SIM Swap Fraud

How Does SIM Swap Fraud Work?

SIM swap fraud represents a sophisticated threat to digital security. This attack occurs when cybercriminals persuade a user’s mobile carrier to transfer the user’s phone number to a device they control, either through a new physical SIM card or an eSIM, mainly to bypass two-factor authentication.

These transfers can occur through various channels, including phone calls where scammers impersonate an employee or through online support chats.

The consequences are immediate and severe. Once your number is transferred, all communications intended for you, including calls, text messages, and, critically, one-time security codes (2FA), are diverted to the fraudster's device. This gives them potential access to your email accounts, sensitive business information and business portals that rely on phone verification.

The recent M&S breach highlights the escalating threat posed by this type of attack. Cybercriminals apparently exploited SIM swap techniques to infiltrate the company's systems, bypassing security protocols and gaining unauthorised access to sensitive internal processes.

This high-profile incident reveals a critical vulnerability: numerous organisations continue to use phone numbers as a verification method for employee authentication, inadvertently exposing themselves to the same tactics that have proven effective against individual consumers.

This increasingly common attack methodology demands immediate attention and proactive security measures from businesses of all sizes.

What is Croft Doing About SIM Swap Fraud?

We have strengthened identity verification practices to mitigate the risk of SIM swap fraud.

If your business mobile services are managed by Croft we have added an extra step to the verification process when requesting a SIM swap.  You can opt in to setting up a password for your account, which you will need to provide when requesting a SIM swap on your business account. The password will change monthly to add an extra layer of security.

To opt in, please fill out the form on this page to protect your account against this threat.

Other Ways to Reduce the Risk of SIM Swap Fraud

There are additional steps your organisation and employees can take to reduce the risks of SIM swap fraud, these include:

Be selective about sharing personal information online. Limit where you share your business phone number, invoice information, and other personal identifiers that could help criminals impersonate an employee to service providers.

Security Awareness Training. Understanding how phishing attempts work enables you and your team to identify suspicious communications and avoid submitting sensitive information to fraudulent websites. Deploy security awareness training in your organisation to educate your employees about phishing attacks.

Upgrade your authentication methods. Whenever possible, move beyond SMS-based verification to more secure options like Google Authenticator, Microsoft Authenticator, Duo, or Authy—none of which rely on your mobile number. Croft can assist your organisation in setting these up.

Protecting your business requires partnership between you and your service providers. At Croft MSP, we're committed to helping you implement comprehensive security strategies that address evolving threats.