A customer has just switched telco companies and deactivated their number. Weeks later, someone else with that old number logs into their bank account and changes the password. They didn’t guess credentials or hack the bank – they simply exploited a number that still has the customer’s identity attached to it.
This is recycled number fraud. Phone numbers are now deeply intertwined with modern authentication workflows. They function as user IDs, deliver one‑time passcodes, and anchor everything from social logins to online banking. But the life of a phone number does not end when a subscriber cancels service.
After a cooling‑off period (typically 45–90 days), carriers reassign retired numbers to new customers. In the United States, around 35 million phone numbers are recycled each year – nearly 10% of all numbers – and some high‑turnover area codes recycle up to 20%. Every one of those reassignments is a potential doorway into somebody else’s life.
Account takeover (ATO) fraud is already a serious and growing problem. Research published in January 2025 found that 29% of internet users have experienced account takeover. U.S. merchants lost $38 billion to account takeover in 2023 and are projected to lose $91 billion by 2028. Phone number recycling adds a new vector to these attacks by making two‑factor authentication (2FA) codes and password resets land in the wrong hands.
This article explores how recycled numbers enable account takeovers, then shows how ID Dataweb’s new subscriber status and number deactivation signals for MobileMatch address these issues by verifying real‑time phone ownership rather than just checking that a number is active. Along the way, we’ll break down the lifecycle of a phone number, unpack the ways fraudsters exploit reassigned numbers, and offer practical guidance for mitigating these risks.
Why numbers get recycled and why it matters
Phone numbers are a finite resource. When a subscriber cancels service or ports their number to a different carrier, that number is deactivated and enters an aging period mandated by regulators. In the U.S., the Federal Communications Commission (FCC) requires carriers to wait at least 45 days after permanent disconnection before reassigning a number.
After this cooling‑off period, the number returns to a pool of available numbers and is allocated to a new customer. High‑demand area codes may cycle through this process more quickly to maximize utilization.
This simple recycling process helps carriers conserve numbering resources, but it creates an inherent weakness in identity systems built around phone numbers. When organizations rely on a phone number to deliver one‑time passcodes, reset tokens or identity verification links, they implicitly assume that the person receiving the message still controls that number.
In many cases that assumption fails. A study by Princeton University revealed that 66% of sampled recycled numbers still had active links to accounts belonging to previous owners, meaning the new owner could request password reset codes and intercept 2FA messages. The same research found that 100 out of 259 recycled numbers were tied to accounts whose credentials had already been exposed in data breaches.
The scale of recycled number risk
The FCC estimates that approximately 35 million numbers in the U.S. are recycled each year. A tiny fraction of these numbers falling into the wrong hands still translates into millions of vulnerable accounts.
These vulnerabilities manifest in several ways:
Unauthorized account access. Fraudsters who acquire recycled numbers can trigger password resets or 2FA challenges on the victim’s accounts. The Princeton study found that two‑thirds of recycled numbers still had active account associations. When the carrier redirects SMS codes to the new owner, the attacker can simply complete the authentication flow and hijack the account.
Privacy breaches. New users often receive personal messages intended for the previous owner: banking alerts, dating messages, medical reminders, or even photos.
Financial fraud and identity theft. Phone numbers open doors to credit applications and high‑value transactions. Data compiled by Telesign notes that the Consumer Financial Protection Bureau observed a 35% increase in credit fraud cases tied to recycled numbers. The FBI’s Internet Crime Complaint Center saw a 400% increase in SIM‑swap attacks from 2020 to 2024, many of which involve recycled SIM cards.
Malicious exploitation by bad actors. Recycled numbers are not only a vector for isolated account takeovers; they can facilitate business email compromise, ransomware campaigns, and social engineering. Proofpoint’s 2024 State of the Phish report showed that 65% of organizations experienced at least one successful phishing attack, with recycled numbers often serving as entry points for impersonation.
Current defenses and their limitations
Most organizations lean on one‑time passcodes sent via SMS or voice calls as their second factor of authentication. While SMS OTP adds friction for attackers, it also introduces a dependency on number ownership. When a number has been recycled, OTP codes go to the wrong person. Some companies attempt to mitigate this by checking number tenure or using simple carrier lookup services.
Unfortunately, tenure alone is not a reliable indicator of risk. A fraudster can buy a recycled number with a long history and appear legitimate to a system that only checks number age.
Regulatory efforts address misdirected calls but don’t eliminate the underlying vulnerability. The FCC’s reassigned numbers database allows legitimate businesses to query whether a number has been disconnected before making robocalls, but it simply returns “yes,” “no,” or “no data” and is designed for call compliance rather than real‑time authentication. In short, the database helps telemarketers avoid wrong numbers; it doesn’t tell an authentication system whether a subscriber still owns the number.
How ID Dataweb’s new signals close the gap
As a leading threat detection and fraud prevention platform, ID Dataweb developed MobileMatch to check whether a phone number truly belongs to a user during onboarding or login. If carrier data shows a number was recently duplicated or ported, MobileMatch can block the OTP and step up the authentication flow. Banks and airlines already use these capabilities to prevent account takeover and loyalty program abuse.
To address recycled number fraud more directly, ID Dataweb is introducing two new signals into MobileMatch: subscriber status and number deactivation. These signals build on the lessons from researchers and regulatory bodies to provide near real‑time insight into phone ownership and history.
Together, they move beyond basic tenure checks and begin to address the core vulnerability behind recycled number fraud: verifying whether the person presenting the number is still the rightful owner.
Subscriber status: verifying who actually owns the number
Drawing on carrier data and proprietary analysis, this signal reveals whether the number is currently active, suspended or deactivated, prepaid or postpaid, who the primary account holder is, and how long the account has existed. This granular view is critical because prepaid numbers tend to churn faster and are more susceptible to fraud. Suspended or deactivated numbers signal that ownership may have changed.
Within MobileMatch, enterprises can use subscriber status to answer questions such as:
- Is the number currently assigned to the same person? If the number is deactivated or belongs to a different account holder, the rules engine prevents its use for OTP delivery and prompts the user to update their contact information.
- How long has the account been active? Long tenure suggests stability, while brand‑new numbers might be recycled or part of a burner SIM scheme. According to Telesign’s research, number intelligence tools can flag numbers tied to prepaid or burner SIMs and those known for high‑risk behavior.
- Is the account prepaid or postpaid? Prepaid numbers have lower barriers to acquisition and therefore pose greater risk. When a high‑risk transaction originates from a prepaid number, the system can step up to additional identity verification or route the user through a different second factor.
Incorporating subscriber status, MobileMatch moves beyond static tenure checks and validates real‑time ownership. This helps prevent attackers from using newly acquired numbers to impersonate victims. It also reduces false positives by allowing legitimate users with stable numbers to proceed seamlessly.
Number deactivation: catching recycled numbers before they’re exploited
The second signal, number deactivation, focuses on the history of the phone number itself. Carriers record when a number is deactivated and when it is reassigned. By exposing this data to our risk engine, we can answer questions such as:
- Has the number recently been deactivated? A number that has a recent deactivation timestamp is more likely to have changed hands. The number deactivation service can return the deactivation date and time, along with the carrier responsible.
- Has the number been recycled since the last verification? If a user enrolled with a particular phone number last month but the number has since been deactivated and reassigned, our engine can detect this gap and require the user to re‑verify or update their contact details. This protects accounts from unauthorized access when a number leaves the user’s control.
- Does the carrier report multiple deactivations? Numbers that churn repeatedly may be tied to burner phones and fraudulent activity.
Integrating number deactivation into MobileMatch gives organizations a proactive tool to prevent misdirected OTP codes. Instead of blindly sending a code to any active number, ID Dataweb first checks whether the number was recently recycled. If it was, the rules engine either declines the transaction or prompts the user for an alternative authentication method, such as document verification or biometric authentication.
Putting the signals to work – scenarios and benefits
Let’s consider how these signals transform authentication flows in practice. Suppose a credit union uses MobileMatch to secure online banking. When a member logs in, the risk engine checks the phone number on record and sees that the number’s subscriber status is “active, postpaid, primary account holder for five years.” There is no recent deactivation and no porting event. The system concludes that the number likely still belongs to the member, so it sends a one‑time link to confirm possession and allows the login if the link is tapped. The member experiences minimal friction.
Next, imagine a fraudster obtains a recycled prepaid number previously tied to a dormant savings account. When they attempt to reset the password, MobileMatch queries subscriber status and sees that the number is only two weeks old, is prepaid, and is not associated with the original account holder. It also sees a recent deactivation timestamp. The engine flags the attempt as high risk and denies the reset. Instead of sending an OTP to a fraudster, the platform asks the legitimate account holder (through email or an alternative factor) to update their contact details. This prevents the takeover without affecting the legitimate user.
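The routing logic from the two scenarios above, written out as an added sketch; it is not ID Dataweb's code or the MobileMatch API. The field names, action labels and the 90-day tenure threshold are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class PhoneSignals:  # hypothetical record; field names are assumptions
    status: str                            # "active", "suspended" or "deactivated"
    line_type: str                         # "prepaid" or "postpaid"
    holder_matches: bool                   # carrier account holder matches our user
    account_opened: datetime               # start of the current subscriber account
    last_deactivation: Optional[datetime]  # None when the carrier reports none

MIN_TENURE = timedelta(days=90)  # assumed policy threshold, not a vendor default

def otp_decision(sig, last_verified, now, high_risk=False):
    """Return (action, reasons) for sending an SMS OTP to the number on file."""
    hard = []
    if sig.status != "active":
        hard.append("status_" + sig.status)
    if not sig.holder_matches:
        hard.append("holder_mismatch")
    # A deactivation after our last successful verification means the number
    # may have left the user's control, whatever its current status says.
    if sig.last_deactivation is not None and sig.last_deactivation > last_verified:
        hard.append("deactivated_since_last_verification")
    if hard:
        return "DENY_AND_REVERIFY", hard   # contact the user via another channel
    soft = []
    if now - sig.account_opened < MIN_TENURE:
        soft.append("short_tenure")
    if sig.line_type == "prepaid" and high_risk:
        soft.append("prepaid_high_risk")
    return ("STEP_UP", soft) if soft else ("SEND_OTP", [])

# Constructed sample data mirroring the two scenarios in the text.
NOW = datetime(2025, 6, 1)
MEMBER = PhoneSignals("active", "postpaid", True, NOW - timedelta(days=5 * 365), None)
RECYCLED = PhoneSignals("active", "prepaid", False, NOW - timedelta(days=14),
                        NOW - timedelta(days=60))

if __name__ == "__main__":
    print(otp_decision(MEMBER, NOW - timedelta(days=30), NOW))
    print(otp_decision(RECYCLED, NOW - timedelta(days=365), NOW, high_risk=True))
```

The comparison that matters is deactivation time against the last successful verification, not against the current date: a number that is active today can still have changed hands since enrollment.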
Conclusion
Phones have become our digital keys, but the numbers attached to them are surprisingly transient. Millions of numbers change hands every year, and a significant share of those are still linked to somebody else’s digital life when they do.
Fraudsters have recognized this and turned recycled numbers into a vector for stealthy account takeovers, privacy breaches and financial crimes. Academic research, regulatory guidance and industry statistics all point to the same conclusion: static phone number checks are no longer sufficient.
ID Dataweb’s MobileMatch helps organizations adapt by layering traditional possession checks with deeper intelligence. The new subscriber status signal verifies who truly owns the number, while number deactivation detects recent churn and recycling.
When combined with device reputation, behavioral analytics, identity proofing and threat consortium data, these signals give businesses a comprehensive defense against recycled number fraud.