SIM Swap Fraud: How It Works and How to Protect Yourself
SIM swap fraud is one of the fastest-growing scams in South Africa. Criminals convince mobile networks to transfer your number to a SIM they control, giving them access to your banking OTPs.
SIM swap fraud has become one of the most damaging financial crimes in South Africa, consistently cited by SABRIC as a leading cause of mobile banking losses. What makes it so destructive is its invisibility: you don't click a bad link or hand over your PIN. Instead, criminals quietly take control of your phone number — and with it, the one-time PINs (OTPs) that stand between a scammer and your life savings.
South African banks processed hundreds of millions of rands in fraudulent transactions linked to SIM swap attacks in recent years. Every major network — Vodacom, MTN, Cell C, and Telkom — has been exploited. Understanding exactly how this works is the first step to protecting yourself.
What is a SIM swap?
A legitimate SIM swap is a standard network service. If your phone is lost, stolen, or your SIM is damaged, your provider can transfer your number to a new SIM card so you keep the same number and don't lose your contacts or service. It is a useful, everyday process — and that is precisely what criminals exploit.
Fraudsters abuse the SIM swap process by impersonating you at a network store, calling the network's contact centre, or bribing an insider employee. Once they convince the network that they are you, your SIM is deactivated and theirs is activated on your number. From that point forward, every call and SMS meant for you — including banking OTPs — goes to the criminal.
How the scam works step by step
Step 1: Harvesting your personal information
Criminals rarely attempt a SIM swap blindly. They first gather your personal details — ID number, date of birth, address, banking information — through phishing emails, fake websites, purchased data from dark web marketplaces, or data breaches at companies that hold your information.
Step 2: Executing the SIM swap
Armed with your details, the fraudster contacts your mobile network, either in person at a store with a fake ID or by phone claiming to be you. They report the SIM as lost or damaged and request a new one. Some cases involve corrupt network employees who perform the swap directly for payment.
Step 3: Your phone goes dark
Once the swap is done, your SIM loses signal. This is the critical warning moment. Your phone will show "No service" or "SOS only" even in areas where you normally have coverage. Calls and SMSes stop arriving.
Step 4: The fraud begins
With your number in hand, the criminal contacts your bank's voice banking line or uses the bank's app to trigger OTPs for password resets, account changes, or large transactions. Since the OTP arrives on the number they now control, they can approve anything. In a matter of minutes, accounts can be drained.
The biggest red flag
If your phone unexpectedly loses all signal and stays that way — especially when others around you have signal — treat it as an emergency. Contact your bank and network immediately from another phone. Do not wait to see if it resolves itself.
Warning signs to watch for
- Your phone suddenly has no network and cannot make calls or send SMSes.
- You receive an SMS or notification about a SIM swap you did not request.
- Someone calls or messages you asking you to confirm or ignore a SIM swap notification.
- You receive notifications from your bank about transactions you did not initiate.
- You can no longer log in to your banking app or email.
- Family members cannot reach you, even though they have full signal on their own phones.
How to protect yourself
Switch away from SMS-based OTPs
Where your bank offers it, use in-app transaction approvals or an authenticator app instead of SMS OTPs. Some South African banks now allow you to set your account to require in-app confirmation for any transaction, which a SIM swap cannot intercept.
Set up a SIM swap block with your network
Contact your network provider and ask specifically about SIM swap protection. MTN, Vodacom, Cell C, and Telkom each offer some form of port protection or additional verification. A RICA-linked requirement to appear in person for a SIM swap adds a layer of friction for criminals.
Protect your personal information
- Never share OTPs, PINs, or personal details with anyone who calls you — banks and networks never ask for these over the phone.
- Be careful what you post on social media — ID numbers, dates of birth, and home addresses are all used in SIM swap attacks.
- Use strong, unique passwords and enable two-factor authentication on your email, which is often the gateway to your banking accounts.
React within minutes
Speed is your most powerful defence once a swap has happened. Every minute you delay is a minute a criminal can use to move money. Keep your bank's fraud line number saved somewhere other than your phone — a contact in a family member's phone, or written down at home.
What to do if it happens
- Phone your bank's fraud line immediately from another device. Ask them to freeze your accounts and flag any recent transactions.
- Contact your network to reverse the SIM swap and secure your number. Ask them to add additional verification requirements.
- Change your email and banking passwords from a secure, unaffected device.
- Report to SAPS and open a case number — this is required by your bank for any fraud claim.
- Follow up in writing with both your bank and your network. Keep records of every interaction.
Your bank's legal obligation under the Financial Intelligence Centre Act and the Code of Banking Practice may entitle you to a partial or full refund depending on the circumstances. The sooner you act and report, the stronger your position.
Frequently asked questions
Can I get my money back after a SIM swap fraud?
It depends on the bank and the circumstances. South African banks have an obligation to investigate fraud claims. If you reported the fraud promptly and had reasonable security measures in place, there is a reasonable chance of recovery. Some cases have been resolved in the victim's favour through the Ombudsman for Banking Services if the bank refuses to assist.
How do criminals get my ID number and personal details?
Common sources include phishing emails, fake job application forms, data breaches at companies you've dealt with, and social engineering calls where you're tricked into confirming your details. Purchasing personal data on the dark web is also common.
Does RICA protect me from SIM swaps?
RICA registration ties your number to your identity, which should make it harder for someone else to perform a SIM swap. However, fraudsters work around this using fake IDs, corrupt insiders, or networks' telephonic verification processes. RICA alone is not sufficient protection.
What is the bank's responsibility?
South African banks are required by the Protection of Personal Information Act (POPIA) and the Code of Banking Practice to take reasonable steps to secure your account. If a bank approved large transactions based solely on an OTP without additional verification, and you report the fraud promptly, they may be found liable. The Ombudsman for Banking Services handles disputes at no cost to you.