Sim-swap scammers exploit weak email security, warns Which?

Unsecured email accounts are being targeted by Sim-swap scammers, but a worrying escalation in cases suggests mobile networks should be doing more to protect customers.
Sim swapping involves criminals hijacking your mobile number, so that the text messages meant for you, including the one-time passcodes your bank and other services send to that number, arrive on a Sim they control. With those codes they can break into your online accounts. At the beginning of the year, we published exclusive data showing that reports of Sim-swap scams to Action Fraud had doubled year-on-year.
New figures from fraud prevention service Cifas found that its members – including mobile networks and other telecom providers – reported an astonishing 1,055% increase in cases of unauthorised Sim swaps, up from 289 in 2023 to almost 3,000 in 2024. It's believed that Sim swapping was one of the tactics used by the recent Co-op and M&S cyberattackers.
So what’s going on? Recent cases point to weak email security opening the door to fraudsters, but we spoke to two victims who feel that their mobile network providers let them down.
‘Giffgaff took eight hours to respond’
Giffgaff tells customers it offers 24/7 online support, which is why it doesn’t need a call centre. However, this meant Sarah, a theatre producer from London, was left waiting for eight hours when scammers stole her phone number.
She had received a text from Giffgaff about her Sim being transferred and quickly sent an online message to explain that the request wasn’t from her. Within an hour, her phone stopped working, and the scammers immediately went to town.
They broke into her accounts with Amazon, Argos, eBay and Nectar, passing each service's security check by receiving the one-time passcodes (OTPs) it sent by text to her number, which now terminated on their Sim. They managed to steal her Nectar points but, fortunately, her bank was on the ball and blocked her card when they attempted to buy iPhones and other pricey goods.
Sarah told us: ‘If Giffgaff had given me the time to contact them to say "this wasn't me", the fraud wouldn't have been able to go ahead. Instead, they sent a text at 7pm, and because it's online only, no one from Giffgaff picked up or responded to my messages until eight hours later. The scammers kept changing my password to block me out of my Giffgaff account, making it extremely difficult to contact the customer service team and read their replies.’
‘I didn’t even know there was such a thing as an eSim’
If you get a text from your network about your Sim being transferred, or a PAC (Porting Authorisation Code) request, don’t ignore it — this could be your only chance to stop scammers in their tracks.
Caterina, a manager from Lincolnshire, learned this the hard way. She was in Italy last October when her mobile was abruptly cut off. She wasn't able to contact her O2 network until several hours later, when she could use a friend's phone. She discovered that someone had called customer services posing as her, asking to switch her Sim card to an electronic one (known as an eSim).
‘I didn’t even know there was such a thing as an eSim and I’d never heard of Sim-swap fraud,’ says Caterina. ‘I had received a text from O2 the day before my phone was cut off, but I thought this was a scam message, so I didn’t follow up.’
Once they had moved her phone number to their own eSim, the scammers attempted to spend £800 at B&Q using her card details. The bank's security check sent an OTP by SMS to her number, which by then reached the scammers' eSim rather than her handset, so they could supply it. Thankfully, her bank blocked the transaction and froze her card, but she was locked out of her emails and spent the rest of her trip terrified about what they might try next.
She told us: ‘None of this could be dealt with until my return to the UK. It made me ill and messed with my wellbeing. I feel that O2 should give customers more time before sending security codes out for people to change anything on their account, in the event of it being a potential scammer.
‘It was so overwhelming trying to prove my identity to O2 and my bank without access to my mobile, which has everything on it. I’ve had no closure from O2, which won’t tell me how it happened or what I could have done to prevent it.
‘My O2 app still refers to a pending installation notification for an eSim. I've been told that it's unable to request to have it removed, so every time I see this, I momentarily get a shot of anxiety.’
How did the scammers do it?
When Which? warned about Sim-swap fraud back in 2020, most of the attacks reported to us involved scammers gathering personal details about their victims and using them to pass the network's security checks over the phone or in store. Both Sarah and Caterina, by contrast, had their email accounts compromised first; neither mailbox was protected by two-factor authentication (2FA).
Mobile networks do apply their own 2FA checks at login, but customers can ask for the OTP to be sent to their registered email address instead of their phone. There is a legitimate reason for this fallback: a Sim can stop working, and the customer then needs another way to log in and request a replacement. The trade-off is that the network's login check becomes only as strong as the email account behind it. Whoever controls the mailbox can pass it.
Once Sarah's email account had been hijacked, the scammers reset her Giffgaff password by triggering an OTP to that address, logged in as 'Sarah' and requested that her number be moved to an unactivated Sim they controlled.
In Caterina's case, access to her emails let the scammers into her online O2 account first. Armed with a significant amount of her personal details, they then called customer services, cleared the security checks and had her number swapped to an eSim of their own.
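Both cases share a pattern a network could check for before acting on a Sim or eSim transfer: a password reset authorised through the email fallback shortly before the swap request, a request that was never confirmed with an account Pin, and a customer reply of "this wasn't me" that arrived while the swap was still pending. The following is an added example written for this article, not code from Giffgaff, O2 or any other network; the event log, field names, 7-day lookback and 24-hour hold are assumptions chosen to illustrate the control, and the two timelines are constructed from the cases above.

```python
"""Risk check for a Sim/eSim transfer request (added example, constructed).

Scores a swap request against the account's recent history, holds risky
requests for a cooling-off period, and cancels a held request if the
customer denies it from the old number. Thresholds and event names are
assumptions for this example, not any network's real policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

LOOKBACK = timedelta(days=7)   # assumed: how far back to look for risky changes
HOLD = timedelta(hours=24)     # assumed: cooling-off period before a risky swap completes


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str     # "password_reset", "recovery_change", "login", "sim_swap_request", "customer_not_me"
    channel: str  # how it was authorised: "email_otp", "sms_otp", "account_pin", "app", "old_sim_reply"


@dataclass
class Decision:
    action: str                          # "proceed", "hold" or "cancel"
    reasons: List[str] = field(default_factory=list)
    hold_until: Optional[datetime] = None


def assess_sim_swap(events: List[Event], request: Event) -> Decision:
    """Decide whether a sim_swap_request may proceed immediately."""
    window = [e for e in events if request.when - LOOKBACK <= e.when < request.when]
    reasons = []
    # 1. A password reset authorised by an emailed OTP is the Sarah pattern:
    #    the email fallback turns a hijacked mailbox into a master key.
    if any(e.kind == "password_reset" and e.channel == "email_otp" for e in window):
        reasons.append("password reset via email OTP within lookback window")
    # 2. Any recent change to where security codes are delivered is a red flag.
    if any(e.kind == "recovery_change" for e in window):
        reasons.append("recovery or contact details changed within lookback window")
    # 3. The swap itself was not confirmed with the account Pin that the
    #    article recommends customers set up.
    if request.channel != "account_pin":
        reasons.append(f"swap not authorised with account PIN (channel={request.channel})")
    if not reasons:
        return Decision("proceed", ["no risk indicators; still notify the old Sim"])
    return Decision("hold", reasons, hold_until=request.when + HOLD)


def apply_customer_response(decision: Decision, events: List[Event], request: Event) -> Decision:
    """A 'this wasn't me' reply from the old number during the hold cancels the swap.

    Sarah replied within the hour yet the swap still went through; with a hold
    in place the number stays on the original Sim until a human reviews it.
    """
    if decision.action != "hold":
        return decision
    for e in events:
        if e.kind == "customer_not_me" and request.when <= e.when <= decision.hold_until:
            return Decision("cancel", decision.reasons + ["customer denied request during hold"])
    return decision


def run(events: List[Event]) -> Decision:
    """Locate the swap request in the log and return the final decision."""
    request = next(e for e in events if e.kind == "sim_swap_request")
    return apply_customer_response(assess_sim_swap(events, request), events, request)


# Constructed timelines (not real logs). T0 stands in for the 7pm request in Sarah's case.
T0 = datetime(2025, 1, 10, 19, 0)

SARAH_LIKE = [
    Event(T0 - timedelta(hours=3), "password_reset", "email_otp"),   # reset via hijacked mailbox
    Event(T0 - timedelta(hours=2, minutes=50), "login", "app"),      # attacker logs in as the customer
    Event(T0, "sim_swap_request", "app"),                            # number requested onto a new Sim
    Event(T0 + timedelta(minutes=20), "customer_not_me", "old_sim_reply"),  # victim replies to the alert
]

LEGIT_REPLACEMENT = [
    Event(T0 - timedelta(days=30), "login", "app"),
    Event(T0, "sim_swap_request", "account_pin"),   # lost Sim, replacement confirmed with account Pin
]

if __name__ == "__main__":
    for name, log in (("sarah_like", SARAH_LIKE), ("legit", LEGIT_REPLACEMENT)):
        d = run(log)
        print(name, d.action, "; ".join(d.reasons))
```

The hold is deliberately a delay rather than a refusal: a genuine customer with a dead Sim is inconvenienced by a day, while an attacker who has already burned a stolen mailbox loses the window in which the victim has not yet noticed. The Pin check in step 3 is what the first of the prevention steps later in this article asks customers to set up.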
Action Fraud insight into Sim-swap scams
We spoke to Action Fraud about the spike in cases, asking for any additional insight into the tactics being used. It shared some key findings with us:
- Scammers have focused on online attacks: based on analysis of a representative sample of 1,000 reports across the five years, 2024 saw a substantial rise in cyber-dependent means being used to access an online mobile account and carry out a Sim swap.
- You still need to watch out for scam callers: alongside cyber-dependent Sim swapping, social engineering remains prevalent, both against the networks directly and against individual victims. In particular, victims report receiving vishing calls impersonating their mobile provider.
- References to eSIMs have significantly increased: in 2022, only 18 reports referenced an eSIM, compared with 763 in 2024, more than a 40-fold increase. However, there is no indication that victims who have an eSim are uniquely vulnerable.
- Losses have remained fairly stable: while overall reporting rose substantially from 2023 onwards, victims have not reported correspondingly higher financial losses. Reported losses rose by just 26% between 2023 and 2024, to a total of £5.4m, against a 129% increase in reports.
The networks respond
Giffgaff told us: ‘When these cases occur, we recognise this is a stressful time for the member. We aim to resolve fraud cases within 24 hours, but this often depends on several factors, including the complexity of the case and the available information.
‘On this occasion, due to the specific facts of this case, additional time was required in resolving the case, and we're sorry for any inconvenience that this may have caused. To help prevent future activity like this from happening, we recommend that customers use unique passwords for each account and account recovery as additional layers of security.’
O2 told us: ‘When the fraudulent activity was reported to us, we took swift action to restore service to her Sim and resolved the case within six hours. This fraud was only able to occur because of a security breach on the email account, which served as a gateway for the scammer to try to access other accounts. To help protect themselves against fraud, it's essential that customers use strong, unique passwords for each important account.’
5 steps to prevent Sim-swap fraud
- Secure your mobile account: ask your network provider what additional security it offers. For example, you may be able to set up a unique Pin or password that must be given before any account change is approved in store or over the phone.
- Turn on 2FA: email, social media and other online accounts can be secured with multi- or two-factor authentication (check 2fa.directory/gb for a list). Avoid SMS-based checks if you can, although they're still better than no 2FA at all. We prefer passkeys (supported by Apple, Google, Microsoft and Samsung), as they're tied to a physical device rather than to your phone number, so a Sim swap on its own cannot capture them.
- Clean up your online profile: restrict who can see your social media profiles and avoid sharing details such as your date of birth and phone number, or the answers to common security questions such as the name of your first pet or school.
- Recognise the signs and act: call your network immediately if you receive an unexpected message about your Sim being ported or a PAC request, or if you unexpectedly lose service.
- Tell your banks: warn any financial organisations you use so they can freeze your accounts, and keep a close eye on your bank statements, email and social media accounts for unusual activity. Change your passwords and, where possible, disable SMS as an authentication method.