T1451: SIM Card Swap
Adversaries may gain access to mobile devices through transfers or swaps from victims’ phone numbers to adversary-controlled SIM cards and mobile devices.[1][2]
The typical process is as follows:
1. Adversaries will first gather information about victims through Phishing, social engineering, data breaches, or other avenues.
2. Adversaries will then impersonate victims as they contact mobile carriers to request the SIM swaps. For example, adversaries would provide victims’ name and address to mobile carriers; once authenticated, adversaries would request that victims’ phone numbers be transferred to adversary-controlled SIM cards.
3. Once completed, victims will lose mobile data, such as text messages and phone calls, on their mobile devices. In turn, adversaries will receive mobile data that was intended for the victims.
Adversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use SMS-based authentication to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets.
Analyst context for executives and security teams
SIM card swap matters because it can move a user’s phone number, calls, and SMS messages away from the legitimate mobile device and into adversary control. For business leaders, the key risk is not only mobile device access; it is loss of trust in SMS-based authentication for banking, cryptocurrency, and other online accounts. This can turn a carrier-level identity failure into account takeover, fraud, or incident escalation even when the organization’s endpoint controls appear healthy.
Executive priority
Treat this as an identity and incident-readiness issue, not just a mobile security issue. Leaders should ask which high-risk workflows still depend on SMS-based authentication, how quickly users can report sudden loss of mobile service, and whether the organization can correlate carrier/SIM changes with authentication events. Priority should go to executive, finance, help desk, privileged, and other high-value users where phone-number takeover could affect business continuity, fraud exposure, or audit evidence for access controls.
Technical view
For Android and iOS environments, validate whether SOC, IAM, help desk, and mobile operations teams can identify a suspicious phone-number transfer or sudden loss of SMS/voice service and connect it to account login activity. ATT&CK provides no official detection text for T1451, but relationship context includes a detection strategy, DET0658, and mitigations through User Guidance and Enterprise Policy. Detection engineering should focus on correlation: recent SIM or carrier-account change indicators, user reports of lost service, and successful or attempted logins using SMS-based authentication. IR playbooks should include identity containment steps for accounts tied to the affected number.
Likely telemetry
- Mobile carrier account or SIM change notifications where available
- User reports of sudden loss of mobile data, SMS, or phone calls
- IAM and application authentication logs involving SMS-based authentication
- Help desk tickets related to phone-number changes, lost service, or MFA reset requests
- EMM/MDM inventory and policy records for managed Android and iOS devices
Detection direction
- Validate whether DET0658-style logic or equivalent monitoring exists for SIM card swap indicators; ATT&CK does not provide official detection details in the supplied object.
- Correlate SIM-change or lost-service indicators with new-device logins, MFA resets, SMS-based authentication success, and high-risk account activity.
- Tune for false positives from legitimate carrier changes, device upgrades, number porting, travel, and employee phone replacement workflows.
- Do not rely on endpoint telemetry alone; the decisive evidence may live with the carrier, IAM provider, help desk, or user report.
- Use relationship context carefully: LAPSUS$ and Scattered Spider are listed as using this technique, but that should inform threat modeling rather than imply current targeting.
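One way to implement the correlation described in this list, as an added example that is not part of the original page or of ATT&CK: a small Python correlator over constructed carrier, help-desk and IAM records (the event kinds and field names are assumptions) that raises one alert when a SIM-change or lost-service signal is followed by SMS-OTP success, an MFA reset or a new-device login, and suppresses signals explained by a device-upgrade or number-port ticket.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Carrier and help-desk
# signals plus IAM authentication records, joined on the user identity.
SIGNALS = [
    {"ts": "2025-03-01T09:05:00", "user": "cfo", "kind": "carrier_sim_change"},
    {"ts": "2025-03-01T09:20:00", "user": "cfo", "kind": "helpdesk_lost_service"},
    {"ts": "2025-03-02T13:50:00", "user": "alice", "kind": "helpdesk_device_upgrade"},
    {"ts": "2025-03-02T14:00:00", "user": "alice", "kind": "carrier_sim_change"},
]
AUTH_EVENTS = [
    {"ts": "2025-03-01T09:40:00", "user": "cfo", "method": "sms_otp", "result": "success", "new_device": True},
    {"ts": "2025-03-01T10:00:00", "user": "cfo", "method": "mfa_reset", "result": "success", "new_device": False},
    {"ts": "2025-03-02T14:30:00", "user": "alice", "method": "sms_otp", "result": "success", "new_device": True},
    {"ts": "2025-03-05T08:00:00", "user": "bob", "method": "sms_otp", "result": "success", "new_device": True},
]
SUSPICIOUS_SIGNALS = {"carrier_sim_change", "helpdesk_lost_service"}
BENIGN_SIGNALS = {"helpdesk_device_upgrade", "helpdesk_number_port"}  # known-good workflows
RISKY_AUTH = {"sms_otp", "mfa_reset"}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def correlate(signals, auth_events, window_hours=24):
    """One alert per user whose SIM-change or lost-service signal is followed,
    within the window, by SMS-OTP success, an MFA reset, or a new-device login."""
    alerts = {}
    for sig in signals:
        if sig["kind"] not in SUSPICIOUS_SIGNALS:
            continue
        start = _t(sig["ts"])
        window = timedelta(hours=window_hours)
        # Tuning: a device-upgrade or number-port ticket for the same user near
        # the signal explains the carrier change, so do not alert on it.
        if any(s["user"] == sig["user"] and s["kind"] in BENIGN_SIGNALS
               and abs(_t(s["ts"]) - start) <= window for s in signals):
            continue
        evidence = [e for e in auth_events
                    if e["user"] == sig["user"] and start <= _t(e["ts"]) <= start + window
                    and ((e["method"] in RISKY_AUTH and e["result"] == "success")
                         or e["new_device"])]
        if not evidence:
            continue
        alert = alerts.setdefault(sig["user"], {"user": sig["user"], "triggers": [], "evidence": []})
        alert["triggers"].append(sig["kind"])
        alert["evidence"].extend(e for e in evidence if e not in alert["evidence"])
    return list(alerts.values())
```

With the sample data only the "cfo" identity is alerted; "alice" is suppressed by the device-upgrade ticket and "bob" has no carrier or help-desk signal at all.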
Mitigation priorities
- Reduce dependence on SMS-based authentication for high-risk users and sensitive workflows where feasible.
- Provide user guidance so employees know that sudden loss of mobile service, SMS, or calls can be security-relevant and should be reported quickly.
- Use enterprise mobility or MDM/EMM policy where applicable to manage mobile-device behavior and support response workflows for Android and iOS devices.
- Harden identity recovery and MFA reset processes so a phone-number takeover does not automatically enable account recovery or privileged access.
- Ensure IR procedures include rapid review of accounts tied to the affected phone number, especially finance, cryptocurrency, executive, and privileged-access accounts.
Analyst notes and limits
The supplied ATT&CK object frames SIM card swap as a mobile technique affecting Android and iOS users through phone-number transfer to an adversary-controlled SIM/mobile device. The object explicitly links the behavior to collection of victim information, carrier impersonation, loss of legitimate SMS/calls, and potential use of intercepted SMS for authentication to banking or cryptocurrency accounts. Relationship context includes DET0658 as a detection strategy, M1011 User Guidance, M1012 Enterprise Policy, and use by LAPSUS$ and Scattered Spider.
Official ATT&CK detection text is not provided, tactics are not specified, and the supplied relationship details do not include DET0658 detection logic. Carrier telemetry and SMS-authentication visibility may be outside direct enterprise control, so local evidence, provider integrations, and business process review are required to assess coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]
G1004: LAPSUS$
LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 814a3818a664… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] AT&T. (n.d.). UPDATE: Secure Your Number to Reduce SIM Swap Scams. Retrieved January 27, 2025.
[2] Verizon. (n.d.). SIM Swapping. Retrieved January 27, 2025.
[3] NIST Mobile Threat Catalogue STA-22.
[4] mitre-attack T1451.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.