activity from the same user’s identities, indicating the user’s number may have been transferred to a different SIM/device (SIM swap impact).

Analytic ID: AN1748
Analytic Description: A defender correlates an unexpected change in cellular subscription state (eSIM/SIM profile change, carrier/operator change, or sudden persistent loss of cellular service) with near-term disruption signals and a rapid increase in authentication-related network activity consistent with SMS verification or account recovery flows, suggesting the user’s number has been ported to an adversary-controlled SIM/device (SIM swap impact).
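The two analytics above (and the M1012 guidance to watch EMM/MDM for SIM changes) describe the same correlation: a carrier identity or service-state change on a managed device, followed within a short window by an unusual burst of SMS verification or account recovery activity for the same user. The following Python sketch is an added example of that logic run over constructed sample events; it is not MITRE code or any vendor's analytic. The event names (`sim_changed`, `cellular_service_lost`, `sms_otp_sent`, `account_recovery_started`) and field names are assumptions standing in for whatever the EMM/MDM and identity provider actually export, and the window, threshold and baseline values are illustrative defaults.

```python
"""Correlate MDM SIM/cellular state changes with a near-term burst of
SMS-verification or account-recovery activity for the same user (AN1747/AN1748).

Added example for this page; not MITRE's or a vendor's detection. Event and
field names are assumptions for whatever the EMM/MDM and IdP actually emit.
"""
from datetime import datetime, timedelta

# Constructed sample EMM/MDM events (carrier identity and service state).
MDM_EVENTS = [
    {"ts": "2025-02-12T09:00:00", "user": "alice", "event": "sim_changed",
     "iccid_old": "ICCID_A_OLD", "iccid_new": "ICCID_A_NEW"},
    {"ts": "2025-02-12T09:01:30", "user": "alice", "event": "cellular_service_lost"},
    # bob: planned device refresh, no unusual auth activity afterwards
    {"ts": "2025-02-12T14:00:00", "user": "bob", "event": "sim_changed",
     "iccid_old": "ICCID_B_OLD", "iccid_new": "ICCID_B_NEW"},
]

# Constructed sample identity-provider events.
AUTH_EVENTS = [
    {"ts": "2025-02-11T10:00:00", "user": "alice", "event": "sms_otp_sent"},  # quiet baseline
    {"ts": "2025-02-12T09:05:00", "user": "alice", "event": "account_recovery_started"},
    {"ts": "2025-02-12T09:06:00", "user": "alice", "event": "sms_otp_sent"},
    {"ts": "2025-02-12T09:06:40", "user": "alice", "event": "sms_otp_sent"},
    {"ts": "2025-02-12T09:09:00", "user": "alice", "event": "sms_otp_sent"},
    {"ts": "2025-02-12T18:00:00", "user": "bob", "event": "sms_otp_sent"},  # routine, outside window
]

# Assumed event vocabularies; map these to the real EMM/MDM and IdP schemas.
SIM_CHANGE_EVENTS = {"sim_changed", "esim_profile_changed", "carrier_changed",
                     "cellular_service_lost"}
AUTH_SIGNALS = {"sms_otp_sent", "account_recovery_started", "password_reset_requested"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate_sim_swap(mdm_events, auth_events, window=timedelta(hours=2),
                       min_auth_events=3, baseline=timedelta(days=7)):
    """Return one alert per (user, hour of SIM change) where the count of SMS
    verification / recovery events within `window` after the change is at
    least `min_auth_events` and more than double the user's average count per
    same-length window over the preceding `baseline` period."""
    by_user = {}
    for e in auth_events:
        if e["event"] in AUTH_SIGNALS:
            by_user.setdefault(e["user"], []).append(_parse(e["ts"]))

    alerts = []
    seen = set()  # several MDM signals for the same user/hour collapse into one alert
    for m in mdm_events:
        if m["event"] not in SIM_CHANGE_EVENTS:
            continue
        t0 = _parse(m["ts"])
        key = (m["user"], t0.replace(minute=0, second=0, microsecond=0))
        if key in seen:
            continue
        seen.add(key)

        times = by_user.get(m["user"], [])
        after = [t for t in times if t0 < t <= t0 + window]
        before = [t for t in times if t0 - baseline <= t <= t0]
        baseline_per_window = len(before) / (baseline / window)  # timedelta / timedelta -> float

        if len(after) >= min_auth_events and len(after) > 2 * baseline_per_window:
            alerts.append({
                "user": m["user"],
                "trigger": m["event"],
                "sim_change_at": m["ts"],
                "auth_events_after": len(after),
                "baseline_per_window": round(baseline_per_window, 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_sim_swap(MDM_EVENTS, AUTH_EVENTS):
        print(alert)
```

With the sample data, alice's SIM change followed by four OTP/recovery events in nine minutes produces an alert, while bob's SIM change with a single routine OTP hours later does not. In production the baseline would come from the user's real history rather than a week of sample events, and a legitimate device replacement recorded by the help desk is the obvious false-positive source to suppress before paging anyone.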

References