SIM-swapping as a cybercrime phenomenon according to Europol’s report “Internet Organised Crime Threat Assessment (IOCTA) 2020” and Polish legislation plans

On 5 October 2020, Europol, the EU’s law enforcement agency, published a new report: the Internet Organised Crime Threat Assessment (IOCTA) 2020. The report covers the latest developments in cross-cutting crime facilitation. It also addresses the challenges related to criminal investigations, cyber-dependent crime, online child sexual exploitation, payment fraud and criminal abuse of the dark web.

The report shows that technological developments make it easier to commit cybercrime. Many modern financial instruments, such as cryptocurrencies, make it possible to pay for various forms of crime online. Recently the key trend seems to be SIM swapping.

What is SIM swapping?

SIM swapping is a cybercrime. It is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or a call placed to a mobile telephone.

When a scammer plans a crime, he begins by collecting the victim’s personal information. He may obtain it through phishing emails, by buying the data from organized criminals, or by directly manipulating the victim into providing the data. The fraud exploits a mobile phone service provider’s ability to seamlessly port a phone number to a device containing a different subscriber identity module (SIM). This feature is normally used when a customer has lost their phone or had it stolen.

After obtaining the personal details, the scammer contacts the victim’s mobile phone provider. The next step is convincing the telephone company to port the victim’s phone number to the fraudster’s SIM. This can succeed if the victim has not taken care to use two-factor authentication with questions that only they know the answer to, and passwords that are strong enough. Scammers usually try to supply personal details that they have learned about the person beforehand.

Unfortunately, sometimes the personal data is provided by employees of telecommunication companies. In many cases, SIM numbers are changed directly by criminals cooperating with scammers.

Once this happens, the victim will lose access to their SIM card. From then on, the fraudster can intercept one-time passwords sent via SMS and bypass multiple two-factor authentication methods. Many social media websites or even online banking allow you to reset your password with just a recovery phone number. This allows the fraudster to directly transfer funds from your bank account or steal your identity.

What is the risk of SIM swapping?

A successful SIM swapping attack can lead to criminals gaining complete control over a victim’s bank, email or social media account and, as a result, enable a number of serious follow-up crimes. The victim will notice that their mobile phone has lost service and will eventually discover that they cannot log in to their bank account. One danger is that this kind of cybercrime is not local in character: the actions can take place in distant countries that fall under a different jurisdiction.

How does Europol consider this phenomenon?

According to Europol, SIM swapping is definitely a key trend that allows perpetrators to take over accounts, and it has risen steeply over the last year. This modus operandi has garnered considerable attention over the past months, as law enforcement agencies noticed a significant increase in the number of cases in Europe. Overall, SIM swapping is a significant concern and poses a huge potential risk. In its report, Europol describes how to protect yourself from becoming a victim and what to do if you become one.

How to protect yourself against SIM swapping?

First of all, it is important to have suitable anti-virus software. If you discover a virus on your computer, disconnect from the internet immediately. The next thing you should pay attention to is your passwords. Don’t use the same password for more than one account. Passwords should be complicated; remember not to use personal information such as names or dates of birth. Do not post anything on social media that is connected with your passwords or that answers the questions you would be asked during the authentication process. Set up your own PIN to restrict access to the SIM card, and do not share this PIN with anyone. Checking your financial accounts frequently can also help. These rules can protect you from losing your money or identity, and from other unpleasantness.

How to realize that you’re a victim?

The first sign that should get your attention is when your phone loses reception for no reason. Then you may notice that you have lost the ability to log into your social media accounts or access your bank account. If you notice these signs, report it immediately to your service provider. If your service provider confirms that your SIM has been swapped, report it to the police.

As Europol’s IOCTA report mentions, SIM swapping is currently a trending kind of cybercrime. Since it typically requires detailed information on the victim, SIM swapping attacks are highly targeted. As many workers settle into remote work routines due to the pandemic, cybercrimes are expected to grow in frequency in the future.

SIM swapping – Polish legal status

Following the completion of work on the Polish electronic communication law and the amendment to the act on the national cybersecurity system, the Polish government is to propose regulations aimed at limiting the SIM swapping phenomenon. The legal solutions will be consulted with market representatives.

For example, there is a suggestion to introduce a rule that a duplicate SIM card could only be obtained in a telecommunications operator’s showroom (today it is possible, for example, via the hotline), unless the customer consciously resigns from this form of protection. Another idea is a statutory obligation to verify the identity card of a customer wishing to obtain a new SIM card, together with granting telecoms access to the Personal ID Register (RDO) to make this verification more effective.


IOCTA 2020 – eucrim