
SIM swapping: the SIM duplicate fraud and how to protect yourself

SIM swapping clones your number onto another card to steal your bank's text messages. We explain how they do it, the warning signs and how to shield yourself.

By Equipo NoCall, NoCall Editorial | 31 May 2026 | 10 min read

SIM swapping is a type of fraud in which a criminal obtains a duplicate of your SIM card and "moves" your phone number to their own mobile. From that moment on, they receive your calls and, most seriously, the text messages containing your bank's verification codes. Here we explain how they do it, the warning signs that give it away, and how to shield yourself.

Unlike the scams you already know about, here they don't trick you with a phone call. The blow is struck against your operator. That is why it is so dangerous: you can do everything right, never answer a single suspicious number, and still lose control of your line. The good news is that there are concrete defences, and many of them are free.

What exactly is SIM swapping?

Your phone number does not live inside the plastic SIM card. It lives in your operator's systems, which associate that number with a specific SIM. When you request a duplicate because you have lost your phone or your card has broken, the operator "disconnects" the old SIM and activates the new one with your same number. It is a legitimate and necessary service.

SIM swapping (also called a fraudulent SIM duplicate or SIM swap) is when a criminal requests that duplicate by pretending to be you. If they succeed, your real SIM loses service within minutes and your number starts working in the attacker's phone.

From then on, everything that depends on your number passes into their hands:

  • The text messages with verification codes (the well-known 2FA or OTP) for your bank, your email or your social media accounts.
  • The confirmation calls that some institutions make before an operation.
  • The password recovery text messages from dozens of services.

With the code that arrives by text message, the attacker can log in to your online banking, authorise transfers or empty your account. And all of this without your password having been leaked: all they need is to intercept that second factor you thought was safe.

How do they manage to impersonate you to the operator?

The SIM duplicate is not the first step of the fraud, but the last. Beforehand, the criminal needs to gather enough of your data to convince the operator (or an employee) that they are the holder of the line. That earlier phase is pure social engineering.

They obtain the data by combining several sources:

  • Data breaches: security breaches at companies that leave names, ID numbers, phone numbers and addresses exposed.
  • Phishing and smishing: emails and text messages asking you to "verify" your details. If it sounds familiar, it is because it is the same mechanism we explain in our guide on smishing and SMS scams.
  • Vishing: calls in which they pose as your bank or your operator to coax your ID number, your date of birth or your account number out of you.
  • Social media: public information that you yourself have shared without giving it a second thought.

With that dossier assembled, they contact your operator by phone, online or even in person at a shop, and request the duplicate. That is why it helps to understand that SIM swapping is almost always preceded by another attempted scam. If you have recently received a call or a text message asking for personal details, treat it as a warning sign. Learn how to read the risk signals of a number before giving out any data.

Why did SMS stop being a secure second factor?

For years, receiving a code by text message to confirm an operation was considered enough. The logic was simple: only you have your phone, so only you receive the code. SIM swapping breaks that premise at the root. If the attacker controls your number, the code reaches them.

This connects with other frauds that exploit the same weak link. We have seen it in flash calls and ping calls to steal OTPs: one-time codes are extremely valuable to criminals, and SMS is the easiest channel to intercept.

The conclusion is not "SMS is useless", but that SMS is the weakest factor of those available. If you can choose another verification method, do so. Below we explain which ones.

What are the signs that you are being SIM swapped?

The great defensive advantage you have is that SIM swapping leaves a very visible trail: your phone stops working. The problem is that many people mistake it for a technical glitch and take hours to react. Every minute counts.

These are the signs you must not ignore:

| Sign | What it means |
| --- | --- |
| Sudden loss of coverage for no reason | Your SIM has been deactivated; the number may already be in another phone |
| The phone shows "No service" or "Emergency calls only" | The line is no longer associated with your card |
| You suddenly stop receiving calls and text messages | The traffic for your number has been diverted |
| You receive a text or email warning of a "SIM change" you did not request | The operator has processed a duplicate in your name |
| Bank alerts about unknown accesses or access attempts | Someone is using your number to log in to your accounts |
| You cannot access your email or social media | They have started the recovery process with your number |

The number-one sign is the unexplained loss of coverage. If you are in an area where you always have signal and it suddenly disappears, and restarting your phone does not fix it, do not put it off. Grab another phone and call your operator to confirm that your SIM is still active and that nobody has requested a duplicate.

What do I do in the first few minutes if I suspect something?

