How Hackers Hijack Your SIM Card, and Why Africa Has the Most to Lose
Your phone number is no longer just a way to receive calls. For most people across Africa, it is the key to a bank account, a mobile wallet, a two-factor authentication code, and in many cases, a digital identity. That makes the SIM card, that small chip sitting quietly in your device, one of the most valuable targets in modern cybercrime. And increasingly, criminals do not need to steal your phone to take control of it.
What SIM Swapping Actually Is
A SIM swap attack exploits a mobile phone service provider’s ability to port a phone number to a device containing a different subscriber identity module. The feature was designed for legitimate use, when a customer loses their phone, for instance, or switches to a new device. Criminals have turned it into a vehicle for account takeover fraud.
The attack begins before anyone picks up the phone. Criminals first gather personal data, through phishing emails, social media scraping, or by purchasing credentials from dark web breach dumps. Armed with that information, they contact the victim’s mobile carrier, impersonating them and requesting a SIM transfer under the pretense that the original device was lost or damaged.
Once the carrier approves the request, the attacker gains control of the phone number and begins intercepting all SMS messages and voice calls, including authentication codes used to access bank accounts and social media profiles. They then use password reset flows to lock victims out of their own accounts.
Research shows that 96% of SIM swap cases involve social engineering or insider collusion, not sophisticated technical exploits. The attack is not glamorous. It is patient, methodical, and devastatingly effective.
The Insider Threat Problem
Beyond deceiving front-line call center staff, criminals have found a more direct route. In some cases, telephone company employees have been bribed by attackers to change SIM numbers directly, approached through social media or internal directories, and sometimes offered cryptocurrency for each number transferred.
In Nigeria, the scale of this insider problem is well-documented. A 2024 report by Kaspersky identified at least 17 organized SIM swap syndicates active in Nigeria alone. A corrupt telecom employee might receive ₦50,000 to process an unauthorized SIM swap, a fraction of what fraudsters stand to earn if they access a mobile money account holding millions of naira.
High-Profile Cases and Financial Scale
The consequences extend well beyond individual victims. In January 2024, hackers executed a SIM swap against the U.S. Securities and Exchange Commission’s X account, posting fraudulent news about Bitcoin ETF approvals that temporarily caused Bitcoin prices to spike. Eric Council Jr., an Alabama man, later pleaded guilty to his role in the attack and received a 14-month prison sentence.
Globally, the financial exposure has grown to a point that courts are taking notice. In March 2025, a California arbitrator ordered T-Mobile to pay $33 million after a SIM swap enabled thieves to steal approximately $38 million in cryptocurrency from a customer’s wallet, despite the victim having “extra security” measures on their account. Attackers bypassed the carrier’s security flag by persuading a call center agent to issue a remote eSIM QR code.
Africa’s Particular Vulnerability
Nowhere are the stakes higher than on a continent where mobile phones function as the primary banking infrastructure for hundreds of millions of people. Telecom fraud costs Africa roughly $1.59 billion every year, with SIM swap attacks among the primary drivers of that figure.
According to the NIBSS Fraud Report, Nigerian financial institutions lost ₦52.26 billion, approximately $32 million, to fraud in 2024, a 196% increase over five years. In the first quarter of 2025 alone, fraud losses jumped 603% while cases rose only 7.63%, a pattern suggesting fraudsters are working with greater precision and targeting higher-value victims.
Nigerian banks reported a 300% increase in SIM swap-related fraud cases between 2022 and 2024, according to data from the Nigeria Inter-Bank Settlement System. The trend mirrors patterns across Kenya, South Africa, and Ghana, where mobile penetration exceeds 80% but digital literacy around security threats remains uneven.
Nigeria carries an additional vulnerability that distinguishes it from most other markets. In Nigeria, the fraudster must, in some cases, convince the victim to approve the SIM swap by pressing 1 — a social engineering layer that criminals have learned to exploit through impersonation calls posing as telecom support staff. Combined with the widespread use of USSD-based banking, which relies entirely on the phone number for authentication, the attack surface is unusually wide.
Regulatory Response and Its Limits
Regulators across the continent have not been passive. Kenya’s Communications Authority now requires in-person visits with biometric verification for all SIM replacements. Nigeria’s National Identity Management Commission mandates SIM registration linked to National Identification Numbers, though implementation remains inconsistent. South Africa amended its communications law in 2023 to specifically criminalize unauthorized SIM swaps, carrying penalties of up to 10 years imprisonment.
In Nigeria, the NCC recently unveiled TIRMS, the Telecommunications Identity Risk Management System, a cross-sector platform designed to allow banks and telecom operators to verify phone numbers before granting access to financial services, and to flag SIMs linked to fraud, recycling, or suspicious activity. Whether the initiative achieves scale will depend on mandatory industry adoption; a SIM swap notification system between the NCC, CBN, and NIBSS already exists but has seen low uptake by financial institutions.
Still, regulatory frameworks move more slowly than criminal adaptation. Fraudsters have shifted tactics, targeting less-secure markets or exploiting loopholes in cross-border telecom agreements.
What Users Can Do
The most actionable defense is also the least convenient: stop using SMS as a second factor for any account that matters. Stronger alternatives — biometric authentication, physical security tokens, and standalone authentication applications like Google Authenticator — ensure that even if a SIM swap occurs, the attacker cannot access sensitive accounts.
Beyond that, the habits that enable SIM swap attacks are largely the same habits that enable all social engineering fraud: oversharing personal details on public platforms, reusing security question answers across services, and responding to unsolicited requests for identity information. Attackers mine LinkedIn profiles, Instagram birthday posts, and public data broker listings for the breadcrumbs they need to impersonate a target convincingly. The less of that data is publicly accessible, the harder the reconnaissance phase becomes.
The Authentication Gap
The deeper problem is structural. Africa’s mobile money revolution was built on accessibility, the ability to transact using any phone, on any network, through USSD codes that require only a number and a PIN. That same simplicity is what makes the system exploitable. Many mobile banking systems still use SMS OTPs as the primary verification method, despite repeated warnings from cybersecurity experts. Adoption of stronger alternatives remains slow due to infrastructure and literacy barriers.
Banks and fintechs are aware of this, and some are moving. App-based verification, behavioral analytics, and real-time SIM change alerts are being deployed at various stages across Nigerian, Kenyan, and South African financial institutions. But millions of customers on basic feature phones, or in communities with limited smartphone penetration, remain exposed.
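As an added illustration (not code from this article or from any bank, operator or regulator it names), the example below shows how a bank-side check could act on a real-time SIM change alert before trusting an SMS OTP, including the case of a feature-phone customer with no app-based factor. The SIM-change feed, the 72-hour cooling-off window and the amount threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for illustration only.
COOLING_OFF = timedelta(hours=72)   # distrust SMS for this long after a SIM change
HIGH_VALUE = 100_000                # amount threshold, local currency units

@dataclass
class Request:
    action: str                  # "transfer" or "password_reset"
    amount: int                  # 0 for non-monetary actions
    has_app_authenticator: bool  # enrolled in app-based verification

def decide(req: Request, last_sim_change: Optional[datetime], now: datetime) -> str:
    """Return 'sms_otp', 'app_auth' or 'hold' for one request.

    last_sim_change comes from a hypothetical SIM-change notification feed;
    None means the feed has no record for this number (status unknown).
    """
    sensitive = req.action == "password_reset" or req.amount >= HIGH_VALUE
    if last_sim_change is None:
        # Unknown status: fail closed, but only for sensitive actions.
        sms_untrusted = sensitive
    else:
        # A timestamp in the future gives a negative age and is also
        # treated as untrusted, so bad feed data fails closed.
        sms_untrusted = (now - last_sim_change) < COOLING_OFF
    if not sms_untrusted:
        return "sms_otp"
    if req.has_app_authenticator:
        return "app_auth"        # factor not bound to the phone number
    # Feature-phone / USSD customers have no second channel: delay the
    # action and route it to out-of-band verification.
    return "hold"

# Constructed sample data, not real events.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    (Request("password_reset", 0, False), NOW - timedelta(hours=2)),
    (Request("transfer", 500, True), NOW - timedelta(hours=2)),
    (Request("transfer", 500, False), NOW - timedelta(days=30)),
    (Request("transfer", 250_000, False), None),
]

def run_samples() -> list:
    return [decide(req, changed, NOW) for req, changed in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```
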
The SIM card was designed to connect people to networks. In Africa’s mobile-first economy, it became something more: a digital passport. That elevation made it worth protecting and worth stealing. Until authentication infrastructure catches up with that reality, it will remain one of the most exploited attack surfaces on the continent.

