The number that wasn't theirs anymore
When a fraudster ports your customer's phone number, your SMS one-time code stops protecting them — and starts protecting the attacker.
What we're seeing
SIM-swap fraud (also called SIM hijacking or port-out fraud) starts away from the bank entirely: the attacker convinces a mobile carrier to move the victim's phone number onto a SIM they control. From that moment, every SMS one-time passcode and password-reset link meant for the customer is delivered straight to the fraudster.
With the number in hand, they reset online-banking credentials, enroll a new device, add a payee, and move the money — usually within a tight window before the victim realizes their phone has gone dark.
Why your current stack misses it
- SMS one-time codes are treated as a second factor — but once the number is hijacked, that 'second factor' is in the attacker's pocket, so MFA passes cleanly.
- Device binding helps, until the attacker re-enrolls a fresh device using the intercepted codes. Every authentication checkpoint comes back green.
The signal pattern
- A credential or device reset closely followed by a new-payee add and an outbound transfer.
- A one-time code delivered to a number that was just ported to a new carrier.
- Login and profile changes from a new device or geography, then rapid money movement.
- The genuine customer suddenly unreachable by phone (their real device has lost service).
What you'd do Monday morning
- Step up to out-of-band, non-SMS verification when a credential or device reset is followed by payee changes or transfers.
- Add a short cooling-off window on high-value transfers after a SIM or device change.
- Correlate 'reset to new device to new payee to transfer' as one event, not four routine ones.
Spot the Fraud
Read the case. Make the call. See how you score against The PreCogs.
A customer logs in from a new phone after a password reset, adds a payee, and sends a large transfer. The SMS one-time code passed. Clear it, or hold it?