Your weekly dose of scam-proofing in 3 minutes or less. No fluff, just the latest hacks, scams, phishing attacks, and cyber cons you actually need to know about.

🚨 SCAM OF THE WEEK: SIM Swap Fraud

What is SIM Swap Fraud?

Your phone goes quiet.

No signal. No texts. No data. You figure it's a network blip. Maybe you're in a dead zone. You restart the phone. Still nothing.

Meanwhile, on the other side of town, someone is logging into your bank account. Resetting your email password. Clearing out your crypto wallet. All authenticated by the MFA codes that are now going to their phone instead of yours.

They didn't need your phone. They didn't need your password. They didn't install anything, click anything or touch any of your devices.

They just called your mobile network, said they were you, and asked to move your number to their SIM.

And the call centre said yes.

🧠 How It Works

1️⃣ They gather your details.

Name, date of birth, address, and the last four digits of your account number. Most of this is sitting in old data breaches, on your social media, or available for a few quid on the dark web. Over 1.7 billion credentials were found on dark web markets during 2024 alone. Your details are probably already out there. The attacker just needs enough to sound convincing.

2️⃣ They call your network.

They ring your mobile provider's customer service line. They say their phone was lost or stolen. They quote back your personal details to pass the security checks. They ask to transfer your number to a new SIM – the one they already have in their hand.

Global telcos have trimmed costs by shifting Tier-1 support offshore, where agents juggling time-to-answer targets are statistically more prone to verification bypass fatigue. Translated: the call centre agent is overworked, underpaid, and trying to close the call quickly. Your life savings are the collateral damage.

3️⃣ Your phone dies.

Your number is now theirs. Your phone shows no service. You have no idea why. 90% of SIM swap incidents occur without any interaction from the victim whatsoever. You find out the same way most people do – when the password reset emails start arriving for accounts you didn't try to access.

4️⃣ Everything unravels at once.

With your number, they intercept every MFA code sent to you by SMS. Your bank. Your email. Your crypto exchange. Every account that sends a verification text is now wide open. They move fast – usually draining accounts within minutes of getting the number.

The average SIM swap victim lost $26,400 in 2024. Not because they did anything wrong. Because a call centre agent believed a stranger who knew their postcode.

💥 Why It Works

Here is the part that should make you genuinely angry.

Your bank spent years and millions building security systems to protect your money. Strong passwords. Multi-factor authentication. Fraud detection algorithms. All of it.

And it can be completely bypassed by someone making a phone call.

42% of UK banks and 61% of crypto exchanges were still using SMS as their default MFA method in 2024. That means for most people, the final line of defence between a fraudster and their savings is a text message – a text message that can be redirected to anyone who can sweet-talk a call centre.

The scam doesn't require technical skill. It requires knowing your name, your birthday, and enough patience to stay on hold. That is the entire barrier to entry.

🙈 Real-World Facepalms

  • T-Mobile, March 2025: A California arbitrator ordered T-Mobile to pay $33 million after a single SIM swap allowed thieves to drain approximately $38 million in cryptocurrency from one customer's wallet – a customer who had specifically requested extra security on their account. The extra security didn't help. The call centre overrode it.

  • Jack Dorsey, 2019: The then-CEO of Twitter had his own Twitter account hacked via SIM swap. If the founder of the platform can't protect his number, the bar for the rest of us is not exactly reassuring.

  • UK, 2024: Cifas reported a 1,055% increase in unauthorised SIM swaps in a single year – jumping from 289 cases in 2023 to nearly 3,000 in 2024. Nearly half of all account takeover cases involved mobile phone accounts. This is not a niche attack. It is an industry.

⚠️ Red Flags for Customers to Watch Out For

🚩 Your phone suddenly loses all signal with no obvious reason. 

🚩 You receive a text from your network saying your SIM has been activated on a new device. 

🚩 You stop receiving calls or texts unexpectedly – friends say they can't reach you. 

🚩 Password reset emails or texts arrive for accounts you didn't touch. 

🚩 You get locked out of bank or email accounts without trying to log in.

The cruel irony: by the time you notice any of these, the damage is usually already done.

🛡️ How Not to Get Played

Ditch SMS-based MFA wherever you can.

This is the root of the problem. SMS codes can be intercepted the moment your number is swapped. Replace them with an authenticator app – Google Authenticator, Microsoft Authenticator, Authy – for every account that matters. An authenticator app generates codes on your device. Swapping your SIM does nothing to it. The NCSC specifically recommends app-based MFA over SMS for exactly this reason.

Set up a SIM swap PIN or verbal password with your network.

Most mobile providers will let you add an extra PIN or passphrase to your account that must be quoted before any changes can be made. Call your network and set one up. Make it something that is not your date of birth, your mother's maiden name, or anything else that is one data breach away from being public knowledge.

Freeze or lock your number with your carrier.

Some networks now offer number lock or port freeze features that prevent your number from being transferred without you physically visiting a store with ID. Ask your carrier if this is available. It should be the default. It is not.

Act immediately if your phone loses signal unexpectedly.

Do not wait to see if it fixes itself. Call your network from another phone straight away and ask if any changes have been made to your account. Every minute matters – attackers work fast once they have your number.

Use a password manager and unique passwords everywhere.

SIM swap attacks often succeed because the attacker already has your password from a breach and just needs to bypass MFA. A unique password on every account means even if one is compromised, the others are not. A password manager does the remembering for you.

🔥 ONE-LINER HOT TAKE

Your bank built a vault. Then left the key with a call centre agent on their fourth hour of a Monday shift.

That's it for this week.

SIM swap fraud is not clever. It is not sophisticated. It is a phone call to an overworked customer service agent and a plausible story. The technology your bank relies on to keep your money safe can be undone by someone who knows your date of birth and is willing to stay on hold for twenty minutes.

The fix is straightforward: stop using SMS as your MFA method wherever you can, and put a PIN on your mobile account today. Neither takes long. Both matter more than most people realise.

Catch you next time,

Dan & the Goldphish Team

📌 P.S. Still getting your bank's security codes by text? That's the thing to change this week. Not next week. This week.
