THE MEDIA GLEN PUBLISHING | INVESTIGATIVE SERIES: DIGITAL CRIME

Your phone number is not yours. The carrier owns it. And for about three hundred dollars, a stranger with a grudge — or no grudge at all, just greed — can take it from you in the time it takes to drink a coffee.

THE PHONE GOES DEAD

It starts quietly. You're doing something ordinary — buying groceries, watching television, arguing with your kids about something that already doesn't matter. Your phone is in your pocket. You pull it out to check a message and the signal bars are gone. Not low. Gone. Where the carrier name used to sit there's a phrase you've probably never noticed before: No Service. Or SOS Only, which sounds more alarming than it is until you realise it means exactly the same thing. You have been cut off.

You figure it's a tower problem. You've seen it before. You move to a window. You walk outside. The bars don't come back.

Somewhere across town — maybe across the country — somebody else's phone just woke up with your number on it.

That's all it takes. That's the whole mechanism. Whoever now holds that number can receive every text message sent to you. Every phone call. Every two-step verification code that your bank, your email provider, your brokerage, your cryptocurrency exchange sends to "your" phone as proof that you are who you say you are. None of those codes reach you anymore. They all go to the person who just stole your identity at the carrier level — and they have been waiting, prepared, for exactly this moment.

WHAT A SIM CARD ACTUALLY IS

Most people think of a SIM card as the little chip that makes a phone work. That's not wrong, but it's incomplete in a way that turns out to matter enormously.

A SIM — Subscriber Identity Module — carries a unique identifier called an IMSI, International Mobile Subscriber Identity. Your carrier's network keeps a database that maps your phone number to whichever IMSI is currently authorised to use it. When a call comes in to your number, the network checks that database, finds the IMSI, routes the call to whichever device holds that IMSI.

Changing which IMSI your number points to is a completely routine procedure. You get a new phone. You crack your screen. You upgrade your plan. Millions of times a day, carriers move phone numbers from one SIM to another. The process is called a SIM swap. It is a normal, legitimate, necessary thing. It is also the door that criminals walk through.

"Your phone number has become a master key. It unlocks your email. Your email unlocks everything else."

THE SOCIAL ENGINEERING PLAY

Here is what the attack actually looks like from the outside, stripped of jargon.

Before anything else happens, the attacker needs to know things about you. Your full name. Your phone number, obviously. Your date of birth. Your mailing address. The last four digits of your Social Insurance Number (or Social Security Number for Americans). Maybe your account PIN if you've set one.

This sounds like a lot. It isn't. Every single piece of that information was probably leaked in a data breach you never heard about. It's sold in bulk on dark web marketplaces for pennies per record. A package of personal data — name, address, date of birth, Social Insurance Number, email addresses, account credentials — is called a "fullz" in the criminal trade. A fullz costs roughly two to ten dollars. Canada has had significant data breaches at financial institutions, telecoms, government agencies, and retailers. The information is out there. It has been out there for years.

Once the attacker has your information, they contact your carrier. Three ways to do this. By phone, calling customer service directly. In person, walking into a retail store with forged identification. Or through the carrier's online account portal. Each channel has its own weaknesses and each has been exploited successfully.

The script the attacker uses varies, but the shape is always the same. They claim to be you. They say they got a new phone. They need the number moved to a new SIM. They provide whatever verification the carrier asks for — and since all that verification data was bought for ten dollars or scraped from social media, they provide it correctly. The carrier representative, working a customer service queue with a hundred calls waiting, processes the request. The database updates. Your number moves.

You feel nothing. There's no pain. No alarm. Your phone just gets quiet.

WHY CARRIERS ARE VULNERABLE TO THIS

People expect banks to be paranoid. Carriers are not banks. They were built to move telecommunications traffic, not to guard identities. The verification systems most of them use were designed in an era before mass data breaches made personal information freely available.

A customer service representative at a mobile carrier earns somewhere around fourteen dollars an hour. They handle dozens of calls per shift. Their job is to solve problems quickly and keep the customer satisfied. The metrics they're measured on are speed and resolution rate. They are not security analysts. They are not trained to distinguish between a legitimate customer who forgot their PIN and an attacker who bought that PIN's equivalent off a data broker.

The knowledge-based questions carriers rely on — what's your date of birth, what are the last four digits of your SIN, what's your billing address — are exactly the questions that data breaches answer. The security model assumes that only you would know these things. That assumption has been false for years.

Online portals introduce a different vulnerability. Some carriers allow SIM changes through self-service web interfaces that rely on account passwords and, occasionally, SMS-based verification. The irony of using SMS to verify a SIM change request is not subtle. If the attacker already has access to the account, they can often complete the swap without speaking to a human being at all.

THE INSIDER PROBLEM

There is a second way in that requires no social engineering of the victim's information whatsoever.

Carrier employees and retail store staff have direct access to account management systems. A single keystroke by someone with the right access level can move a phone number from one SIM to another. No questions asked. No verification required. Because from the system's perspective, the verification has already happened — the employee is trusted.

Criminals know this. They recruit insiders.

The recruitment is not subtle. Employees at carrier retail stores receive unsolicited text messages offering several hundred dollars in cryptocurrency per swap performed. Some receive LinkedIn messages. Some are approached directly. The offer is simple: use your access to transfer this phone number to this SIM card, and collect your payment. In documented cases, a single corrupt employee performed dozens of unauthorised swaps before being caught.

An employee making fourteen dollars an hour who performs two swaps per week can double their income. The fact that it's a serious crime is offset, for some, by the fact that it's nearly impossible to catch in the moment and the proceeds are immediate.

This threat does not require a sophisticated hacker. It requires one person in one store making a bad decision.

WHAT HAPPENS IN THE FIRST FIVE MINUTES

Once the swap is complete, the attacker moves fast. Everything that follows is scripted and practiced.

The first target is email. Your email account is not just for correspondence. It is the recovery mechanism for almost everything else you own online. Forgot your banking password? Reset link goes to your email. Locked out of your investment account? Verification code goes to your phone or email. An attacker who controls both your phone number and your email address controls the keychain.

They go to your email provider's login page. They click "Forgot Password." The reset code — a six-digit number that expires in minutes — lands in a text message on their phone. They type it in. They change the password. You are now locked out of your own email account. They then change the recovery phone number and backup email so you can't get back in.

This takes roughly three minutes.

Then the financial accounts. Banks. Cryptocurrency exchanges. Investment platforms. Each one follows the same pattern: Forgot Password, SMS code received, password changed, account locked. Funds transferred or withdrawn.

The attacker is not improvising. They have already spent time studying which accounts you hold based on your email history, your public social media, your leaked data. They know where the money is before the swap begins. When the swap completes, it's not a search — it's a harvest.

WHY TEXT MESSAGE VERIFICATION WAS ALWAYS A BAD LOCK

Two-factor authentication was supposed to solve the problem of stolen passwords. The idea is straightforward: even if someone gets your password, they still need a second thing — something you physically possess, like your phone — to log in. A code sent via text message seemed like an elegant implementation. Almost everyone has a phone. Almost everyone knows how to read a text message. The assumption was that an attacker could not intercept a temporary code sent to your device.

Except the code isn't tied to your device. It's tied to your phone number. And your phone number can be moved.

There's a second problem that runs even deeper. The global telephone network runs on a signalling protocol called SS7, developed in the 1970s when the network was a closed system used only by a handful of trusted telecoms. SS7 was never designed for a world where the network has thousands of participants, many of them untrustworthy. It has no built-in authentication between network nodes. Anyone with access to the SS7 network can, in principle, intercept or redirect text messages.

SS7 attacks are technically sophisticated and require network access that most criminals don't have. But the point stands: the protocol that carries your "secure" verification code was designed before anyone was thinking about security. SIM swapping doesn't even need SS7 access. It's a simpler, blunter instrument. Just move the number.

The American standards body NIST — the National Institute of Standards and Technology — has been warning about SMS-based verification since 2016. Its 2025 guidelines require that any authentication system claiming a meaningful security level offer a phishing-resistant option. SMS codes don't qualify.

THE ESIM ERA MAKES IT FASTER

The physical SIM card, the small chip you pop out of your phone with a paperclip, is going away. Its replacement is the eSIM — embedded SIM — a programmable chip built into the device that can be activated remotely by scanning a QR code. No physical card. No store visit required.

For consumers, eSIMs are convenient. For criminals, they compress the attack timeline from hours to minutes.

A traditional SIM swap required either visiting a store or convincing a phone representative to mail a new SIM card or activate one on file. With an eSIM, a carrier customer service agent can generate a QR code during a phone call and send it to whatever email address the attacker provides. The attacker scans it. The number transfers. Done.

In the United Kingdom, where eSIM adoption is advanced, reported SIM swap cases rose by more than a thousand per cent between 2023 and 2024 — from 289 incidents to nearly 3,000 in a single year. That number will keep climbing as eSIMs become standard. In Australia, regulators noted that ninety per cent of recent SIM swap incidents occurred without any direct interaction with the victim at all.

CAN IT STILL BE DONE TODAY?

Yes.

The short answer is yes, it can absolutely still be done, and it is being done every day in Canada, the United States, the United Kingdom, South Africa, Australia, and everywhere else smartphones and mobile banking coexist.

The regulatory landscape has shifted. In November 2023, the American Federal Communications Commission adopted rules specifically targeting SIM swap fraud, requiring carriers to use stronger authentication before moving a number, to notify customers immediately when a SIM change is requested, and to offer account locking features. The rules were adopted unanimously. The original compliance deadline was July 2024. As of early 2026, full enforcement remains pending regulatory review. The rules exist on paper. They are not yet fully enforced.

In Canada, the regulatory framework governing telecoms does not yet include specific SIM swap rules equivalent to the FCC order. The Canadian Radio-television and Telecommunications Commission oversees the industry. Consumer protections exist under the Wireless Code. But the specific procedural requirements around SIM authentication that the FCC has mandated do not yet have a Canadian equivalent.

Carriers have introduced optional protections. The key word is optional.

All three major American carriers now offer some form of SIM lock or number lock — a setting that blocks unauthorised SIM changes and port-outs. Canadian carriers have similar features, marketed under various names. None of them are enabled by default. They must be activated deliberately, which means most customers have no idea they exist.

A 2025 arbitration case in the United States produced a $33 million award against T-Mobile. The victim had an eight-digit PIN on their account. The attacker talked a call centre representative into issuing a remote eSIM QR code anyway. The lock was set. The swap happened regardless. The point is not that protections are useless. The point is that a determined attacker with a cooperative insider or a gullible representative can defeat them.

WHAT YOU CAN ACTUALLY DO

The bad news first: there is no single setting, no single tool, no magic purchase that makes you immune. If someone wants your number badly enough and has access to a corrupt carrier employee, they will get it. Accept that.

The good news: most attacks are opportunistic. They target the easiest available victim. Hardening your account doesn't need to be perfect — it needs to be harder than the next person.

Step One: Call your carrier and set a SIM lock.

Do this today, not next week. In Canada, contact your carrier directly and ask specifically about SIM swap protection, number lock, or port-out protection. Bell, Rogers, Telus, and their subsidiaries offer variants of this. The feature blocks SIM changes and number transfers until the lock is manually removed — which requires you, in person or over the phone with additional verification.

While you are on that call, also set a separate PIN or passcode for account changes if you haven't already, and ask that it be required for any SIM-related request. Write the PIN down and store it somewhere that is not in your email or your phone.

Step Two: Stop using text messages as a second factor.

Every account that currently sends you a six-digit code by text message is an account that a SIM swap can compromise. Replace those codes with an authenticator app. Google Authenticator, Microsoft Authenticator, and Authy are all free. They generate codes locally on your device — not through the phone network — which means a SIM swap doesn't touch them. The codes work even when your phone has no signal.

For your highest-stakes accounts — email, banking, cryptocurrency, investment platforms — go further and use a hardware security key. These are physical USB devices (some also work by tapping on a phone's NFC chip) that authenticate you by cryptographic proof rather than a code. They cost between fifty and a hundred dollars. They cannot be phished. They cannot be redirected by a SIM swap. They are the closest thing to a real lock that the consumer authentication market currently offers.
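
The difference this step relies on, as an added example that is not part of the original article: a toy carrier table shows an SMS code following the number to the replacement SIM, while an RFC 6238 authenticator code is computed from a secret that stays on the handset. `ToyCarrier`, the IMSI labels and the phone number are hypothetical, and the key is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample values (the key is the RFC 6238 SHA-1 test key).
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
NUMBER = "+1-555-0100"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: needs only the shared secret and a clock."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ToyCarrier:
    """Hypothetical model of the carrier database: number -> authorised IMSI."""
    def __init__(self):
        self.number_to_imsi = {}
        self.inbox = {}                          # IMSI -> SMS texts received

    def assign(self, number, imsi):
        """Provisioning and a SIM swap are the same operation: repoint the number."""
        self.number_to_imsi[number] = imsi
        self.inbox.setdefault(imsi, [])

    def deliver_sms(self, number, text):
        """SMS follows the number to whichever IMSI currently holds it."""
        self.inbox[self.number_to_imsi[number]].append(text)

def compare_second_factors(now=59):
    carrier = ToyCarrier()
    carrier.assign(NUMBER, "imsi-original")      # owner's SIM
    device_secret = SECRET_B32                   # enrolled once, kept on the owner's handset
    carrier.assign(NUMBER, "imsi-replacement")   # the swap: one database update
    carrier.deliver_sms(NUMBER, "Your verification code is 000000")
    app_code = totp(device_secret, now)          # computed offline on the handset
    server_code = totp(SECRET_B32, now)          # the service's own copy of the secret
    return {
        "sms_on_original_sim": len(carrier.inbox["imsi-original"]),
        "sms_on_replacement_sim": len(carrier.inbox["imsi-replacement"]),
        "app_code_accepted": hmac.compare_digest(app_code, server_code),
        "app_code": app_code,
    }

if __name__ == "__main__":
    print(compare_second_factors())
```

The swap changes where the SMS lands but has no input into `totp`, which is why the app code still verifies on the original handset with no signal.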

Step Three: Secure your email first.

Your email account is the master key. If an attacker gets into your email, the rest follows. Enable the strongest available second factor on your primary email account. If your provider offers a security key option, use it. If not, use an authenticator app. Remove SMS as an option entirely if the platform allows it.

Also review the recovery options on your email account. Many people set up a backup phone number for recovery years ago and have forgotten it. If that backup number is unprotected, it's a back door.

Step Four: Reduce your data footprint.

The attack depends on the attacker knowing enough about you to pass carrier verification. Some of that information was leaked in breaches you can't control. But some of it you published voluntarily. Your full date of birth on Facebook. Your hometown and employer on LinkedIn. Your address visible through public records. Data broker websites aggregate this information and sell it.

Services like DeleteMe and others will systematically request removal of your information from data broker databases. This is not a complete solution. But it raises the cost of targeting you specifically.

If it happens to you.

The moment you notice your phone has lost service for no obvious reason, treat it as a potential SIM swap. Don't wait. Don't assume it's a tower issue.

Call your carrier immediately from a different phone — a landline, a family member's cell, anything. Tell them you suspect an unauthorised SIM swap and ask them to freeze your account and reverse any recent SIM changes. Get a case number.

While you're doing that, try to access your email and financial accounts from a computer. Change passwords before the attacker does, if there's still time. Enable the strongest available second factor.

File a report with your local police service. File a complaint with the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca. If cryptocurrency was stolen, contact the exchange directly and provide transaction IDs — exchanges can sometimes freeze a destination wallet if they're contacted fast enough.

Place a fraud alert or security freeze with Equifax Canada and TransUnion Canada. A freeze prevents new credit from being opened in your name while you sort out the damage. It's free and it can be lifted when you need it.

THE LOCK ON THE DOOR

Here is what all of this adds up to.

For forty years, the telephone network has been building out infrastructure that now underpins how we prove who we are. Banks send codes to phones. Governments send notifications to phones. Employers verify identity through phones. The phone number has become a root credential — a thing from which all other digital trust descends.

And it was never designed to be that. It was designed to ring when someone called you.

The system that lets a stranger spend fifteen minutes on the phone with a carrier representative and walk away with your identity wasn't built by criminals. It was built by telecommunications companies optimising for customer convenience and low call-handling times. The criminals just noticed what was there and started using it.

The door has been in the wall the whole time. Most people have never looked at it. Now you have.

BEHIND THE STORY

This article draws on court records, FBI Internet Crime Complaint Center annual reports (2018–2024), FCC Report and Order FCC 23-95 (November 2023), the Princeton University SIM swap study (2020), NIST Special Publication 800-63-4 (2025), UK Cifas fraud statistics (2024), South African Communications Risk Information Centre reporting, and technical analysis from Intel 471, Chainalysis, Elliptic, and Merkle Science. Dollar figures are sourced from DOJ press releases, court records, and FCC filings. The FCC's enforcement timeline and the status of Canadian regulatory equivalence are accurate as of March 2026.

© The Media Glen Publishing | Synexmedia.com | All rights reserved.