Telecom fraud has become a major vector for identity-based attacks. In one case, a fraudster convinced a carrier to transfer a Bank of America customer’s number to a new SIM card, then intercepted one-time passcodes to steal $38,000 from his account. Because phone numbers now function as digital keys, they can be exploited to access banking, email, and other sensitive accounts.
Businesses treat phone numbers as unique identifiers, using them to deliver one-time passwords (OTP) and anchor everything from social media logins to online banking sessions. Banks and credit unions often rely on SMS for two-factor authentication (2FA) because it’s familiar and convenient. However, this approach assumes the person receiving the code is the legitimate owner – an assumption that fails to account for telecom-based fraud.
Two Common Telecom Fraud Vectors
Both SIM swaps and recycled phone numbers exploit weaknesses in telecom systems and can lead to account takeover (ATO) fraud, where unauthorized parties gain control of victims’ accounts.
SIM Swap Fraud
SIM swap fraud highlights the vulnerability of carrier identity verification. In these scams, a fraudster tricks a provider into porting into porting a victim’s number to a SIM under their control. The victim suddenly loses service (“No Signal”), while the attacker’s device begins receiving all calls and texts – including OTPs – meant for the victim. This allows the attacker to bypass multi-factor authentication (MFA) and reset passwords.
SIM swapping is appealing because it requires only basic social engineering and leaked personal data. When carrier agents rely on static, knowledge-based questions, fraudsters can easily pass. A 2020 Princeston University study found that 80% of fraudulent SIM swap attempts across five major U.S. carriers succeeded on the first try, revealing widespread weaknesses in over-the-phone authentication and MFA processes.
Recycled Phone Number Fraud
Another major telecom risk comes from recycled phone numbers, a standard industry practice. The Federal Communications Commission (FCC) reports that about 35 million U.S. numbers are recycled annually. Carriers routinely disconnect inactive numbers, hold them briefly, and then reassign them to new customers.
What seems like routine housekeeping now carries serious cybersecurity implications. Because phone numbers serve as digital identifiers, a reassigned number can unlock accounts belonging to its previous owner. Fraudsters who acquire recycled numbers can trigger password resets or OTP logins to hijack those linked accounts.
Most organizations don’t verify phone number ownership before sending OTPs. As long as the text delivers, systems assume the right user received it. Some companies attempt basic tenure checks – how long a number has been active – but even that can be fooled. A fraudster can obtain a recycled number with long history, making it appear “safe” despite a recent ownership changeWhy financial institutions are especially vulnerable
Banks and credit unions have long viewed SMS verification as a strong “something you have” factor. However, as phone-centric fraud rises, this dependency poses a significant risk. Fraud rings frequently target banking and payment app users via SIM swaps, knowing that once they control a victim’s number, they can approve transfers, add payees, and reset credentials.
Regulators and industry bodies now flag SMS-based authentication as inherently risky. Guidance from the FBI and CISA warns against using SMS as the sole factor in high-risk contexts. Yet, removing phones from authentication entirely isn’t practical — users value their convenience. The smarter path forward is to strengthen verification by detecting SIM swaps, porting events, and recycled number risks in real time.
Making Phone Verification Intelligent
Identity threat detection and risk mitigation technologies enable organizations to verify that a phone number is in the rightful owner’s possession, not merely capable of receiving a text.
By layering telecom data with broader identity and risk signals, enterprises can confirm phone number ownership at a given moment. Instead of blindly sending an OTP to “the number on file”, they can ask:
- Has this number been active on the same SIM and account, or was it recently ported?
- Is it a prepaid or high-risk number type?
- Has the carrier recently suspended or deactivated the number?
ID Dataweb MobileMatch addresses this need by cross-checking users phone numbers against authoritative carrier data in real time. When a user registers or logs in, MobileMatch queries telecom data to verify that the number is still active and still tied to the legitimate user. If anomalies appear – such as a recent SIM swap – it flags the event and can block the OTP, triggering a step-up authentication through another channel, or requiring additional ID.
Number Deactivation Monitoring adds another layer. Because telecom operators record when numbers are disconnected and reassigned, MobileMatch can detect whether a number was recently recycled and flag recovery attempts tied to it as suspicious.
Balancing security and user experience
These telecom-based checks can be combined with adaptive verification workflows.
- Low risk: A customer with a long-tenured number and no SIM activity proceeds with normal OTP.
- High-risk: A recently ported or deactivated number triggers a stronger step-up, such as biometric or call-in verification.
This dynamic approach keeps friction low for legitimate users while stopping imposters in real time.
The same principles can also enhance in-person security. Fraudsters increasingly present expertly forged driver’s licenses at branches – complete with holograms and barcodes. With MobileMatch, a bank teller can use the customer’s mobile device as a second factor, validating that the phone number is active and linked to the presented identity.
Canadian Imperial Bank of Commerce (CIBC), for example, employs this kind of in-branch multi-factor authentication. Customers must present both their debit card and a second factor – either a verified mobile device or a scannable government ID – for transactions.
A safer path forward
Mobile-based verification isn’t going away – it’s too convenient and familiar. But as fraudsters exploit SIM swaps and recycled numbers, businesses must make phone verification smarter, not simpler.
By incorporating telecom intelligence – such as SIM swap alerts, subscriber status, and disconnection history – organizations can treat phone numbers as dynamic identity data that require validation. This enables stronger protection without degrading the user experience.
For security and fraud prevention teams, that means fewer false positives and faster detection of genuine threats. It’s a shift from reactive fraud response to proactive fraud prevention, using richer, real-time data to stay ahead of attackers.
