SIM swap detection: catch number theft before the bank loses money

An attacker gets a SIM re-issued in the customer's name, intercepts SMS OTPs, and drains the account. Detection is a combination of network signals and customer behaviour.

Scenario

The attacker gathers the victim’s data (passport, number, date of birth), walks into a dealer point, and declares the SIM lost. They get a new SIM on the same number. Thirty minutes later SMS OTPs from the bank arrive on the attacker’s SIM. The victim is left without service and without money in the account.

This is a growing fraud vector everywhere banks and wallets use SMS OTP as the sole 2FA. The operator is the source of risk and the point of defence at the same time.

Detection signals

Network signals:

  • IMEI change on the new SIM (attacker uses a different phone).
  • Immediately after swap — calls to bank IVR numbers.
  • Geolocation diverges from the customer’s usual area.

Customer behaviour signals:

  • In the 24 hours before the swap — a spike in failed login attempts in the customer’s banking apps (attacker trying passwords).
  • A recent phishing incident in the customer’s area (per threat intel).

Operational signals:

  • Dealer with a history of suspicious swaps.
  • Customer documents — copies from public leaks (if the operator has access to threat intelligence).

Action

Do not block the swap automatically — high risk of false positives.

Step-up authentication: when signals are suspicious, require additional verification (video call with an agent, biometric, visit to a branded store).

Customer notification about the swap request through an alternative channel (email, or a push in the banking app via a bank partnership).

Quarantine period — 24 hours after the swap, bank partners receive a warning “do not trust SMS OTPs from this MSISDN”.
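
The signals and actions above as a scoring rule, in an added example that is not from the original page or from SamaraliSoft. It assumes a split of the signals into those known at request time (which can drive step-up) and those only visible after the swap (which feed the partner warning); the weights, threshold, function names, and the choice to notify and quarantine on every swap are assumptions.

```python
from datetime import datetime, timedelta

# Signal names follow the page's lists. Weights and threshold are assumed
# values that would be tuned on historical swap cases.
PRE_SWAP = {"failed_login_spike_24h": 3, "phishing_in_area": 1,
            "dealer_suspicious_history": 3, "documents_in_leak": 3}
# A legitimate lost-phone swap also changes IMEI, so that signal alone
# stays below the threshold to limit false positives.
POST_SWAP = {"imei_changed": 2, "bank_ivr_call": 3, "geo_outside_usual_area": 2}
THRESHOLD = 4
QUARANTINE = timedelta(hours=24)


def score(signals, weights):
    """Sum the weights of the observed signals; reject unknown names."""
    unknown = set(signals) - set(weights)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    return sum(weights[s] for s in set(signals))


def at_request(signals):
    """Decide at the dealer point. There is no 'block' outcome, only step-up."""
    actions = ["notify_customer_alt_channel"]
    if score(signals, PRE_SWAP) >= THRESHOLD:
        actions.append("step_up_verification")
    return actions


def after_swap(swapped_at, now, pre_signals, post_signals):
    """Partner-facing state for the MSISDN once the swap has completed."""
    total = score(pre_signals, PRE_SWAP) + score(post_signals, POST_SWAP)
    return {"otp_quarantine": now - swapped_at < QUARANTINE,
            "suspicious": total >= THRESHOLD,
            "score": total}


# Constructed sample events, not real data.
T0 = datetime(2024, 5, 1, 10, 0)
LOST_PHONE = at_request(["phishing_in_area"])
TAKEOVER = at_request(["failed_login_spike_24h", "dealer_suspicious_history"])
STATE_30MIN = after_swap(T0, T0 + timedelta(minutes=30),
                         [], ["imei_changed", "bank_ivr_call"])
STATE_NEXT_DAY = after_swap(T0, T0 + timedelta(hours=25), [], ["imei_changed"])
```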

What is measured

SIM swap incidents per month — total volume.

Detection rate — what share of swap attempts is classified as suspicious.

False positive rate — how many legitimate swaps fell under suspicion (UX deterioration).

Fraud loss prevented — estimate of monetary damage that would have occurred without detection.

Time from swap to detection — minutes/hours.

What not to do

Do not block swaps for legitimate customers — they lose service, trust, and move to a competitor.

Do not pass a “suspicious list” to partners without a legal framework.

Do not make step-up too heavy — customers in an emergency (phone lost) will not get through.

Do not ignore the dealer channel — a large share of swap fraud runs through dealer collusion.

How SamaraliSoft engages

Sprint SIM Swap Use Case — 6-8 weeks. Analysis of historical swap cases, detection rule design, integration with bank partners, pilot with measurement of fraud prevented.
