Mobile networks must step up to prevent Sim-swap fraud

Criminals tricking mobile phone providers into transferring phone numbers to a Sim card they control – known as Sim-swap fraud – is on the rise.

Fraud prevention service Cifas says that Sim-swap attacks grew by 38% last year. It detailed the spike in its Fraudscape 2026 report and says unauthorised Sim swaps are being fuelled by widespread reliance on mobile-based authentication, such as text messages containing one-time passwords (OTPs). 

Criminals know that your phone number is the key to unlocking your finances. By stealing it, they could intercept OTPs to access your bank accounts, social media profiles, emails and any other online accounts that use SMS-based identity checks. 

First, they need to persuade your network provider to switch your number to a new Sim card (or a digital eSim) that they control. They could try to do this over the phone or in-store, but most are choosing to do this online instead. 

Once the swap is complete, your phone loses network connectivity, and the fraudster receives all your calls and texts.

Here, we look at three cases of Sim-swap fraud, explain what we think mobile networks should be doing and share our tips on how to protect yourself from these scammers. 

Lebara fooled by scammers who failed its ID checks

Last summer, scammers targeted Beth (not her real name) and used online ‘chat’ to change sensitive account details, despite repeatedly failing to answer security questions correctly.

On one occasion, the scammers didn’t know the correct registered home address, and on another they claimed they had lost their phone and couldn’t remember the online password. The third time was a charm, though – despite entering the last four digits of a frequently dialled number incorrectly, Lebara agreed to delink Beth’s email address from the account.

Beth noticed a message confirming a Sim swap, which she hadn't asked for, and spoke to a Lebara chat adviser to query it. But she was told it was a ‘glitch' and to ignore it. The criminals were unleashed, taking over two bank accounts and her PayPal, spending around £3,500. 

The money they spent was refunded, but the criminals continued to target various accounts for nearly a month.

‘I had to keep confirming that they were not my payments via multiple stressful phone calls and in-person visits. It was so traumatising,’ says Beth. ‘The other institutions involved were supportive and helpful. But Lebara was slow to respond, lacked understanding and offered no reassurance about my personal data security, which added to my distress and despair.’

Lebara told Which? it doesn't comment on individual customer accounts, although it explained that it uses industry-standard security practices to help protect customers' accounts and prevent unauthorised access. It said: ‘Where a customer's email account is compromised, it becomes particularly challenging for customers to ensure the security of their accounts across multiple channels, including their mobile provider.’

‘It took 10 days for Vodafone to recover my number’

Despite how swiftly Sim-swap fraudsters can drain bank accounts, recovering your phone number isn’t necessarily straightforward or speedy. 

Joanne from Weybridge had her number stolen in late September 2025. She reacted immediately when she saw a text message thanking her for requesting a Sim swap – by calling Vodafone to alert it to its error – yet she didn’t get her number back for another 10 days.

'During this time, the scammers intercepted the security codes sent by her bank and email provider, temporarily locking her and her husband out of these accounts. The fraudsters were exploiting a major and critical flaw with modern banking, which is the use of OTPs linked to mobile phone numbers,’ says Joanne. 

‘The stress and trauma are, in many ways, worse than if we had been physically burgled. If that had happened, it would actually be a crime actionable by the police and not something that disappears into a black hole.’

Vodafone initially told Which? there was ‘no indication that it took 10 days to retrieve the number’. However, when we pressed it for exact timings, it confirmed it had indeed taken this long. Timings for recovering a number moved to a different network can vary due to a number of factors, including cooperation of the receiving network and how far along the porting process is. 

VodafoneThree said: ‘Our dedicated fraud teams offer customers enhanced checks like multi-factor authentications for Sim swaps, whilst spotting and blocking fraudulent SMS calls. We are constantly evolving our defences, including investing in new technology, training our teams and establishing partnerships across the industry and with government and law enforcement where needed to continue to protect our customers.’

Why your emails might be targeted first

Which? warned in May 2025 about an escalation in Sim-swap scammers exploiting weak email security. This is how Ian was targeted at the beginning of the year, which resulted in criminals stealing £500 from his bank account and buying more thab £2,500 of Apple equipment via his PayPal account. 

He was called by the ‘Vodafone fraud department’ asking if he had requested a Sim swap. Even though Ian said that he hadn't, he received a text confirming the transfer shortly before his phone died. 

It transpired that fraudsters had got into his emails first, meaning they could receive the OTP to reset his Vodafone password and complete the Sim swap by asking for the PAC (Porting Authorisation Code) to transfer his number to a new provider by email. It’s likely the scammers wanted to keep the phone line busy so that Ian didn’t have time to alert Vodafone to the danger before the transfer completed.  

Vodafone said all fraudulent changes were changed back and steps were taken to update Ian’s credit file and provide him with additional support and protection against further fraud scams. 

Which? advised Ian to add two-factor authentication to protect his email account in the future. 

• Read more: How to create secure passwords

What can be done to stop Sim-swap fraud?

We think that the unauthorised Sim-swaps described by these customers could have been prevented. 

If our phones are a gateway to our finances, networks must beef up their defences. Mobile networks should check the location of users before they allow Sim swaps via email, for example, and flag requests linked to unusual IP addresses for additional checks.

Failed or persistent attempts to change sensitive account information should be another warning sign, particularly when users don’t provide the correct answers to basic security questions. 

Ofcom, the telecoms regulator, says networks will consider the location of the user before they will allow Sim swap via email. 

We think it’s unacceptable that a fraud victim might wait as long as 10 days to recover their mobile number. However, Ofcom said it doesn't set timeframes for networks to recover phone numbers in Sim-swap fraud cases, as every individual case is different.

All staff must be trained to recognise social engineering tactics and signs of an attack. And, if Sim-swap fraud is increasingly AI-powered, network defences should be too, for example, using machine learning to differentiate between rogue activity and legitimate customers.