ACG-CYBER SECURITY BULLETIN NR 391: How SIM Swapping Lets Threat Actors Hijack a Phone Number

Posted on May 15, 2025

Reference Number ACG-CSB 050625391

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

A mobile phone number is often used to receive important security codes when logging into apps, online accounts, or bank services. Many people don’t realize that this number can be stolen, without losing the phone itself. This type of attack is called SIM swapping, and it allows cybercriminals to take control of someone’s mobile number by tricking a telecom company into moving it to a different SIM card. Once they have control, attackers can break into email accounts, steal money from digital wallets, and lock the real owner out of their own services.

The process typically begins when an attacker collects personal information about a target. This information may include the target’s full name, date of birth, mobile number, and even copies of identification documents. Cybercriminals often obtain this data through phishing scams, fake websites, public social media profiles, or previous data breaches. Using these details, the attacker contacts the victim’s mobile provider and pretends to be the legitimate owner of the number. They then request that the number be transferred to a new SIM card, claiming the original was lost or damaged. If the telecom representative does not perform proper verification checks, the number can be transferred to the attacker’s SIM card.

One common scenario involves a target suddenly noticing that their mobile device has lost all signal. In many cases, this is assumed to be a network outage. However, in a SIM swap attack, the signal loss occurs because the telco has deactivated the target’s SIM and activated a new one controlled by the attacker. From that point on, the attacker receives all incoming calls and SMS messages, including critical one-time passwords (OTPs) used for two-factor authentication on various platforms. With these OTPs, attackers can reset passwords, access banking apps, and transfer funds—often before the victim realizes what has happened.

In more sophisticated incidents, cybercriminals have used SIM hijacking to gain access to cryptocurrency wallets, business communication apps, and cloud storage services. Once access is obtained, attackers may change security settings and lock the real owner out of their own accounts. Because many digital services rely on SMS verification, the potential impact of such attacks is significant, resulting in financial loss, privacy violations, and long-term security issues.

Preventing SIM swap attacks requires proactive steps from mobile users and service providers alike. Relying solely on SMS for identity verification is no longer considered safe. Instead, adopting alternative two-factor authentication methods—such as mobile authenticator apps or physical security keys—can provide a higher level of protection. Additionally, telecom companies should strengthen their identity verification processes and provide SIM lock features to prevent unauthorized number transfers.

RECOMMENDATION

The public is advised to follow these tips to avoid being a victim of SIM swapping attacks:

Ensure the SIM card is registered according to national regulations to add an official identity layer to mobile services;
Exercise caution when clicking links received through email, text messages, or unfamiliar websites, as these may lead to phishing sites that steal personal information;
Refrain from posting or sharing sensitive personal details that could be used for identity verification, especially on unsecured or public internet forums;
Immediately report any signs of suspicious activity, such as lost service or unrecognized account activity, to the mobile carrier to mitigate further damage;
Be cautious with telecom-related messages that urge immediate action, such as “verify your account now” or “your number will be deactivated.” These are often smishing attempts; and
Consider using a separate mobile number for banking and sensitive transactions that is not widely known or shared publicly.

For additional information, please refer to the following websites:

https://www.globe.com.ph/help/sim-swap-scam#gref
https://www.verizon.com/about/account-security/sim-swapping
https://www.metrobank.com.ph/articles/fight-fraud/sim-swap-scam

POINT OF CONTACT

Please contact PLTCOL JERRY V EMPIZO, Acting Chief, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.