He Thought He Was Secure; His Phone Number Got Stolen Anyway
Threat actors can easily steal one-time passwords sent by text when they conduct a SIM swap attack. This can lead to account takeovers, so users must layer up their security measures.
Arielle Waldman, Features Writer, Dark Reading
June 22, 2026
Torsten George, chief cybersecurity evangelist at ID Dataweb, Inc., felt helpless as he sat with his personal cell phone up to one ear and realized he was in the throes of an active attack. The person on the other end claimed to be an AT&T customer service representative looking to give George a discount for being a loyal customer. But it didn't take long to recognize that the “representative” was a threat actor with inside information on George's account history, derived through social engineering.
Following his own investigation, George determined that a SIM swap attack two weeks earlier had allowed the threat actor to intercept George's OTP through his text messages. But they needed his passcode – the second layer of security – to gain unauthorized access to his AT&T account, hence the call.
George handed over his passcode but grew suspicious. So, he did a parallel account login on his end and entered the required identification verification steps. Unfortunately, the threat actor already had the information he needed, and George was kicked out of his account.
But he acted quickly, performed a password reset, got the OTP, and logged back in. He was able to use the existing passcode to get in and immediately changed the account password – the attacker left empty-handed.
Still, the attack highlighted a theme exploding across the industry: One-time passwords (OTPs) alone do not provide sufficient security.
"He no longer had access, but in that short period of time, he had lowered passcode from extra security to standard security," George tells Dark Reading.
SIM Swap Makes a Comeback
Threat actors can gain alarmingly high levels of access through SIM swap attacks. When a threat actor convinces a mobile carrier to transfer the victim's phone number to their device, they may have the tools for a total account takeover.
While overall rates for SIM swapping have decreased recently, the FBI saw an increase in complaints from users aged 60 and over, from 174 in 2023 to 222 in 2025. Losses from SIM swapping decreased between 2023 and 2024 but rose again in 2025 to $6,741,791.
Cifas, the UK's fraud prevention arm, found “a notable rise in unauthorized SIM swaps (up 38%), driven by the availability of stolen personal data and increasingly automated attack methods,” in 2025. Its annual report warned identity fraud remains the most common threat “as criminals increasingly move towards account takeover, particularly targeting the telecoms sector for mobile phone products.”
A joint government advisory issued last year by the U.S., UK, Australian and Canadian cybersecurity authorities warned users that the infamous Scattered Spider threat group conducted SIM swaps during their campaigns to "steal OTPs, credentials, and security answers."
And it worked. MITRE said the group used SIM swapping to maintain persistence on mobile carrier networks.
The ShinyHunters ransomware gang operates from the same playbook, reveals George; impersonation is its "primary attack methodology," he says. Attackers rely on people being desensitized to OTPs popping up on their screens at this point.
"It's become a habit to automatically respond," warns George. Therefore, when it comes to making account changes, implementing additional safeguards is critical from both a user and company standpoint. Users can implement multifactor authentication like passcodes and use authenticator apps that generate OTPs that expire within minutes or seconds.
"Companies have to do more, like look at risk signals including geolocation, the status and distance of the phone, the IP address. Factor those in before making decisions," George says. He adds some telecoms opt out because of extra costs or concerns over usability.
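The authenticator-app codes mentioned above are computed on the device from a shared secret and the current time (TOTP, RFC 6238), so no code crosses the carrier network for a SIM swapper to intercept. The following Python example is added here for illustration and is not code from the article or from any vendor; the secret is the RFC's published test key, and the 30-second step and one-step drift window are assumed defaults.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds one code stays current (assumed default)
SECRET = b"12345678901234567890"   # RFC 6238 test key, never a real secret


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """Derive the code for the time step containing unix_time (HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int,
           digits: int = 6, drift_steps: int = 1, step: int = STEP) -> bool:
    """Server-side check: accept only codes from the current step +/- drift."""
    if len(code) != digits or not code.isdigit():
        return False                              # length is fixed by the server
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + d * step, digits, step)
        # Constant-time comparison; keep looping so timing does not leak the match.
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    issued_at = 59                                # constructed sample timestamp
    code = totp(SECRET, issued_at)
    print("code at t=59:", code)
    print("accepted 30 s later:", verify(SECRET, code, issued_at + 30))
    print("accepted 90 s later:", verify(SECRET, code, issued_at + 90))
```

A time-based code can still be read aloud to a caller, so it complements rather than replaces the passcode and account-lock layers the article describes.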
What Are Some Telltale Signs?
Red flags emerged throughout the attack against George. First, the threat actor bad-mouthed AT&T, telling George that the telco was losing customers. Then, when he managed to log back into his account, he received an email that said his wireless number was no longer associated with his user ID. He later discovered that his phone number was cancelled.
George can account for many of the attack steps, but he can't explain how his phone number was cancelled. To him, that indicated that the threat actor had somehow gained access to AT&T beyond his account.
"The threat actors were able to impersonate me in front of AT&T, that means that AT&T didn't do a geolocation check and didn’t send an OTP," George says. "So, they just relied on someone telling them it had to be changed. They need a multi-layer approach for such a high-risk transaction."
When he reported the fraud to AT&T, he was disappointed with the lack of responsibility, and noted several security shortcomings, so he took matters into his own hands. George learned to enable Wireless Account Lock, a feature AT&T launched in 2025 to help prevent unauthorized account changes. However, users must turn the feature on because it is not enabled by default, and historically, that's unlikely to happen.
With SIM swapping and advanced impersonation tactics, there are simply too many ways to take advantage of the verification protocol, and attackers will jump on any opportunities. Users must implement their own multi-layer strategy as well, explains George. They should not rely solely on OTPs, which are "no longer secure as they were a couple of years ago."
Dark Reading reached out to AT&T for comment on how it responds to customer reports of an active SIM swap attack. The company said it offers Wireless Account Lock, a free feature that disables several types of account changes, including SIM swaps and port-outs.
"If your phone loses service and you believe it may be a SIM swap, report it to us by visiting one of our retail stores or calling customer care," AT&T said.
About the Author
Arielle Waldman
Features Writer, Dark Reading
Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends.
She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.