• Home
  • /Learn
  • /SIM Swapping: An IT Security Blind Spot
background image


SIM Swapping: An IT Security Blind Spot


With the FBI recording 1,121 SIM-swapping complaints in 2021 alone— and that number only growing by the year— SIM swapping is finally getting widespread recognition for the IT security blind spot that it is.

But what exactly is SIM swapping, and why is it threatening organizations like yours?

Read on to find out.

What is SIM Swapping?

SIM swapping is a type of targeted physical or social engineering. More specifically, it is an account takeover attack wherein an attacker can access a mobile SIM card, giving them access to a victim's cellular connection... including voice and SMS data connections. Although the attack can involve physically swapping out the victim's SIM card, it is often accomplished by convincing a victim's mobile carrier to transfer their mobile phone number to a SIM card under the attacker's control. 

Upon gaining access, an attacker can often access sensitive online accounts that use SMS or voice as a multi-factor(MFA) method, such as email inboxes, online banking accounts, or even cryptocurrency trading systems. From there, the destructive impact depends on several factors, including how agile and savvy the attacker is, how long it takes the victim to become aware of the attack and rectify the situation, and whether the victim has implemented contingency security controls (often referred to as defence in depth.)

Who is the NullCrew, and How Did They Shine a Spotlight on the Risks of SIM Swapping?

The first SIM swapping attack was reported in 2011 by a group of hackers known as the "NullCrew" and targeted a California-based network security firm. Since then, SIM-swapping attacks have become increasingly common, sophisticated, and more high-profile; this includes targets such as social media influencers, banks, medium-to-large organizations, and cryptocurrency investors. In 2023 alone, thousands of dollars worth of personal assets has already been stolen via SIM swapping. 

This attack tactic has also been implicated in large-scale corporate data breaches. In 2022, the LAPSUS$ cybercrime group demonstrated that SIM-swapping attacks could penetrate enterprise networks. When LAPSUS$ breached mobile telecommunications giant T-Mobile, they targeted customer data hoping to gather the information that could enable future SIM swapping attacks against its customers. T-Mobile admitted in a press release that SIM swaps are a "common industry-wide occurrence" and tech giant Microsoft has warned organizations against using SMS and mobile voice for multi-factor authentication.

So, why is SIM swapping such an IT security blind spot? What can companies do to protect themselves?

The SIM Swapping Security Gap

Penetration testing is the de facto methodology for identifying elusive IT security risks in an organization's people, processes, and technology. It assures an organization that it is cyber-resilient and can maintain continuous business operations. Penetration testing may include tactics and techniques to attest an organization's physical, technical, and administrative controls by simulating real-world attacks.

But penetration testing activities are also subject to legal limitations, and this legal barrier can result in "blind spots" where IT security cannot be assessed or verified. For example, cloud Infrastructure as a Service (IaaS) providers lease out virtual private servers (VPS) to customers for various purposes, such as hosting websites or running applications. However, customers are contractually restricted from penetration testing the leased infrastructure itself. They may pentest their web applications and hosted services, but attempts to escape the VPS or test system restrictions are usually disallowed in a standard acceptable use policy.

Customers who violate these policies may face legal consequences, termination of their service, and potential liability for any damages caused. This creates a blind spot where organizations cannot reliably assess the level of protection from attacks that would seek to gain access to their resources through VM escape.

SIM swapping attacks present the same security blind spot for organizations because they cannot legally pursue identity theft attacks against mobile carriers. Instead, they must rely on mobile carriers to follow their own security assessments. A 2020 body of research showed that depending on mobile carriers to secure themselves isn't a safe bet, as five major US mobile providers were vulnerable to SIM swapping attacks.

What Can Organizations Do To Close The SIM Swapping Security Gap?

SIM swapping attacks have the potential to give an attacker unauthorized access to sensitive online accounts and assessing an organization's real risk to this vulnerability is difficult. So, what can organizations do to protect themselves against SIM-swapping attacks?  

Here is a list of security best practices for proactively defending against SIM swapping:

  • Use alternative forms of MFA:  Do not rely on SMS or cellular voice for multi-factor authentication. Instead, use other forms of MFA such as hardware security keys, biometric authentication, or mobile authenticator apps.

  • Choose a mobile carrier demonstrating IT security compliance: Considering a data leak against a mobile carrier could provide attackers with customers' personal data, it's a good idea to choose a mobile carrier demonstrating IT security compliance such as ISO-27001 and SOC-2. These compliance standards ensure that the carrier has implemented best practices for IT security and is regularly audited.

  • Assess a mobile carrier's verification procedures: Some large banks have started using voice recognition to detect and prevent identity theft and fraud. It's worthwhile to contact your mobile carrier and ask about what they are doing to prevent fraud and SIM swapping attacks proactively. Before transferring a phone number to a new SIM card, you can also assess your mobile carrier's identity verification procedures to ensure they are sufficiently strong, such as requiring a password or PIN. 

  • Ensure each account has multiple contacts: Organizations can ensure that each account has numerous contacts listed for the account. This can ensure that if an attacker can hijack an account, you can quickly regain control of the account.

  • Monitor and detect suspicious activity: SMS may be better than no MFA at all, so if you absolutely must use SMS as an MFA option be sure to monitor accounts and systems for suspicious activity, such as failed login attempts or changes to account information. This can help detect SIM swapping attacks early and prevent further damage.

By implementing these best practices, organizations can protect themselves and their customers against SIM-swapping attacks and reduce the risk of data breaches.


While SIM swapping is undoubtedly becoming a more prominent threat for organizations around the globe, taking a preventative approach will mitigate existing and potential threats for you and your business.

Get a custom quote today to tackle your security threats before they occur... and avoid late-night phone calls and security incidents for good.

Cloud Penetration Testing

Uncover vulnerabilities within your AWS, Azure, and Google cloud environments that can undermine your security posture.

By conducting a Cloud-based Penetration Test, you will:

  • Pinpoint security issues that could be preventing you from meeting compliance standards, including PCI DSS, SOC2, FedRAMP, ISO27001, MPA
  • Receive robust testing against AWS, Azure, and Google cloud service infrastructure that includes cloud virtual infrastructure, containers and pods, identity and access management (IAM) and externally accessible exposures
  • Go beyond a vulnerability assessment to identify what an attacker could do with valid access keys or tokens and the techniques they could use to breach sensitive information
  • Be able to compare current cloud configurations against security best practices
  • Receive industry-leading expertise from a GIAC Certified Cloud Penetration Tester