Security Encyclopedia

SIM Swapping

In a SIM swapping attack, the attacker bribes or tricks a mobile service provider into transferring a target's mobile phone number to a SIM card the attacker controls. Once the number has been transferred, the attacker can intercept any one-time passwords sent to the victim via SMS or phone call. They can also reset the password for any online account that allows password resets via a link sent over SMS.

SIM swapping does not require the attacker to have physical access to the targeted phone. Typically the attacker claims to have lost or damaged their SIM card and asks a customer service representative to activate a new one. To answer the carrier's security questions and convince it to move the number to the new SIM card, they use data collected through phishing emails, credentials leaked in data breaches, malware, or social media.

Once the attacker controls the number, they also control it as an authentication factor: any OTPs are sent to their phone, allowing them to bypass two-factor or multi-factor authentication methods tied to that number.