A SIM-swap is the cleanest attack in the modern fraud playbook. No malware, no phishing email, no zero-day. The attacker takes your phone number, and with it your text messages, and with those your bank, your email, your exchange account. By the time your handset shows No Service, the work is already done.
The interesting question is not how it ends. It is how it begins. And the answer, in almost every case we have read, is the same: with a single people-search report that cost less than a pint.
Step one: the £5 dossier
The attacker opens Spokeo, BeenVerified, or one of the dozen near-identical American aggregators that resell UK data through loose affiliate trees. A single-person report is between five and ten pounds. There is no identity check on the buyer. Many of these sites accept prepaid cards.
The report that arrives is unnervingly complete. Current mobile number. Full date of birth. Current address with move-in date. Previous three addresses, going back roughly fifteen years. Listed household members, often including parents and adult children by name. A scattering of employers, education history, and the occasional vehicle.
Read that list again with a carrier's call-centre script in mind. What is your date of birth. What was your previous address. Can you confirm a family member named on the account. The data broker has just sold the answers.
The broker has not leaked your password. The broker has sold the security questions.
Step two: the carrier call
The attacker rings EE, O2, Vodafone, Three, T-Mobile, AT&T, or Verizon, depending on the victim. The story is always a variation of the same: lost handset, broken phone, abroad with a damaged SIM, urgent need to transfer the number to a new card that has just arrived.
The agent runs the standard verification. Name, date of birth, address on the account, sometimes a security word. Sometimes the last four digits of the bank card used for the most recent bill. That one the dossier does not supply, and it cannot be guessed from the issuer either (the issuer fixes the first digits of a card number, not the last four), so the attacker talks past it, asking for an alternative question, and a script that allows alternatives lets them. The agent has handled three hundred calls today. The attacker has rehearsed this one for an hour.
In the documented UK cases the verification typically passes within minutes. The swap is then initiated. (A SIM swap proper issues a new SIM for the number on the same network; a port-out moves the number to another network using a PAC code. Carriers treat the two as separate processes, which matters when you add protections later.) The victim's handset drops the network within ten to forty minutes, depending on how the carrier batches provisioning.
Step three: the silent inbox
Now the attacker controls the number, and SMS-based two-factor codes start arriving on their device instead of the victim's. From here the sequence is mechanical.
- Email first. Trigger a password reset on Gmail or Outlook, receive the SMS code, set a new password, lock the victim out.
- Bank second. Trigger a reset on the banking app or web portal, receive the SMS, transfer to a money-mule account or convert to crypto.
- Exchange third. If the victim holds crypto on Coinbase, Kraken, or Binance, the same SMS-based recovery flow empties the account.
A well-prepared attacker completes all three before the victim has finished restarting their phone in the hope that it is a network glitch. Action Fraud filings for 2024 put typical per-victim losses in reported UK SIM-swap cases between £28,000 and £42,000. The 2022 incident involving a high-profile UK financial commentator, frequently cited in industry briefings, reportedly involved a six-figure attempt that was only partly blocked because the victim happened to be on a call with his bank when the swap completed.
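To make the "email first, bank second, exchange third" chain concrete, here is an added model of which accounts fall once an attacker holds the victim's SMS channel plus the dossier. It is not code from the original article: the account inventory, the channel names ("sms", "dossier", "email", "totp", "hardware_key") and the recovery rules are constructed assumptions, not any provider's real flow. It goes one step beyond the text by also showing that moving login 2FA to an app changes nothing while the phone number stays on the recovery path, and that an inbox reachable by SMS is a pivot into accounts that never used SMS at all.

```python
"""Model of the takeover chain in steps two and three.

Added illustration, not code from the original article. The inventory,
channel names and recovery rules below are constructed assumptions and
do not describe any real provider's flow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    # Alternative ways in. Each inner frozenset is one complete path: hold
    # every channel in it and the account is yours (a login, or a reset).
    paths: tuple
    # Channels the attacker gains once this account falls: owning the
    # inbox yields "email", which other accounts accept for resets.
    grants: frozenset = frozenset()


def takeover_order(accounts, start):
    """Return account names in the order they fall from the capabilities
    in `start`. Iterates to a fixpoint: each compromised account adds the
    channels it grants, then every surviving account is tested again."""
    have = set(start)
    fallen = []
    progress = True
    while progress:
        progress = False
        for acct in accounts:
            if acct.name in fallen:
                continue
            if any(path <= have for path in acct.paths):
                fallen.append(acct.name)
                have |= acct.grants
                progress = True
    return fallen


# What the SIM-swap plus the dossier hands the attacker at minute zero:
# every text sent to the victim's number, and the victim's DOB/address.
ATTACKER = {"sms", "dossier"}

SMS = frozenset({"sms"})
TOTP_LOGIN = frozenset({"password", "totp"})

# 1. Text-message resets everywhere, the default most accounts ship with.
SMS_EVERYWHERE = (
    Account("email", paths=(SMS,), grants=frozenset({"email"})),
    Account("bank", paths=(frozenset({"sms", "dossier"}),)),      # DOB + text code
    Account("exchange", paths=(frozenset({"email", "sms"}),)),    # reset link + text code
)

# 2. Login 2FA moved to an authenticator app, phone number left on every
#    account as a recovery option: the common half-fix.
APP_2FA_SMS_RECOVERY = (
    Account("email", paths=(TOTP_LOGIN, SMS), grants=frozenset({"email"})),
    Account("bank", paths=(TOTP_LOGIN, frozenset({"sms", "dossier"}))),
    Account("exchange", paths=(TOTP_LOGIN, frozenset({"email", "sms"}))),
)

# 3. Only the inbox still resets by text; the exchange accepts a reset
#    link to that inbox with no second step. Nothing SMS-related on the
#    exchange, and it still falls, through the inbox.
EMAIL_PIVOT = (
    Account("email", paths=(SMS,), grants=frozenset({"email"})),
    Account("bank", paths=(TOTP_LOGIN,)),
    Account("exchange", paths=(frozenset({"email"}),)),
)

# 4. Phone number removed from every recovery path.
NO_SMS = (
    Account("email", paths=(TOTP_LOGIN, frozenset({"hardware_key"})),
            grants=frozenset({"email"})),
    Account("bank", paths=(TOTP_LOGIN,)),
    Account("exchange", paths=(TOTP_LOGIN, frozenset({"email", "totp"}))),
)


def run_all():
    """Scenario name -> the order in which its accounts fall."""
    return {
        "sms_everywhere": takeover_order(SMS_EVERYWHERE, ATTACKER),
        "app_2fa_sms_recovery": takeover_order(APP_2FA_SMS_RECOVERY, ATTACKER),
        "email_pivot": takeover_order(EMAIL_PIVOT, ATTACKER),
        "no_sms": takeover_order(NO_SMS, ATTACKER),
    }


if __name__ == "__main__":
    for scenario, order in run_all().items():
        print(f"{scenario:22s} -> {' then '.join(order) or 'nothing falls'}")
```

Run it and the first two scenarios lose all three accounts in the same order; the third loses the inbox and then the exchange even though the exchange never touched SMS; only the fourth survives. The useful habit is to fill in your own inventory, one path per reset flow you can actually trigger, and see what the fixpoint reaches.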
Step four: the part nobody fixes
After the money is gone, the victim does sensible things. They change passwords. They turn on app-based two-factor authentication. They speak to the carrier and add a port-out passcode. They report to Action Fraud and dispute the transfers with their bank.
What almost no one does is the step that would have prevented the entire sequence: remove the dossier from the aggregators. The Spokeo listing is still there a year later. So is the BeenVerified one, the Whitepages one, the Spy Dialer one, the BackgroundCheck.run one. The next attacker, looking at the same victim or any of their relatives, will buy the same report for the same five pounds.
Changing your password after a SIM-swap is locking the door after the burglar has photographed the key.
Three things to do this week
None of these are novel. All of them are unevenly adopted.
- Move every account off SMS-2FA, and take your phone number out of the account-recovery path as well: a password reset that sends a code by text is an SMS second factor in all but name, and it is the reset flow, not the login, that the attacker in step three uses. Use an authenticator app (Aegis, 1Password, Authy) or, ideally, a hardware security key, and keep the printed recovery codes somewhere offline. Banks are the slowest to migrate, but most UK challengers and many major US banks now support app-based codes. Use them.
- Add a port-out passcode with your carrier, and a separate SIM-swap PIN if they offer one. EE calls it a SIM-swap PIN. O2 calls it a port-out passcode. AT&T calls it a Number Transfer PIN. The distinction matters: a port-out passcode stops the number leaving the network, while the lost-handset story in step two asks for a replacement SIM on the same network, which a port-out lock alone does not cover. Phone the carrier, set a number that is not in any database (not your date of birth, house number, postcode digits or any part of your phone number, which is exactly what the dossier contains), and instruct them in writing that no replacement SIM or port may proceed without it.
- Remove yourself from the people-search aggregators. The big ones in the UK orbit are Spokeo, BeenVerified, Whitepages, Intelius, Radaris, MyLife, TruePeopleSearch, and 192.com's premium tier. Each has its own opt-out form. Each requires re-checking, because many re-list on a 30 to 90-day cycle.
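For the second item, here is an added example of picking a carrier PIN that is "not in any database". It is not code from the original article: it lifts every digit run from a constructed dossier of the kind step one describes, including the date of birth in the formats people actually type, rejects any candidate found inside those runs or built from repeated or sequential digits, and then draws a fresh one with the `secrets` module. The dossier values, the rejection rules and the function names are this example's own assumptions.

```python
"""Picking a carrier PIN that does not appear anywhere in the dossier.

Added example, not code from the original article. DOSSIER is constructed
for the demonstration (the mobile number is in the UK range reserved for
fiction); the rejection rules and function names are this example's own.
"""
import re
import secrets
from datetime import date

# Constructed: the fields a people-search report hands the attacker.
DOSSIER = {
    "mobile": "07700 900123",
    "dob": date(1984, 7, 12),
    "addresses": ["14 Elm Road, SW1A 2AA", "221B Baker Street, NW1 6XE"],
    "years_at_addresses": [2009, 2015, 2021],
}


def dossier_digit_runs(dossier, min_len=2):
    """Every digit string an attacker could lift from the report, with the
    date of birth written the ways people type it (12071984, 120784,
    07121984, 19840712, 1984) and the phone number with spaces removed."""
    d = dossier["dob"]
    texts = [
        re.sub(r"\s", "", dossier["mobile"]),
        *dossier["addresses"],
        *map(str, dossier["years_at_addresses"]),
        d.strftime("%d%m%Y"), d.strftime("%d%m%y"), d.strftime("%m%d%Y"),
        d.strftime("%Y%m%d"), str(d.year),
    ]
    runs = set()
    for text in texts:
        runs.update(r for r in re.findall(r"\d+", text) if len(r) >= min_len)
    return runs


def pin_is_weak(pin, runs):
    """True if the PIN is guessable from the dossier or from habit."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if len(set(pin)) == 1:                              # 0000, 7777
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                            # 1234, 9876
        return True
    # Reject a PIN that sits inside any dossier digit run (birth year,
    # part of the mobile number) or that starts from one (house number
    # 221 padded out to 2215).
    return any(pin in run or (len(run) >= 3 and run in pin) for run in runs)


def generate_pin(dossier, length=4, attempts=10_000):
    """Draw random PINs with the secrets module until one passes the check."""
    runs = dossier_digit_runs(dossier)
    for _ in range(attempts):
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not pin_is_weak(pin, runs):
            return pin
    raise RuntimeError("no acceptable PIN found; lengthen the PIN or loosen the rules")


if __name__ == "__main__":
    runs = dossier_digit_runs(DOSSIER)
    for candidate in ("1984", "1207", "9001", "2215", "1234", "3860"):
        print(candidate, "weak" if pin_is_weak(candidate, runs) else "ok")
    print("suggested 6-digit PIN:", generate_pin(DOSSIER, length=6))
```

The rule set is deliberately over-strict: it will also reject a few harmless PINs that happen to contain a house number, which is the right direction to fail in for a number you write down once and never need to remember.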
The third one is the tedious one. It is also the one that addresses the root cause rather than the final symptom. If you'd rather not work through 150+ opt-out forms yourself, Nox Æterna handles the full broker list in one £89 payment, with PDF proof at 30 and 90 days. One transaction, your dossier withdrawn from the shelf.
The attacker can still try. They just cannot buy the answers.