SIM Swap Investigations
A SIM swap (SIM hijack / port-out fraud) occurs when a threat actor convinces—or compromises—a mobile carrier workflow to move a phone number
to a SIM/eSIM under the attacker’s control. This page explains how it works, what to look for, what evidence matters, and practical limitations.
What a SIM Swap Really Is
Most SIM swap events are not “phone hacking” in the traditional sense. The phone number is the target because it is often used for
password resets, one-time passcodes (OTP), and account recovery.
- Attacker gains control of your phone number via SIM/eSIM change or number port-out.
- SMS/voice-based verification can be intercepted.
- Email, banking, social media, and cloud accounts may be reset using the number.
How SIM Swap Attacks Typically Happen
- Information is gathered for carrier identity checks (often from breaches, OSINT, or social engineering).
- A SIM change / eSIM activation / port-out request is initiated through carrier support or an online portal.
- The victim device loses service (“No Service” / SOS), while the attacker’s device starts receiving calls/texts.
- Account recovery flows are executed (email first, then downstream accounts).
- Persistence is established (new recovery email/phone, trusted device, new 2FA method, or app passwords).
Common Warning Signs
- Sudden loss of cellular service (especially when your bill is current).
- Carrier notifications for SIM/eSIM or “number transfer” changes you did not request.
- Unexpected password reset emails or security alerts.
- You stop receiving OTP codes (or receive them after you already lost access).
- Contacts receive strange messages “from your number.”
What to Do Immediately
- Contact your carrier and request a fraud review; ask for the exact time/date of any SIM/eSIM or port change.
- Secure primary email first (change password + enable app-based 2FA where possible).
- Review banking/financial accounts for resets, new payees, or profile changes.
- Document everything: screenshots, emails, ticket numbers, timestamps, and affected accounts.
Early documentation matters because some logs are retained for limited windows or require legal process to obtain.
Evidence That Often Matters Most
A defensible SIM swap analysis typically focuses on time-based correlation between carrier events and downstream account events.
Carrier Activity
- SIM/eSIM change timestamps
- Port-out request timestamps
- Account change notes / tickets
- Store/agent interactions (if recorded)
Email + Account Takeover Indicators
- Security alerts and reset emails
- New device sign-ins
- Recovery method changes
- Forwarding rules / mailbox rules
Timeline Correlation
- Loss of service time
- First suspicious reset event
- First unauthorized login
- Sequence of impacted accounts
In many incidents, attribution to a specific individual requires carrier records and/or third-party platform records that may only be
obtainable through legal process (subpoena/court order), depending on the record type and jurisdiction.
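As an added illustration of the time-based correlation described above (example code written for this page, not the firm's own tooling), the script below merges constructed carrier and account events into a single timeline and flags the account events that follow the first carrier number change within an assumed six-hour window. The ticket number, timestamps and event descriptions are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real case data). Carrier entries would come
# from the carrier fraud review / ticket notes; account entries from email and
# banking security alerts. Timestamps are assumed already normalised to UTC.
CARRIER_EVENTS = [
    ("2024-03-02T18:41:00", "carrier", "eSIM activated on a new device (ticket EXAMPLE-001)"),
    ("2024-03-02T18:43:00", "carrier", "subscriber reports 'No Service' on original handset"),
]
ACCOUNT_EVENTS = [
    ("2024-03-01T09:15:00", "email", "sign-in from known device"),
    ("2024-03-02T18:52:00", "email", "password reset completed via SMS code"),
    ("2024-03-02T18:55:00", "email", "recovery phone number changed"),
    ("2024-03-02T19:10:00", "bank",  "login from new device; new payee added"),
    ("2024-03-03T11:00:00", "email", "owner regains access and removes recovery phone"),
]

def build_timeline(carrier, account):
    """Merge both sources into one chronological, source-labelled timeline."""
    events = [(datetime.fromisoformat(ts), src, desc) for ts, src, desc in carrier + account]
    return sorted(events, key=lambda e: e[0])

def correlate(timeline, window=timedelta(hours=6)):
    """Anchor on the first carrier number-change event and flag account events
    that follow it within `window`; earlier or much later events are left out."""
    anchor = next((t for t, src, _ in timeline if src == "carrier"), None)
    if anchor is None:
        return None, []
    flagged = [e for e in timeline
               if e[1] != "carrier" and anchor <= e[0] <= anchor + window]
    return anchor, flagged

def minutes_to_first_reset(anchor, flagged):
    """Gap between loss of number control and the first downstream account event."""
    return int((flagged[0][0] - anchor).total_seconds() // 60) if flagged else None

def impacted_sequence(flagged):
    """Order in which accounts were first touched (the 'sequence of impacted accounts')."""
    order = []
    for _, src, _ in flagged:
        if src not in order:
            order.append(src)
    return order

if __name__ == "__main__":
    tl = build_timeline(CARRIER_EVENTS, ACCOUNT_EVENTS)
    anchor, flagged = correlate(tl)
    for t, src, desc in flagged: print(f"{t:%Y-%m-%d %H:%M} [{src}] {desc}")
    print("first downstream event:", minutes_to_first_reset(anchor, flagged), "min after carrier change")
    print("impacted accounts in order:", impacted_sequence(flagged))
```

Events outside the window (the routine sign-in the day before and the owner's later recovery) are deliberately left unflagged so the timeline separates baseline activity from the takeover sequence.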
Investigation Limitations (Important)
- Carrier record access: certain records may be restricted, time-limited, or require legal process.
- Attribution: linking activity to a specific person (not just a number or device) often requires additional records.
- SMS-based 2FA: SIM swaps can defeat SMS verification without any malware on the phone.
- Device compromise vs. account compromise: many SIM swap cases are primarily account takeovers.
How a Forensic Review Can Help
- Organize events into a fact-based timeline (carrier events + account security events).
- Identify patterns consistent with number takeover and downstream account compromise.
- Document evidence in a user-friendly format suitable for sharing with counsel or relevant stakeholders.
- Highlight investigative gaps and what records may be needed next (carrier/platform logs).
Chain of Custody + Reporting (Trust Signals)
- Documented evidence handling steps and intake notes where applicable.
- Shareable chain of custody forms and evidence inventories when required.
- User-friendly reports that include: timeline, user activity indicators, and clearly stated findings and opinions.
- Plain-English explanations of what the records do—and do not—prove.
Questions to Ask Any SIM Swap / Mobile Forensics Expert
- What mobile forensic training and certifications do you hold?
- What tools and extraction methods are used for this case type?
- How do you preserve evidence integrity and document chain of custody?
- Can you provide a sample (redacted) report format?
- What limitations apply if carrier/platform records are not available?
- What records typically require subpoena/court order to obtain?
- Have you supported matters involving litigation or attorney review?
- How do you distinguish device compromise vs. account takeover?
Note: This page is informational and does not guarantee outcomes. Findings depend on available records, device access, and retention windows.