The Foresight Lab
Issue 05Account takeover (SIM swap)

The number that wasn't theirs anymore

When a fraudster ports your customer's phone number, your SMS one-time code stops protecting them — and starts protecting the attacker.

Jul 13, 2026 3 min read

What we're seeing

SIM-swap fraud (also called SIM hijacking or port-out fraud) starts away from the bank entirely: the attacker convinces a mobile carrier to move the victim's phone number onto a SIM they control. From that moment, every SMS one-time passcode and password-reset link meant for the customer is delivered straight to the fraudster.

With the number in hand, they reset online-banking credentials, enroll a new device, add a payee, and move the money — usually within a tight window before the victim realizes their phone has gone dark.

Why your current stack misses it

  • SMS one-time codes are treated as a second factor — but once the number is hijacked, that 'second factor' is in the attacker's pocket, so MFA passes cleanly.
  • Device binding helps, until the attacker re-enrolls a fresh device using the intercepted codes. Every authentication checkpoint comes back green.

The signal pattern

  • A credential or device reset closely followed by a new-payee add and an outbound transfer.
  • A one-time code delivered to a number that was just ported to a new carrier.
  • Login and profile changes from a new device or geography, then rapid money movement.
  • The genuine customer suddenly unreachable by phone (their real device has lost service).

What you'd do Monday morning

  • Step up to out-of-band, non-SMS verification when a credential or device reset is followed by payee changes or transfers.
  • Add a short cooling-off window on high-value transfers after a SIM or device change.
  • Correlate 'reset to new device to new payee to transfer' as one event, not four routine ones.
Now you try

Spot the Fraud

Read the case. Make the call. See how you score against The PreCogs.

Spot the Fraud
FL-05

A customer logs in from a new phone after a password reset, adds a payee, and sends a large transfer. The SMS one-time code passed. Clear it, or hold it?

Customer44, steady direct-deposit history
Eventpassword reset 22 min ago, then login from a new device
MFASMS one-time code delivered and passed
Carriernumber ported to a new carrier earlier today
Actionnew payee added, then $12,400 transfer
Prior payeesnone external in 2 years
Callbacks2 failed branch callbacks — customer's phone unreachable
Devicenew device, geo 300 mi from home
Your call?
No noise. One sharp briefing a week.

Get the Foresight Lab in your inbox.

One fraud pattern, decoded, every week — plus the Spot the Fraud challenge. Built for fraud, BSA, and risk teams. Unsubscribe any time; we read every reply.

One email a week. No spam. Or email us at info@digsfact.com.