When Sue Shore, a 58‑year‑old resident of Manchester, discovered that her phone number had been transferred to a fraudster’s device, she realised her entire online identity had been compromised. The BBC’s investigation revealed that the breach was part of a coordinated SIM‑swap operation that gave criminals unfettered access to her Gmail, banking apps and social‑media accounts, allowing them to siphon thousands of pounds.
How the Scam Unfolded
According to Shore, the attackers first obtained personal details – including her full name, address and date of birth – from an online database that had been exposed in a data‑leak earlier this year. Armed with this information, they contacted her mobile‑network provider, posing as the account holder and requesting a SIM replacement. The provider, convinced by the forged identity documents, transferred Shore’s number to a new SIM card in the fraudsters’ possession.
Immediate Consequences
Within minutes of the swap, the criminals used the newly‑acquired number to reset passwords on a range of services that relied on SMS‑based two‑factor authentication. They gained entry to Shore’s Gmail account, intercepted verification codes, and subsequently accessed her online banking, cryptocurrency wallets and shopping profiles. By the time she regained control of her phone, the perpetrators had already withdrawn over £7,000 and made unauthorised purchases worth an additional £2,300.
Broader Investigation
The BBC’s team examined three separate victims of similar SIM‑swap attacks over the past six months. All cases shared a common thread: the perpetrators sourced personal data from publicly available leaks, then exploited lax verification procedures at telecom operators. In each instance, the victims reported that their digital lives were effectively hijacked, with fraudsters exploiting the same chain of authentication weaknesses.
Industry Response and Recommendations
Telecom providers have pledged to tighten identity‑verification protocols, including mandatory face‑to‑face checks for SIM replacements and the adoption of biometric authentication. Security experts also urge consumers to move away from SMS‑based two‑factor authentication in favour of app‑generated or hardware‑based tokens, which are far less susceptible to SIM‑swap manipulation.
What Victims Can Do Now
Authorities advise anyone who suspects a SIM‑swap attack to act immediately: contact the mobile carrier to freeze the number, change passwords on all linked accounts, and report the incident to the police and the national fraud reporting centre. Victims should also monitor financial statements for unauthorised transactions and consider placing a fraud alert on their credit files.
Looking Ahead
The surge in SIM‑swap fraud underscores a growing vulnerability in the digital ecosystem, where personal data harvested from data‑leaks can be weaponised against unsuspecting users. As criminals refine their tactics, both service providers and consumers must adopt stronger security measures to safeguard identities in an increasingly interconnected world.