Speed is everything. If you think you are suffering a SIM swap right now:

  1. Call your operator from another phone and ask them to block any duplicate and reactivate your SIM. Explain that you suspect fraud.
  2. Contact your bank through its official channel (the app or the number on the back of your card) and ask them to freeze your access and online operations.
  3. Change the passwords for your main email and your banking from a trusted device, not from the affected phone.
  4. Review your accounts for transfers or changes you did not make.
  5. Report it. Call INCIBE on 017 (free) for guidance and file a report with the Police or the Guardia Civil.

If you have already given out data or suffered charges, follow the complete action plan we detail in what to do if you have already given out your data in a scam.

How do I protect myself before it happens? The operator PIN and other barriers

Preventing SIM swapping has two fronts: making it harder for the attacker to gather your data, and making it harder for the operator to hand a duplicate to someone who isn't you. The star measure is the operator PIN or password.

The operator PIN: your best shield

Most operators in Spain let you set up a security key or PIN linked to your account. It is a code you will be asked for in any sensitive transaction, such as a SIM duplicate. Without that key, even with your personal data they cannot authorise the change.

It does not activate on its own. You have to request it explicitly:

  • Call your operator or log in to your customer area.
  • Request the activation of a security key or PIN for SIM transactions.
  • Choose a code that is not guessable (no dates of birth or ID numbers).
  • Store it somewhere you don't store everything else.

It is free and it is the most effective barrier that exists against the fraudulent duplicate. If you don't know whether your operator offers it or exactly what it is called in your case, check our operators section or ask customer service directly.

Swap SMS for stronger verification methods

Even if they SIM swap you, if your critical accounts do not depend on SMS, the attacker is left without the key piece. Compare the options:

| 2FA method | Resistance to SIM swap | Convenience |
| --- | --- | --- |
| Code by SMS | Low: it is intercepted with the duplicate | High |
| Authenticator app (TOTP) | High: the code lives on your device, not on the number | Medium |
| Physical security key (FIDO/passkey) | Very high: requires the physical device | Medium |
| Bank push notification | High: tied to the device, not to SMS | High |

The practical recommendation: migrate the second factor for your bank, your email and your social media to an authenticator app or to security keys/passkeys whenever the service allows it. Reserve SMS only for services where there is no alternative.

Reduce the data footprint that can be stolen from you

The SIM swap starts with your data. The less of it circulates, the harder you make it for them:

  • Never give out personal data by phone or text to whoever calls or writes to you unless you initiated the contact. The golden rule is the same as always: hang up and verify through the official channel.
  • Be wary of urgency. The pressure to act "right now" is the hallmark of fraud.
  • Check what you post on social media. Your date of birth, your hometown or your pet's name can be answers to security questions.
  • Watch out for breaches. If you are notified of a breach at a service you use, change that password and enable robust 2FA.

Enable alerts and strengthen your email

Your email account is the master key: from there almost all your other passwords can be recovered. Protect it with the best possible verification and 2FA that does not depend on SMS. Also enable your bank's notifications for any access or transaction: they are your early warning system, because they alert you to suspicious activity even if the attacker already controls your number (push notifications go to the device, not the line).

How does SIM swapping differ from other phone scams?

It is easy to confuse them, so let's make it clear. In vishing and caller ID spoofing, the criminal deceives you directly, pretending to be your bank so that you hand over your data or authorise something. In SIM swapping, the deception is aimed at the operator, and you don't even take part in the conversation.

Another key difference: in most phone frauds the defence is not answering and not giving out data. In SIM swapping that is not enough, because the attack happens behind your back. Here the defence is structural: the operator PIN, SMS-free 2FA and keeping an eye on your coverage.

That said, they share a common initial link: gathering data through phishing, smishing or vishing. That is why shielding yourself against those first attempts also protects you from the SIM swap. If you tend to receive many suspicious calls, review how to identify and block the most reported numbers and check the spam trends in Spain to find out which patterns are circulating.

In short: your anti-SIM swap plan

If you take away four ideas, let them be these:

  1. Activate the operator PIN today. It is free and it is the most effective barrier.
  2. Take SMS out of your 2FA for your bank, email and social media. Use authenticator apps or passkeys.
  3. Treat a sudden loss of coverage as an emergency, not as a technical glitch.
  4. Protect your email above all else and enable bank alerts.

SIM swapping is frightening because it attacks a service you thought was inviolable: your own number. But it is one of the frauds that is best prevented if you take the right measures in time. You don't need to be a security expert; you need a call to your operator and half an hour changing settings.

And remember that the community is your best radar. Many SIM swaps begin with a call or a text message harvesting data. If you receive a suspicious one, look it up and report it in the NoCall spam number directory: you help someone else recognise the threat before taking the bait. To keep learning, drop by our guides and the rest of the blog.
