expira-mail

SIM Swapping Attacks: How Your Email Can Be Used to Steal Your Identity

Imagine waking up one morning to find your phone has no signal. Your mobile service is suddenly dead. You assume it's a network issue. But when you try to log into your email, your password doesn't work. Then your bank. Then your social media.

Introduction

Imagine waking up one morning to find your phone has no signal. Your mobile service is suddenly dead. You assume it's a network issue. But when you try to log into your email, your password doesn't work. Then your bank. Then your social media.

You've been SIM swapped — one of the most dangerous cyber attacks most people have never heard of.

SIM swapping occurs when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. With your phone number, they can intercept SMS-based two-factor authentication codes, reset your email password, and take over your digital life.

The FBI's IC3 received 982 SIM swap complaints in 2024, with reported losses exceeding $25.9 million. In the UK, Cifas reported nearly 3,000 unauthorized SIM swaps in 2024 — a 1,055% surge.


How SIM Swapping Works

Step 1: Reconnaissance

The attacker collects personal information about you — your full name, address, date of birth, and sometimes the last four digits of your Social Security number. This data is often obtained from data breaches, data broker profiles, or social media.

Step 2: The Social Engineering Call

The attacker calls your mobile carrier, impersonating you. They claim to have lost their phone and need a new SIM activated. Using the stolen personal information, they answer the carrier's security questions.

Step 3: SIM Activation

The carrier deactivates your SIM and activates a new one in the attacker's phone. You lose service. The attacker now receives your calls and SMS messages.

Step 4: Account Takeover

With your phone number, the attacker:

  • Initiates a password reset on your email account (sent via SMS)
  • Intercepts the 2FA code
  • Resets your email password
  • Uses your email to reset passwords on your bank, social media, and other accounts

Why Your Email Is the Primary Target

Your email address is the key that unlocks every account. Once an attacker controls your email, they can:

  • Reset passwords on any service linked to that email
  • Intercept password reset confirmations
  • Lock you out of your own accounts
  • Access stored payment methods and personal data

According to the Microsoft Digital Defense Report, SIM swapping represents less than 1% of identity attacks — but the damage per incident is among the highest of any attack vector.


How Disposable Email Reduces SIM Swap Risk

Using a disposable email for low-value accounts won't prevent a SIM swap directly. But it does something equally important: it reduces the blast radius.

By using disposable addresses for non-critical accounts:

  • An attacker who gains control of your phone can only access the accounts tied to your primary email.
  • Your disposable-address accounts remain invisible — the attacker doesn't know they exist.
  • Even if the attacker accesses a disposable-address account, there's nothing valuable there.

Critical accounts (banking, primary email) should use hardware-based 2FA (FIDO2 security keys), not SMS. This makes SIM swapping ineffective against your most important accounts.


Additional Defenses

  • Use a PIN or passcode with your mobile carrier that's required for any account changes.
  • Use authenticator apps instead of SMS for 2FA wherever possible.
  • Monitor your phone service — if it suddenly drops, contact your carrier immediately.
  • Use a password manager with unique, strong passwords for every account.

The Expira Connection

Expira doesn't replace strong security practices for critical accounts. But by using disposable addresses for your low-value sign-ups, you ensure that even a successful SIM swap can't cascade across dozens of accounts. The blast radius is contained to your primary inbox alone.


Conclusion & CTA

SIM swapping is a sophisticated attack, but its damage is amplified by how many accounts are tied to a single email. By compartmentalizing with disposable addresses, you limit what an attacker can reach.

Protect your critical accounts with strong 2FA. Use Expira for everything else.

Sources: FBI IC3 2024 Internet Crime Report; Cifas UK Fraud Database 2024; Microsoft Digital Defense Report 2024; KrebsOnSecurity