Torsten George, chief cybersecurity evangelist at ID Dataweb, felt helpless when he realized he was in the middle of an active cyberattack. The person on the other end of the phone call claimed to be an AT&T customer service representative and offered George a discount for being a loyal customer. But it didn’t take George long to recognize that the “representative” was an attacker already armed with information about George’s account history, most likely obtained through social engineering.
George determined through his own investigation later that a SIM swap attack two weeks prior to that phone call allowed that individual to intercept George’s one-time password (OTP), which was sent to him by text message. But the attacker needed his passcode – the second layer of security – to gain unauthorized access to his AT&T account, hence the call.
George handed over his passcode but grew suspicious. So, he did a parallel account login on his end and entered the required identification verification steps. Unfortunately, the threat actor already had the information he needed, and George was kicked out of his account.
But he acted quickly, performed a password reset, got the OTP, and logged back in. He was able to use the existing passcode to get in and immediately changed the account password – the attacker left empty-handed.
Still, the attack highlighted a theme exploding across the industry: One-time passwords (OTPs) alone do not provide sufficient security.
“He no longer had access, but in that short period of time, he had lowered passcode from extra security to standard security,” George tells Dark Reading.
SIM Swap Makes a Comeback
Threat actors can gain alarmingly high levels of access through SIM swap attacks. When a threat actor convinces a mobile carrier to transfer the victim’s phone number to their device, they may have the tools for a total account takeover.
While overall rates for SIM swapping have decreased recently, the FBI saw an increase in complaints from users aged 60 and over, from 174 in 2023 to 222 in 2025. Losses from SIM swapping decreased between 2023 and 2024 but rose again in 2025 to $6,741,791.
Cifas, the UK’s fraud prevention arm, found “a notable rise in unauthorized SIM swaps (up 38%), driven by the availability of stolen personal data and increasingly automated attack methods,” in 2025. Its annual report warned identity fraud remains the most common threat “as criminals increasingly move towards account takeover, particularly targeting the telecoms sector for mobile phone products.”
A joint government advisory issued last year by the U.S., UK, Australian and Canadian cybersecurity authorities warned users that the infamous Scattered Spider threat group conducted SIM swaps during their campaigns to “steal OTPs, credentials, and security answers.”
And it worked. MITRE said the group used SIM swapping to maintain persistence on mobile carrier networks.
The ShinyHunters ransomware gang operates from the same playbook, reveals George; impersonation is its “primary attack methodology,” he says. Attackers rely on people being desensitized to OTPs popping up on their screens at this point.
“It’s become a habit to automatically respond,” warns George. Therefore, when it comes to making account changes, implementing additional safeguards is critical from both a user and company standpoint. Users can implement multifactor authentication like passcodes and use authenticator apps that generate OTPs that expire within minutes or seconds.
“Companies have to do more, like look at risk signals including geolocation, the status and distance of the phone, the IP address. Factor those in before making decisions,” George says. He adds some telecoms opt out because of extra costs or concerns over usability.
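The risk signals George lists can be combined into a gate in front of a SIM change, sketched here as an added example that is not code from AT&T, ID Dataweb or the article. The field names, the 50 km radius and the allow/step-up/hold policy are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class SimChangeRequest:
    # All fields are hypothetical; a real carrier would source them differently.
    req_lat: float         # where the change request comes from
    req_lon: float
    phone_lat: float       # last network location of the current handset
    phone_lon: float
    phone_active: bool     # status: is the current SIM still on the network?
    ip_seen_before: bool   # has this account used the request's IP address?
    otp_confirmed: bool    # OTP confirmed on the *current* device

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = p2 - p1, radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(req, max_km=50.0):
    """Return (action, signals). Thresholds are illustrative, not a standard."""
    signals = []
    far = distance_km(req.req_lat, req.req_lon,
                      req.phone_lat, req.phone_lon) > max_km
    # A live handset far from the requester suggests someone else is asking.
    if req.phone_active and far:
        signals.append("far_from_active_phone")
    if not req.ip_seen_before:
        signals.append("unfamiliar_ip")
    if not req.otp_confirmed:
        signals.append("no_otp_on_current_device")
    if not signals:
        action = "allow"
    elif len(signals) == 1:
        action = "step_up"   # ask for one more factor before changing anything
    else:
        action = "hold"      # multiple signals: block pending manual review
    return action, signals

# Constructed sample requests (coordinates are arbitrary city centres).
ROUTINE = SimChangeRequest(32.78, -96.80, 32.78, -96.80, True, True, True)
SUSPECT = SimChangeRequest(51.51, -0.13, 32.78, -96.80, True, False, False)

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(name, evaluate(req))
```
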
What Are Some Telltale Signs?
Red flags emerged throughout the attack against George. First, the threat actor bad-mouthed AT&T, telling George that the telco was losing customers. Then, when he managed to log back into his account, he received an email that said his wireless number was no longer associated with his user ID. He later discovered that his phone number was cancelled.
George can account for many of the attack steps, but he can’t explain how his phone number was cancelled. To him, that indicated that the threat actor had somehow gained access to AT&T beyond his account.
“The threat actors were able to impersonate me in front of AT&T, that means that AT&T didn’t do a geolocation check and didn’t send an OTP,” George says. “So, they just relied on someone telling them it had to be changed. They need a multi-layer approach for such a high-risk transaction.”
When he reported the fraud to AT&T, he was disappointed with the lack of responsibility, and noted several security shortcomings, so he took matters into his own hands. George learned to enable Wireless Account Lock, a feature AT&T launched in 2025 to help prevent unauthorized account changes. However, users must turn the feature on because it is not enabled by default, and historically, that’s unlikely to happen.
With SIM swapping and advanced impersonation tactics, there are simply too many ways to take advantage of the verification protocol, and attackers will jump on any opportunities. Users must implement their own multi-layer strategy as well, explains George. They should not rely solely on OTPs, which are “no longer secure as they were a couple of years ago.”
Dark Reading reached out to AT&T for comment on how it responds to customer reports of an active SIM swap attack. The company said it offers Wireless Account Lock, a free feature that disables several types of account changes, including SIM swaps and port-outs.
“If your phone loses service and you believe it may be a SIM swap, report it to us by visiting one of our retail stores or calling customer care,” AT&T said.
