
Your Number, Their Weapon: How SIM-Swap Fraud Is Devastating UK Victims

It starts with a phone that suddenly goes silent. No calls. No texts. No data. You assume it's a network glitch and carry on with your day. By the time you realise something is seriously wrong, a criminal on the other side of the country — or the other side of the world — has already called your bank, passed their security checks using your number, and emptied your current account.

This is SIM-swap fraud, and it's happening to thousands of people across the UK every year. The numbers are difficult to pin down precisely because many cases get absorbed into broader fraud statistics, but Action Fraud reports consistently show that mobile number hijacking is among the fastest-growing vectors for financial crime in Britain. The losses are staggering — individual victims have reported losing anywhere from a few thousand pounds to well over £50,000 in a single attack.

How the Scam Actually Works

Understanding the mechanics is the first step to protecting yourself, so let's walk through it plainly.

Your mobile phone number is, in the eyes of most banks and online services, a form of identity verification. When you log into your banking app from a new device, or request a password reset, many services send a one-time code to your registered phone number. This is two-factor authentication (2FA), and it's supposed to be a safety net. SIM-swap fraud turns that safety net into a trap door.

Here's the process a fraudster follows. First, they gather your personal information — your name, address, date of birth, possibly your bank account details. This data is often harvested from previous breaches, phishing emails, or simply scraped from social media. Then they contact your mobile network, either by calling customer services or visiting a store, and claim to be you. They say they've lost their phone, or that they've bought a new handset, and request that your number be transferred to a new SIM card they control.

If the network's identity verification process is weak — and as we'll explore, it often is — the request gets approved. Your phone loses signal. Their phone, with your number, starts receiving your calls and texts. They then trigger password resets on your email, your banking apps, and any other accounts tied to that number. The authentication codes land on their device. Within minutes, your digital life belongs to someone else.

The Networks' Dirty Secret

You might assume that transferring a phone number to a new SIM requires robust verification. You'd be wrong.

Undercover investigations by consumer groups and journalists over the past few years have repeatedly demonstrated that UK network customer service staff can be manipulated into approving SIM swaps using only basic personal information: the kind of data that's trivially available to anyone who's spent ten minutes looking at your social media profiles or purchased a cheap data dump from the dark web.

The verification questions typically asked — date of birth, address, perhaps the last four digits of a payment card — provide a false sense of security. A determined fraudster who has done their homework can answer all of them correctly. Some investigations found that persistent callers who failed initial checks could simply call back, reach a different agent, and succeed on a second or third attempt.

In-store verification is theoretically more secure because it requires physical ID. But criminals have used fake driving licences and forged documents to pass these checks too, particularly at independent franchise stores where staff training may be less rigorous than at company-owned outlets.

The networks are aware of the problem. EE, O2, Vodafone, and Three have all introduced additional security measures in recent years, including extra verification steps and delays on SIM swap requests that can give customers time to notice and intervene. But implementation has been inconsistent, and fraudsters adapt quickly.

Real Victims, Real Losses

Behind the statistics are real people whose lives have been turned upside down.

Take the experience of a Manchester-based teacher — we'll call her Sarah — who lost £18,000 in a single afternoon last year. She noticed her phone had lost signal around midday and assumed it was a temporary outage. By 4pm, when she still had no service and tried to log into her banking app, she found her password had been changed. Her savings account had been emptied in a series of rapid transfers. The fraudsters had also accessed her email, changed her recovery details, and ordered three new credit cards in her name.

Sarah's bank eventually reimbursed her under the Contingent Reimbursement Model (CRM) code, but the process took four months, during which she had to manage on a single income with frozen accounts. The emotional toll, she says, was worse than the financial hit. 'I felt violated. Someone had been inside every part of my life.'

Her case isn't unusual. The Financial Ombudsman Service has seen a steady increase in complaints related to SIM-swap-facilitated fraud, and while the Payment Systems Regulator's mandatory reimbursement rules, which came into force in October 2024, have improved victims' chances of getting money back from banks, the process remains stressful and far from guaranteed.

How to Protect Yourself: A Practical Checklist

The good news is that there are concrete steps you can take to make yourself a much harder target.

Add a SIM lock or port freeze to your account. Contact your network directly and ask them to add a verbal password or PIN to your account that must be provided before any SIM swap or number port can be processed. All four major UK networks offer this in some form — it's sometimes called an 'account PIN' or 'security password.' It's not foolproof, but it adds a meaningful extra hurdle.

Switch to an authenticator app for 2FA. Apps like Google Authenticator, Microsoft Authenticator, or Authy generate time-based codes on your device that don't rely on your phone number at all. Wherever a service offers app-based 2FA as an option, choose it over SMS codes. Your banking app, email provider, and social media accounts should all be configured this way if possible.

Use a separate email address for financial accounts. If your main email is compromised alongside your phone number, the damage multiplies rapidly. A dedicated email address — one you don't use for anything else and don't publicise — for banking and financial services limits the blast radius of any attack.

Be cautious about what you share publicly. Fraudsters build profiles from social media. Your date of birth, your address, your mother's maiden name — these are the building blocks of identity theft. Review your privacy settings and think carefully about what personal information is visible to strangers.

Act immediately if your phone loses signal unexpectedly. Don't wait to see if it comes back. Call your network from a landline or another device straight away and ask whether a SIM swap has been requested on your account. Simultaneously, log into your banking apps and email — if you still can — and change your passwords. Speed is everything.

What Happens If You're Already a Victim

If the worst has already happened, here's the order of play.

Call your mobile network immediately to reverse the SIM swap and restore your number. Then contact your bank's fraud team — most have 24-hour lines — and report the compromise. Under the PSR's mandatory reimbursement rules introduced in late 2024, banks are now required to reimburse victims of authorised push payment fraud in most circumstances, though there are caps and exclusions. File a report with Action Fraud (actionfraud.police.uk) and request a crime reference number, which you'll need for insurance and reimbursement claims.

Also notify CIFAS, the UK's fraud prevention service, and ask them to add a protective registration to your credit file. This flags to lenders that you've been a fraud victim and requires them to take extra steps before approving any credit in your name.

The Bigger Picture

SIM-swap fraud is a systemic problem, not a personal failing. The vulnerability exists because the mobile networks that hold the keys to our digital identities haven't been held to a high enough standard on identity verification. Until Ofcom mandates specific, robust verification requirements for SIM swap and number porting requests — rather than leaving it to individual operators to set their own standards — the fraud will continue.

In the meantime, the burden falls on consumers to protect themselves. It's not fair, but it is the reality. Know the risks, take the precautions, and don't wait until your phone goes silent to start paying attention.
