[PERDITION//SEC]
// telecom   2026-02-18  ·  8 min

Anatomy of a SIM-swap: how fraud crews actually do it

After running adversary emulations against carriers, the SIM-swap kill chain is depressingly consistent. It almost never starts with the technical attack everyone braces for. Here's what actually happens, and the controls that stop it.

Every couple of months, a high-profile SIM-swap story makes the front page — usually because somebody lost a meaningful amount of crypto or had a public account hijacked. The reaction from the security press is the same every time: "telecom infrastructure is broken," "SS7 is insecure," "the carriers won't fix it." Some of that is true. None of it is what's actually happening in the attack chain.

After running adversary-emulation engagements against more than one Tier-1 carrier, the kill chain is depressingly consistent. It almost never starts with SS7. It starts with a phishing email — usually targeted at a regional customer-care office, often timed to hit during a shift change, frequently impersonating an internal IT or HR system. The phishing is rarely sophisticated. The targets are not security-conscious. The clickthrough rate is uncomfortably high.

From that foothold, the attacker pivots into the office VPN with the captured credentials, frequently surviving MFA because of an over-permissive "trusted device" policy or because the carrier hasn't enforced phishing-resistant MFA on customer-care endpoints. From there, they go shopping in the CRM. The CRM is where the actual SIM-swap happens: not at the radio layer, not in SS7, but in a customer-care application that lets any logged-in agent associate a new SIM (a new ICCID) with an existing subscriber number. Nothing about the provisioning request is malformed; it is the same workflow an agent uses when a customer walks in with a broken phone, which is why controls at the network layer never see it.

The controls that actually stop this are unglamorous. Phishing-resistant MFA on every customer-care login. Step-up authentication on porting and SIM-swap actions specifically: not on login, on the action that matters. Behavioral signals in the SIEM that flag an agent who suddenly performs ten swaps after months of doing none, measured against that agent's own baseline rather than a fleet-wide average. Just-in-time access elevation rather than standing privileges on porting. And a meaningful out-of-band confirmation to the subscriber before the swap takes effect, sent over a channel the attacker does not control (the existing SIM, the carrier app, a callback to the number on file), never an SMS to the new SIM, which by definition is already in the attacker's hands.
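The behavioral signal above is easy to describe and easy to get wrong: a fleet-wide threshold either misses the dormant agent who does ten swaps or drowns you in alerts from the bulk-provisioning desk. The following is an added example, not code from the article or from any carrier's SIEM. It assumes the CRM emits one audit line per provisioning action in a constructed format (`<timestamp> <agent> <action> <msisdn>`); the field layout, the action names `sim_swap` and `port_out`, and the thresholds are all assumptions to be mapped onto your own schema. The sample log is generated inline and is not real data.

```python
"""Per-agent baseline detection for anomalous SIM-swap activity.

Added example (not the article's code). Assumes a constructed audit
line format: <ISO-8601 UTC timestamp> <agent> <action> <msisdn>.
Field layout, action names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that re-point a subscriber number to new hardware (assumed names).
SWAP_ACTIONS = {"sim_swap", "port_out"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2026, 2, 18, 12, 0, 0)  # naive UTC, fixed for the demo


def parse_events(lines):
    """Turn raw audit lines into dicts with parsed naive-UTC timestamps."""
    events = []
    for line in lines:
        ts, agent, action, msisdn = line.split()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "agent": agent,
                       "action": action, "msisdn": msisdn})
    return events


def flag_agents(events, now, window=timedelta(hours=24), baseline_days=90,
                min_swaps=5, ratio=4.0):
    """Flag agents whose swaps in the trailing window exceed both an absolute
    floor and `ratio` times their own historical rate.

    The floor keeps a new agent with two swaps and no history quiet; the
    per-agent ratio keeps a legitimately busy provisioning desk quiet.
    """
    per_agent = defaultdict(list)
    for e in events:
        if e["action"] in SWAP_ACTIONS:
            per_agent[e["agent"]].append(e["ts"])

    window_days = window / timedelta(days=1)
    baseline_span = baseline_days - window_days  # days the baseline covers
    alerts = {}
    for agent, stamps in per_agent.items():
        recent = [t for t in stamps if now - window < t <= now]
        prior = [t for t in stamps
                 if now - timedelta(days=baseline_days) < t <= now - window]
        rate_per_day = len(prior) / baseline_span
        # Expected swaps in this window; floored at 1 so that months of zero
        # activity still yield a finite threshold instead of dividing by zero.
        expected = max(rate_per_day * window_days, 1.0)
        if len(recent) >= min_swaps and len(recent) >= ratio * expected:
            alerts[agent] = {"recent": len(recent),
                             "baseline_per_day": round(rate_per_day, 3)}
    return alerts


def constructed_log(now):
    """Constructed sample audit lines (not real data)."""
    lines = []

    def add(t, agent, action, msisdn):
        lines.append(f"{t.strftime(TS_FMT)} {agent} {action} {msisdn}")

    # a.ramos: one swap every three days for months, two today -> normal
    for d in range(3, 90, 3):
        add(now - timedelta(days=d, hours=2), "a.ramos", "sim_swap", f"1555100{d:04d}")
    for h in (2, 7):
        add(now - timedelta(hours=h), "a.ramos", "sim_swap", f"155510100{h}")
    # m.chen: bulk-provisioning desk, eight swaps a day, nine today -> normal
    for d in range(1, 90):
        for i in range(8):
            add(now - timedelta(days=d, hours=2, minutes=5 * i),
                "m.chen", "sim_swap", f"1555200{d:03d}{i}")
    for i in range(9):
        add(now - timedelta(hours=4, minutes=10 * i), "m.chen", "sim_swap", f"155520999{i}")
    # j.doe: no swaps in 90 days, then ten in ninety minutes -> alert
    for i in range(10):
        add(now - timedelta(hours=3) + timedelta(minutes=9 * i),
            "j.doe", "sim_swap", f"155530000{i}")
    # k.lee: new agent, two swaps, no history -> below the absolute floor
    for i in range(2):
        add(now - timedelta(hours=1, minutes=20 * i), "k.lee", "sim_swap", f"155540000{i}")
    # An unrelated action that the detection must ignore.
    add(now - timedelta(minutes=30), "j.doe", "address_update", "1555300000")
    return lines


def run_demo():
    """Run the detection over the constructed log; returns the alert dict."""
    return flag_agents(parse_events(constructed_log(NOW)), NOW)


if __name__ == "__main__":
    print(run_demo())  # only j.doe should appear
```

Only `j.doe` fires: the absolute floor keeps `k.lee` quiet, and the per-agent ratio keeps `m.chen` quiet even though nine swaps in a day would trip any fleet-wide threshold tuned for `a.ramos`. In production the same rule should also key on the subscriber side (one MSISDN swapped twice in a week, a swap shortly followed by a password reset at a bank), but the per-agent baseline is the piece that catches the phished care account.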

Carriers know this. The reason it doesn't get fixed faster isn't ignorance — it's that customer-care UX changes touch revenue, churn, and partnership contracts. Security teams that want to move the needle on SIM-swap fraud need to bring product and customer-care leadership into the room from day one, not show up at the end with a list of mandated changes and wonder why nothing ships.