SIM-Swap Fraud Is Rising in the UK: What It Is and How to Protect Yourself
SIM-swap fraud grew 38% last year according to Cifas. Here is what it is, how criminals use it to drain bank accounts, and five practical steps UK consumers can take right now.
Direct answer
SIM-swap fraud happens when a criminal convinces your mobile network to transfer your phone number to a SIM card they control. Once they have your number, they can intercept the one-time passwords (OTPs) banks and other services send by text, giving them access to your accounts. Fraud prevention service Cifas reported a 38% rise in SIM-swap attacks in its Fraudscape 2026 report.
SIM-Swap Fraud Is Rising in the UK: What It Is and How to Protect Yourself
SIM-swap fraud — where a criminal tricks your mobile network into handing over your phone number — is growing fast in the UK. Fraud prevention service Cifas recorded a 38% rise in SIM-swap attacks in 2025, according to its Fraudscape 2026 report. Once a fraudster controls your number, they can intercept the security codes your bank sends by text and access your accounts without ever knowing your password.
This is not a niche or technical threat. Real UK consumers have lost thousands of pounds, and in some cases it took their mobile network more than a week to return their stolen number — time during which the fraud continued.
What's happening
SIM-swap fraud works by convincing a mobile network to transfer your phone number to a new SIM card or eSIM that the criminal controls. In plain English: they steal your phone number without touching your phone.
Cifas links the rise in attacks directly to how widely banks and online services rely on one-time passwords (OTPs) sent by text message. An OTP is a single-use code sent to your phone to confirm your identity — for example, when you log in to online banking or authorise a payment. If a fraudster has your number, they receive those codes instead of you.
Most SIM swaps are now carried out online rather than in-store or over the phone, making identity checks harder. Fraudsters may also target your email account first: if they can access your inbox, they can request a password reset for your mobile account and then use a PAC (Porting Authorisation Code) to move your number to a different network entirely.
Which? published detailed findings on 30 April 2026, including three real cases involving UK consumers and the networks Lebara and Vodafone.
Why it matters
The consequences go well beyond a lost phone signal. In one case reported by Which?, a woman identified only as Beth had her Lebara account compromised after scammers failed her network's security questions multiple times — yet the network still allowed sensitive account changes. The criminals then accessed two bank accounts and her PayPal, spending around £3,500. Although the money was refunded, the fraud continued for nearly a month.
In a separate case, Joanne from Weybridge alerted Vodafone immediately when she received an unexpected SIM-swap confirmation text in late September 2025. Despite acting quickly, it took 10 days for Vodafone to return her number. During that time, fraudsters intercepted security codes from her bank and email provider.
Ofcom, the telecoms regulator, does not set mandatory timeframes for networks to recover stolen numbers. Which? considers a 10-day wait unacceptable, but there is currently no regulatory requirement to do better.
A third case showed how email compromise can be the entry point: fraudsters called the victim posing as Vodafone's fraud team — likely to keep the line busy — while simultaneously using access to his email to reset his Vodafone password and complete the SIM swap. He lost £500 from his bank account and more than £2,500 in Apple purchases made via PayPal.
Who is affected
Anyone who uses a UK mobile phone number as part of their online security is potentially at risk. That includes:
- Online banking customers who receive OTPs by text
- Email account holders using SMS-based two-factor authentication
- PayPal and other payment platform users linked to a mobile number
- Social media account holders using phone-number verification
The risk is higher if your mobile account has a weak password, if you use the same password across multiple services, or if your email account is not protected by two-factor authentication.
What to do next
Which? sets out five practical steps, and consumer security guidance supports them:
- Secure your mobile account now. Set a strong, unique password for your network account. Ask your provider whether it can add an extra PIN or password that must be provided before any sensitive changes — such as a SIM swap — are approved.
- Switch away from SMS authentication where you can. SMS is better than nothing, but passkeys (supported by Apple, Google, Microsoft, and Samsung) are tied to a physical device rather than your phone number, making them much harder to hijack. Use an authenticator app as a minimum. You can check which services support stronger 2FA at 2fa.directory/gb.
- Protect your email account first. As the third case above shows, your inbox can be the door that lets fraudsters into everything else. Enable two-factor authentication on your email using an app or passkey, not SMS.
- Tidy up your online profile. Set strong, unique passwords across all accounts. Restrict who can see your social media profiles, and avoid publicly sharing your date of birth, pet names, or phone number — details commonly used in security questions.
- Act immediately if something feels wrong. If you receive an unexpected SIM-swap confirmation, or your phone loses signal without explanation, contact your network at once via webchat or another device. Simultaneously, call your bank to freeze your accounts. Change passwords on any sensitive accounts and disable SMS as an authentication method where possible.
If you are reviewing your mobile plan as part of a broader look at your household bills, Taupia lets you compare mobile and other household bill options in one place.
Sources
- Which? – Mobile networks must step up to prevent SIM-swap fraud (30 April 2026)
- Cifas Fraudscape 2026 — cited for the 38% rise in SIM-swap attacks
Key takeaways
- Cifas recorded a 38% rise in SIM-swap attacks in 2025, detailed in its Fraudscape 2026 report.
- Once a fraudster controls your phone number, they can intercept bank OTPs and access financial accounts without needing your password.
- Which? found cases where networks approved SIM swaps even after callers failed basic security questions, and where recovery took up to 10 days.
- Ofcom does not set mandatory timeframes for networks to return stolen numbers to victims.
- Using passkeys or an authenticator app instead of SMS codes significantly reduces your exposure to this type of fraud.
Frequently asked questions
How do I know if I have been a victim of SIM-swap fraud?
The most common warning sign is your phone suddenly losing all network signal — calls, texts, and mobile data stop working. You may also receive an unexpected text confirming a SIM swap you did not request. If either happens, contact your mobile network immediately using another device or webchat, and alert your bank.
Are mobile networks required to recover my number quickly?
Ofcom, the telecoms regulator, does not currently set timeframes for networks to recover phone numbers in SIM-swap fraud cases. Which? reported one case where it took Vodafone 10 days to return a stolen number, during which time fraudsters continued to intercept security codes.
Is SMS two-factor authentication safe to use?
SMS-based authentication is better than no two-factor authentication at all, but it carries risk because your codes are tied to your phone number rather than a physical device. Where possible, use passkeys or an authenticator app instead. Passkeys are supported by Apple, Google, Microsoft, and Samsung.
Can fraudsters complete a SIM swap online without visiting a store?
Yes. According to Which?, most SIM-swap fraudsters now choose to carry out the swap online rather than over the phone or in-store, making it harder for networks to verify identity through face-to-face checks.