Why SIM-swap scams are a big deal for travellers
Most of the time, cautionary tales and travel anecdotes sound like problems to happen to someone else. Unfortunately, if you’re not careful, then you too could be at risk of the types of attacks that come with a SIM-swap scam, including cybersecurity threats.
This goes double while you’re travelling and already relying on your phone for secure transactions like banking, bookings, and communications.
What is a SIM-swap attack?
In basic terms, a SIM-swap attack transfers your primary phone number to a SIM card (or eSIM) that belongs to and is controlled by someone else. This means that a scammer would receive your calls and texts, including any two-factor authentication that you might use for logging into your bank account, email, or social media. It’s as though the number belongs to them.
You might not realize it, but, as a traveller, you are even more at risk of these scams. When you’re on unfamiliar networks, dealing with foreign carriers, and sharing your travel details on social media, you are a target. You might even be more likely to fall for phishing tactics disguised as urgent messages regarding your travel.
How SIM-swap attacks actually work
SIM-swaps follow patterns. They aren’t random. Here are a few red flags to watch out for to help protect yourself from a potential attack.
Phishing links and fake login pages
It might start as a realistic-looking email or text that appears to be from your bank or airline. Under this guise, scammers will ask you to “verify your account” or click on a “security alert.”
They will link to bogus login pages where you will unknowingly enter your credentials. That’s all they need to request a SIM transfer from your carrier.
Social engineering at the carrier level
With only a few personal details (think: your name, number, your ID, or answers to security questions), an attacker is able to communicate with your phone carrier pretending to be you.
They can request to move your phone number to a new SIM or eSIM. Depending on the strength of the carrier’s verification process, this can happen within a few minutes.
Lost or stolen phones while abroad
Losing anything while travelling can add unnecessary stress — double if it’s your phone, which contains all your communications and personal info.
If your device isn’t protected with a strong password or biometrics, a thief might be able to gain access to your apps, including your phone carrier’s app. Combined with a SIM-swap, you might be looking at a potential identity theft.
eSIM vs physical SIM: Is eSIM really safer?
While we can trust that eSIM technology does add protection, know that it’s not completely foolproof.
eSIMs are harder to duplicate than a physical SIM because the process is digital and requires more steps; a QR code, account logins, and confirmation codes can act as barriers. Despite this, if an attacker has access to your personal information, they can still trigger a SIM-swap remotely.
Carrier-level security is of the utmost importance, as is making sure your passwords are strong and you have multi-layered authentication whenever possible.
Threat model overview: How you could be targeted
While everyone should take care to stay safe while travelling, being aware of the threats and taking steps to protect yourself can make you less susceptible to SIM-swaps than others.
| Attack Type | What the Attacker Needs | Impact | Prevention |
| Fake security alert via email or text | Your phone number and carrier info | Number stolen, bank and email access compromised | Don’t click unknown links; use app-based 2FA |
High-risk scenarios for travellers
- Using unsecured public Wi-FI
- Updating social media with real time locations or travel dates
- Not using multi-factor authentication
- Weak passwords
Pre-travel security checklist
Here are a few concrete steps to take before your trip to ensure you’ve protected your number (and all your private information tied to it):
- Secure your mobile account with additional PINs and locks where possible.
- Contact your carrier and add a port-out Pin, additional passcodes, and extra verification steps for any potential number changes or transfers of SIMs.
- Inquire if your carrier offers “no SIM change” flags to help prevent any unauthorized swaps.
- Harden your critical and important accounts.
- Swap out SMS-based two-factor authentication for your banking apps, email accounts, and cloud storage for authenticator apps or hardware security keys.
- Backup your contact methods and recovery codes.
- Ensure key accounts are attached to a secondary email address, have printed out backup codes, and assign yourself a trusted contract to help recover access if ever needed.
On the road: Daily habits to prevent SIM-swap scams
Once you’re on your way, here’s what you need to do to keep your guard up, digitally so you can relax in every other way.
- Learn to recognize suspicious calls and texts.
- Be cautious of any message that: urges you to act quickly, contains typos or suspicious links, or asks for your login info (especially if it claims to be from your bank or carrier).
- Remember best use practices for public WiFi and shared devices.
- Try to avoid logging into sensitive accounts on: hotel lobby computers, public terminals, or unsecured public WiFi networks at cafes or airports.
- Keep your digital footprint to a minimum while travelling.
- Hold back on sharing: your boarding pass (even if it’s just a barcode), your private phone number, and real time updates about your location. All of this can be scraped and used in a social engineering attack.
What to do if you suspect a SIM-swap while abroad
If you’re out enjoying your travels and suddenly notice that your phone has lost service and can no longer make or receive texts and calls, that’s a red alert. Here’s how to mitigate the swap.
- In the first hour, it’s imperative that you regain control.
- Contract your mobile carrier though a verified support channel (no clicking email links).
- Freeze access to banking and other key accounts.
- Log into your email and cloud to check for suspicious activity.
- Next, secure your financial and personal accounts.
- Notify your bank of a breach and set-up fraud alerts.
- Reset your passwords for any high-risk accounts.
- Review any recent logins or in-app activities.
- File travel insurance claims for your stolen device.
- Finally, involve the local authorities.
If you even suspect that your identity is stolen, if your phone is missing, or your accounts are compromised, go ahead and file a police report. In cases of major financial fraud, you should also contact your home country’s fraud reporting agency or embassy.
SIM-swap scams are rare, but they do happen, and they can happen to anyone. Knowing the warning signs and taking counter measures in advance can help you to stay vigilant and protect the data on your mobile device.
