He Thought He Was Secure; His Phone Number Got Stolen Anyway

Dark Reading Archived Jun 23, 2026 ✓ Full text saved

Threat actors can easily steal one-time passwords sent by text when they conduct a SIM swap attack. This can lead to account takeovers, so users must layer up their security measures.


Arielle Waldman, Features Writer, Dark Reading
June 22, 2026 · 5 Min Read

Torsten George, chief cybersecurity evangelist at ID Dataweb, Inc., felt helpless as he sat with his personal cell phone up to one ear and realized he was in the throes of an active attack. The person on the other end claimed to be an AT&T customer service representative looking to give George a discount for being a loyal customer. But it didn't take long to recognize that the “representative” was a threat actor with inside information on George's account history, derived through social engineering.

Following his own investigation later on, George determined a SIM swap attack occurred two weeks prior that allowed the threat actor to intercept George's OTP through his text messages. But they needed his passcode – the second layer of security – to gain unauthorized access to his AT&T account, hence the call.

George handed over his passcode but grew suspicious. So, he did a parallel account login on his end and entered the required identification verification steps. Unfortunately, the threat actor already had the information he needed, and George was kicked out of his account.

But he acted quickly, performed a password reset, got the OTP, and logged back in. He was able to use the existing passcode to get in and immediately changed the account password – the attacker left empty-handed.

Still, the attack highlighted a theme exploding across the industry: One-time passwords (OTPs) alone do not provide sufficient security.

"He no longer had access, but in that short period of time, he had lowered passcode from extra security to standard security," George tells Dark Reading.

SIM Swap Makes a Comeback

Threat actors can gain alarmingly high levels of access through SIM swap attacks. When a threat actor convinces a mobile carrier to transfer the victim's phone number to their device, they may have the tools for a total account takeover.

While overall rates for SIM swapping have decreased recently, the FBI saw an increase in complaints from users aged 60 and over, from 174 in 2023 to 222 in 2025. Losses from SIM swapping decreased between 2023 and 2024 but rose again in 2025 to $6,741,791.

Cifas, the UK's fraud prevention arm, found “a notable rise in unauthorized SIM swaps (up 38%), driven by the availability of stolen personal data and increasingly automated attack methods,” in 2025. Its annual report warned identity fraud remains the most common threat “as criminals increasingly move towards account takeover, particularly targeting the telecoms sector for mobile phone products.”

A joint government advisory issued last year by the U.S., UK, Australian and Canadian cybersecurity authorities warned users that the infamous Scattered Spider threat group conducted SIM swaps during their campaigns to "steal OTPs, credentials, and security answers."

And it worked. MITRE said the group used SIM swapping to maintain persistence on mobile carrier networks.

The ShinyHunters ransomware gang operates from the same playbook, reveals George; impersonation is its "primary attack methodology," he says.

Attackers rely on people being desensitized to OTPs popping up on their screens at this point. "It's become a habit to automatically respond," warns George. Therefore, when it comes to making account changes, implementing additional safeguards is critical from both a user and company standpoint.

Users can implement multifactor authentication like passcodes and use authenticator apps that generate OTPs that expire within minutes or seconds.

"Companies have to do more, like look at risk signals including geolocation, the status and distance of the phone, the IP address. Factor those in before making decisions," George says. He adds some telecoms opt out because of extra costs or concerns over usability.

What Are Some Telltale Signs?

Red flags emerged throughout the attack against George. First, the threat actor bad-mouthed AT&T, telling George that the telco was losing customers.

Then, when he managed to log back into his account, he received an email that said his wireless number was no longer associated with his user ID. He later discovered that his phone number was cancelled.

George can account for many of the attack steps, but he can't explain how his phone number was cancelled. To him, that indicated that the threat actor had somehow gained access to AT&T beyond his account.

"The threat actors were able to impersonate me in front of AT&T, that means that AT&T didn't do a geolocation check and didn’t send an OTP," George says. "So, they just relied on someone telling them it had to be changed. They need a multi-layer approach for such a high-risk transaction."

When he reported the fraud to AT&T, he was disappointed with the lack of responsibility, and noted several security shortcomings, so he took matters into his own hands. George learned to enable Wireless Account Lock, a feature AT&T launched in 2025 to help prevent unauthorized account changes. However, users must turn the feature on because it is not enabled by default and, historically, that's unlikely to happen. With SIM swapping and advanced impersonation tactics, there are simply too many ways to take advantage of the verification protocol, and attackers will jump on any opportunities.

Users must implement their own multi-layer strategy as well, explains George. They should not rely solely on OTPs, which are "no longer secure as they were a couple of years ago."

Dark Reading reached out to AT&T for comment on how it responds to customer reports of an active SIM swap attack. The company said it offers Wireless Account Lock, a free feature that disables several types of account changes, including SIM swaps and port-outs.

"If your phone loses service and you believe it may be a SIM swap, report it to us by visiting one of our retail stores or calling customer care," AT&T said.

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends.

She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.

    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 23, 2026
    Archived
    Jun 23, 2026