Cybercriminals are increasingly using stolen phone numbers to execute SIM-swap attacks, vishing scams, and full account takeovers of personal data [1, 2].
This trend is critical because phone numbers often serve as the primary key for account recovery and two-factor authentication. By seizing control of a number, attackers can bypass security controls that are designed to protect financial and private information [1, 3].
One primary method is the SIM-swap attack. In this scenario, a hacker convinces a mobile carrier to transfer a victim's service to a new SIM card. Once the transfer is complete, the victim loses network access while the attacker receives all calls and text messages, including security codes for banking and email accounts [3].
Another growing threat is vishing, or voice phishing. This technique involves using phone calls to trick individuals into revealing sensitive information. The scale of this threat was evident in a breach involving Charter Communications, where hackers stole millions of customer records through vishing tactics [4].
These techniques are global in scope, though they have significantly impacted users of U.S. carriers [4, 2]. The vulnerability is exacerbated by the fact that 75% of global phone users rely on their devices for a wide variety of daily tasks [5].
Security experts said that these practices remained prevalent threats through 2024 and 2025 [6, 2]. Because phone numbers are linked to so many digital identities, they have become high-value targets for those seeking to steal personal data or commit fraud [1, 3].
“Hackers can use a phone number to perform SIM-swap attacks, vishing, and account takeovers.”
The shift toward phone-based authentication has created a single point of failure for digital security. As attackers move away from traditional password guessing toward social engineering and carrier-level exploits, the reliability of SMS-based two-factor authentication is decreasing, necessitating a shift toward hardware security keys or app-based authenticators.
