Here's the uncomfortable truth: your phone number is not yours. Not really. It belongs to your carrier, and it can be transferred to someone else's device with a phone call and enough social engineering. That single fact unravels the entire edifice of SMS-based two-factor authentication, and it's why SIM swap attacks have become one of the most effective account takeover vectors in circulation today.
The mechanics are almost embarrassingly simple. A threat actor gathers enough personal information about you — your name, address, date of birth, maybe even your account number from a data breach — and calls your mobile carrier pretending to be you. They claim they've lost their phone, want a replacement SIM, and need their number ported to the new device. If the carrier's verification process is weak — and most of them still rely on little more than a name and a PIN — the swap goes through. Just like that, your number lives on someone else's SIM card.
Once the swap is complete, every SMS one-time password sent to your number lands in the attacker's hands. Password resets for your email, your bank, your cryptocurrency exchange — all of it routes through a channel the attacker now controls. Torsten George, chief cybersecurity evangelist at ID Dataweb, experienced this firsthand when a threat actor conducted a SIM swap against his AT&T account two weeks before the attack came to light. By the time George noticed, the attacker already had his OTPs and was calling him pretending to be AT&T customer service, asking for the second layer of his account's passcode.
George played along, bought time, and eventually performed a parallel login on his own device. The attacker had already collected enough information to kick George out of his account, but George was fast enough to reset his password and lock the intruder out before any real damage occurred. Still, the near-miss exposed something systemic: "He no longer had access, but in that short period of time, he had lowered passcode from extra security to standard security," George told Dark Reading. That sentence alone should keep every security professional up at night.
The FBI's data backs this up. Complaints from users aged 60 and over jumped from 174 in 2023 to 222 in 2025, and losses rose again in 2025 to $6.7 million. Cifas, the UK's fraud prevention arm, reported a 38 percent increase in unauthorized SIM swaps in 2025, driven by stolen personal data and increasingly automated attack methods. This isn't a niche threat anymore. It's mainstream.
The Polish Ring That Proved the Scale
If you thought SIM swapping was mostly opportunistic — some lone wolf calling up your carrier on a Tuesday afternoon — the Polish case should disabuse you of that notion. Authorities in Poland, working with the FBI and Homeland Security Investigations, arrested four members of what they described as an organized cybercrime group that treated SIM swapping as a regular source of income.
The operation was sophisticated in ways that go well beyond social engineering at a call center. According to the Polish Cybercrime Bureau (CBZC), the suspects used specialized software and social engineering to gain unauthorized access to the infrastructure of entities cooperating with telecommunications operators, as well as employee email accounts at those partner organizations. The data obtained through these breaches enabled mass SIM swap attacks — not targeting random individuals, but systematically cloning and taking over victims' phone numbers at scale.
The financial impact was staggering. Investigators estimated that the group stole and laundered several tens of millions of Polish złoty — at least $5 million USD based on current exchange rates — through a distributed financial network of bank accounts across multiple countries and digital wallets. The stolen funds flowed from cryptocurrency exchange accounts that the group accessed after hijacking victims' phone numbers and intercepting their SMS-based authentication codes.
Blockchain crime investigator ZachXBT identified one of the arrested individuals as Wojtek Kulisz, known online as "Merry," based on images released by Polish authorities during the raid. All four suspects are in pre-trial detention and face charges including participation in an organized criminal group, hacking into IT systems to commit theft, and money laundering — offenses carrying a maximum penalty of 25 years in prison.
What makes this case particularly chilling is the infrastructure-level access the group achieved. They didn't just call carriers and pretend to be victims. They breached telecom partners, compromised employee accounts, and used stolen credentials to access systems that could clone phone numbers directly. This is the evolution of SIM swapping from a street-level con to an industrial-scale operation, and it demonstrates why individual user vigilance alone can't solve the problem.
Why OTPs Failed as a Security Layer
The industry built an entire authentication model on the assumption that SMS messages are a reliable delivery channel for one-time passwords. That assumption was always fragile, and it's now thoroughly broken. NIST SP 800-63B explicitly deprecates SMS-based OTPs for high-assurance authentication, and the reasoning is straightforward: if an attacker controls your phone number, they control your OTPs. Period.
The problem goes deeper than just SIM swaps, though that's the headline vulnerability. SMS can be intercepted through SS7 protocol exploits, cloned through IMSI catchers, and redirected through number porting attacks that don't even require the victim's cooperation. OTPs have become what George called "standard security" — a baseline layer that everyone implements but nobody really trusts. When something becomes standard, it stops being extra security and starts being the thing that gives you a false sense of protection.
NIST recommends AAL2+ authentication for sensitive accounts, which means hardware security keys using FIDO2 or WebAuthn protocols, or biometric-based authenticators that can't be intercepted over a telecom network. These solutions don't depend on your phone number at all. A YubiKey sitting in your pocket is immune to SIM swap attacks, and it's also immune to phishing in most practical scenarios because the hardware key validates the domain before releasing the credential.
The resistance to moving away from SMS is partly inertia, partly cost. Some telecom providers opt out of implementing stronger verification for high-risk transactions like number porting because of the extra costs or concerns about usability. But here's the thing: the cost of a SIM swap attack — whether it's $6,700 from an elderly victim or $5 million laundered through crypto exchanges — vastly exceeds the cost of implementing proper verification. Carriers are essentially choosing to absorb the reputational risk rather than invest in the fix.
What Carriers Got Wrong
George's experience with AT&T reveals a pattern that repeats across the industry. When he reported the fraud, he was disappointed with the lack of responsibility from the carrier. His phone number had been cancelled without his knowledge — a level of access that suggested the threat actor had penetrated beyond his individual account into AT&T's broader systems. "The threat actors were able to impersonate me in front of AT&T, that means that AT&T didn't do a geolocation check and didn't send an OTP," George said. "So they just relied on someone telling them it had to be changed. They need a multi-layer approach for such a high-risk transaction."
AT&T responded to Dark Reading by pointing to Wireless Account Lock, a free feature launched in 2025 that disables several types of account changes including SIM swaps and port-outs. The feature works, but it's not enabled by default. And historically, users have not opted into security features they don't fully understand at any meaningful scale.
This is the carrier problem in a nutshell: security features exist, they're free, and almost nobody uses them because carriers don't enable them by default and don't make the risk visceral enough to drive adoption. Meanwhile, the verification process for a number port — one of the highest-risk actions in telecommunications — still often comes down to a name, a date of birth, and whoever happens to be manning the support line that day.
The joint government advisory issued last year by cybersecurity authorities in the U.S., UK, Australia, and Canada specifically warned about Scattered Spider, a threat group that conducted SIM swaps during its campaigns to steal OTPs, credentials, and security answers. MITRE confirmed the group used SIM swapping to maintain persistence on mobile carrier networks. These are not amateur operators. They're well-resourced, methodical, and they've mapped the verification gaps in telecom infrastructure down to the specific questions that trigger a successful port.
ShinyHunters, the ransomware gang, operates from the same playbook. Impersonation is its primary attack methodology, according to George. And attackers rely on people being desensitized to OTPs popping up on their screens — it's become a habit to automatically respond, which makes social engineering attacks against users far more effective.
How to Actually Protect Yourself
The defensive playbook falls into two buckets: what you can do right now with the tools available, and what enterprises need to implement at a systemic level. Neither is optional.
For individuals, the first step is to enable Wireless Account Lock or its equivalent on your carrier. AT&T offers it for free. Check with yours — the feature exists at most major carriers, even if they won't tell you about it proactively. Second, move away from SMS-based OTPs entirely for any account that matters. Use an authenticator app that generates codes expiring within minutes or seconds, or better yet, a hardware security key. Your email account, your bank, your crypto exchange — these should all be on app-based or hardware-based authentication by now.
Third, develop a habit of suspicion around unsolicited OTPs. If a code pops up on your phone and you didn't request it, don't respond to it. Don't give it to anyone who calls. Verify account changes through alternate channels — call your carrier from a known number, not one provided by the person on the other end. George's attack hinged on him trusting a caller who claimed to be AT&T, and that trust was exploited because he'd been conditioned to treat OTPs as routine.
For enterprises, the approach needs to be risk-based authentication. George recommends that companies weigh geolocation signals, device status and distance, IP address anomalies, and a host of other risk factors before allowing sensitive actions. Some telecoms opt out because of extra costs or concerns over usability, but the cost of a breach far exceeds the cost of implementation.
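One way to turn those signals into a decision for a sensitive action is shown below. This Python is an added example, not George's or any vendor's implementation; the field names, weights, thresholds and the 72-hour SIM-change window are all assumptions chosen for illustration, and the SIM-change signal assumes the enterprise can obtain that data from the carrier.

```python
import dataclasses
from typing import Optional


@dataclasses.dataclass
class Signals:
    """Constructed signal set; every field name here is hypothetical."""
    known_device: bool
    km_from_last_login: float
    hours_since_last_login: float
    ip_anomalous: bool                        # e.g. new ASN or anonymizing proxy
    hours_since_sim_change: Optional[float]   # None = carrier data unavailable


SENSITIVE = {"sim_change", "port_out", "password_reset", "withdrawal"}
MAX_KMH = 900          # assumed ceiling: roughly airliner speed
SIM_QUARANTINE_H = 72  # assumed distrust window after a SIM change


def risk_score(s: Signals) -> int:
    score = 0
    if not s.known_device:
        score += 30
    # Distance alone is weak; distance over elapsed time exposes impossible travel.
    kmh = s.km_from_last_login / max(s.hours_since_last_login, 0.1)
    if kmh > MAX_KMH:
        score += 40
    if s.ip_anomalous:
        score += 20
    if s.hours_since_sim_change is not None and s.hours_since_sim_change < SIM_QUARANTINE_H:
        score += 40
    return score


def step_up_factors(s: Signals) -> list:
    """Factors allowed for step-up; SMS is offered only when the SIM is known stable."""
    factors = ["security_key", "authenticator_app"]
    if s.hours_since_sim_change is not None and s.hours_since_sim_change >= SIM_QUARANTINE_H:
        factors.append("sms")
    return factors


def decide(action: str, s: Signals) -> str:
    score = risk_score(s)
    if action not in SENSITIVE:
        return "allow" if score < 70 else "step_up"
    if score >= 70:
        return "deny"      # hold the action for manual review
    return "step_up" if score >= 30 else "allow"
```

The point of `step_up_factors` is that a recent or unverifiable SIM change removes SMS from the challenge options, so the step-up never travels over the channel that may have been hijacked.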
The rise of AI-powered social engineering is making pretext calls to telecom support faster and harder to detect. The attackers don't need a human on the line anymore — they can automate the impersonation, gather data from breaches, and execute SIM swaps at scale. The window for defense is closing, and the only thing that works is layering multiple authentication factors that don't depend on a single point of failure.
Your phone number is not a security boundary. It never was, and treating it like one is what got us here.