SIM Swap Attack: How It Works and How to Protect Your Accounts (2026)
In 2024, Tempo reported a SIM swap case where a victim lost Rp 350 million ($25,000) in 2 hours. Attackers hijacked the phone number, intercepted SMS OTPs from mobile banking, and transferred money to other accounts. The victim was a professional with decent tech awareness and still got caught.
SIM swap isn't a new technique, but it remains effective in 2026 because many services still rely on SMS OTP as their primary security. This article covers how the attack works, why it is effective, and practical defense strategies.
What Is a SIM Swap Attack
SIM swap (or SIM hijacking, port-out fraud) is an attack where attackers take over the victim's phone number by deceiving the telco provider. Once it succeeds, all SMS and calls intended for that number go to the attacker's SIM.
Because many services use SMS OTP as 2FA, attackers controlling the number have access to:
- Mobile banking (BCA, Mandiri, BRI, etc.)
- E-wallets (GoPay, OVO, DANA, ShopeePay)
- Crypto exchanges
- Email accounts (if using SMS recovery)
- Social media (if using SMS 2FA)
Damage potential: catastrophic. Many victims lose savings in less than an hour.
How the Attack Works in Detail
Phase 1: Reconnaissance
Attackers collect information about the target. Sources:
- Public data leaks (many Indonesian data leaks: BPJS 2021, Tokopedia, etc.)
- Social media: public phone numbers, personal info (date of birth, address)
- Earlier phishing to get provider verification info
- Insider info from corrupt telco employees
Target: high-value individuals. Attackers prefer those with many accounts, crypto holders, and business owners.
Phase 2: Social Engineering the Provider
The attacker calls or visits an operator outlet (Telkomsel, XL, Indosat, etc.) and claims:
- "My SIM is broken, want to replace"
- "Phone lost, need replacement SIM"
- "Want to transfer number to new card"
They show a fake ID (or a real ID if there's an insider) and answer verification questions with the personal info collected (date of birth, address). If verification passes, the provider issues a new SIM with the target's number.
The target's old SIM dies. The attacker's SIM activates with the target's number.
Phase 3: Account Takeover
After getting a SIM with the target's number, the attacker:
- Logs into services with credentials from earlier phishing (or credential-stuffing with leaked passwords)
- Service sends SMS OTP to target's number (now controlled by attacker)
- Attacker enters OTP, granted access
- Transfers funds, drains accounts, changes passwords
For crypto: transfer directly to the attacker's wallet. For banking: transfer to money laundering accounts (mule accounts).
Phase 4: Cleanup
The attacker drains everything quickly before the target realizes. They set up email forwarding, change passwords, and lock recovery. By the time the target realizes (usually when the phone suddenly has no signal), the money is gone.
Why This Attack Succeeds in Indonesia
1. Provider Verification Not Strict
Some operator outlets can still be fooled with personal info from leaks. Biometric verification is still not mandatory. Some staff are inadequately trained on anti-fraud.
2. Insider Risk
There are reports of telco employees paid by attackers to swap SIMs. For Rp 5-10 million, they're willing. The attackers' rewards (tens of millions to hundreds of millions) are far larger.
3. Weak Regulations
SIM swap fraud penalties in Indonesia are still light compared to the damage caused. Telcos are rarely held financially accountable for failed verification.
4. SMS OTP Dominant
Most Indonesian banks still use SMS OTP as primary 2FA. Authenticator app or hardware key support is limited. The phone number becomes a single point of failure.
Real Reported Cases
- Jakarta Crypto Holder (2024): lost ~$50,000 after an attacker performed a SIM swap and accessed Binance. Recovery took 6 months and was not full.
- Surabaya SME Owner (2024): business BCA account drained of Rp 200 million in 1 hour. The bank gave a partial refund after a 3-month investigation.
- Bandung Influencer (2025): TikTok account hijacked via SIM swap, followed by blackmail to return it. Not recovered because TikTok support was slow.
- Tech Executive (2025): Gmail (recovery via SMS) hijacked, then used to spread phishing from that email to the contact list.
Layered Defense Strategy
Layer 1: Reduce Reliance on SMS OTP
If the service supports it, switch from SMS OTP to:
- Authenticator app (Google Authenticator, Authy, 1Password): codes are generated offline, not sent via SMS. A SIM swap doesn't affect them.
- Hardware key (YubiKey): the ultimate option. Phishing-proof and SIM-swap-proof.
- App-based 2FA: banks with proper apps (BCA Mobile, Jenius) usually use in-app approval, not SMS.
Layer 2: Minimize Number Exposure
- Don't make your phone number public on social media
- Don't use the same phone number for banking and public-facing services. Many people successfully keep 2 numbers: 1 secret number for banking only, 1 for casual use.
- For casual signups (forum, free trial, marketplace), use virtual numbers
Layer 3: Provider-Level Protection
Some operators support "number PIN" or "extra verification" for SIM swap:
- Telkomsel: can request "ID Verification Hold" via MyTelkomsel or outlet
- XL Axiata: optional PIN protection
- Indosat: similar protection available
Visit an outlet and request "set up additional verification for SIM replacement". This makes the replacement process stricter. Worth the friction.
Layer 4: Monitor Warning Signs
- Phone suddenly has no signal in an area with normal coverage: this could indicate the active SIM has been swapped. Don't dismiss it as a network issue.
- Email "new SIM card activated": the telco sends a notification. Don't ignore it.
- Login alerts from services: if you get "Login from new device" emails for logins you didn't make, respond immediately.
Plan if compromised:
- Call the provider from another phone, request an immediate SIM lock
- Call bank, freeze accounts
- Change passwords on all critical services via a secure device
- File police report
- Document timeline for insurance/legal claim
Layer 5: Bank-Side Defense
- Set low daily transfer limits. If an attack succeeds, the damage is capped.
- Enable real-time transaction notifications. Suspicious transfer? Stop it ASAP via a call to the bank.
- Use BCA OneKlik or equivalent: requires device authorization, not just SMS OTP.
- Enable a "money transfer cooling period" if your bank supports it. A new beneficiary needs a 24-hour wait before a large transfer.
If You Are Hit: Recovery Steps
- Lock all accounts within 1 hour: time is critical. Every additional minute means more damage.
- Document everything: screenshots, logs, timestamps. You need these for the police report and insurance claim.
- File a police report: although recovery is slow in Indonesia, the paper trail is important for insurance and legal purposes.
- Contact the bank/exchange immediately: ask to freeze transactions and request a reversal if possible. Banks don't always refund, but quick reporting increases the chance.
- Contact the provider: file a formal complaint. Some victims successfully got compensation from the provider if the verification process appeared negligent.
- Inform contacts: the attacker has likely already used your accounts to phish your contact list. Warn them.
- Reset all passwords from a clean device (uncompromised laptop).
- Set up a hardware key before returning to use the accounts. Don't return to a vulnerable state.
For Developers: Reduce User Risk
If you build apps handling authentication:
- Default to an authenticator app, not SMS OTP. SMS OTP should be a fallback, not the primary factor.
- Support hardware keys (FIDO2) for power users. Few Indonesian apps support them, so this is a differentiator.
- Detect anomalous logins: new location, new device, distant IP geolocation. Respond with step-up authentication.
- Email backup notification for SIM-related actions: if a user changes their phone number or requests SMS recovery, send an immediate email as a dual-channel notification.
- Cooling period for password change + 2FA disable. Attackers who get in usually try to disable 2FA immediately. Add a 24-hour delay so legitimate users have a window to reverse it.
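The step-up, dual-channel notification and cooling-period items above, as an added example in Python (not code from this article's author or from any bank or app it names). The `Account` model, the function names and the factor labels are hypothetical, and the `outbox` list stands in for a real email sender.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COOLING = timedelta(hours=24)   # the 24-hour delay suggested in the list above
SENSITIVE = {"disable_2fa", "change_password", "change_phone"}
STRONG = {"totp", "fido2"}      # factors a SIM swap does not hand to the attacker

@dataclass
class Account:                  # hypothetical model, not a real framework's API
    email: str
    known_devices: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # action -> time it takes effect
    outbox: list = field(default_factory=list)   # stand-in for an email sender

def login_decision(acct, device_id, factor):
    """Return 'allow', 'step_up' or 'deny' for a login that passed the password check."""
    if factor in STRONG:
        acct.known_devices.add(device_id)
        return "allow"
    if factor != "sms_otp":
        return "deny"
    if device_id in acct.known_devices:
        return "allow"
    # SMS OTP from an unseen device is what a swapped SIM produces: alert by
    # email (second channel) and demand a stronger factor.
    acct.outbox.append((acct.email, "SMS login attempt from a new device"))
    return "step_up"

def request_sensitive(acct, action, now):
    """Queue a sensitive change; it takes effect only after the cooling period."""
    if action not in SENSITIVE:
        raise ValueError(f"not a delayed action: {action}")
    acct.pending[action] = now + COOLING
    acct.outbox.append((acct.email, f"{action} requested, cancel within 24h"))
    return acct.pending[action]

def cancel(acct, action):
    """Owner reverses a queued change from the email notification."""
    return acct.pending.pop(action, None) is not None

def apply_due(acct, now):
    """Return (and clear) the queued actions whose cooling period has elapsed."""
    due = sorted(a for a, t in acct.pending.items() if t <= now)
    for a in due:
        del acct.pending[a]
    return due

if __name__ == "__main__":
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)   # constructed sample data
    acct = Account("owner@example.com", known_devices={"phone-A"})
    print(login_decision(acct, "laptop-X", "sms_otp"))
    request_sensitive(acct, "disable_2fa", t0)
    print(apply_due(acct, t0 + timedelta(hours=1)), cancel(acct, "disable_2fa"))
```

The email notice goes to a channel the swapped SIM does not control, which is what gives the real owner a chance to call `cancel` before `apply_due` executes the change.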
Closing
SIM swap isn't a new attack, but in 2026 it is still a major threat in Indonesia due to the gap between security expectations and implementation by telcos/banks. Until the industry catches up, layered defense on the user side is more important.
What you shouldn't do:
- Rely 100% on SMS OTP for important accounts
- Publish your main phone number on social media
- Trust random "telco" calls asking to verify your info
- Use the same phone number for critical banking and casual signups
What you should do: switch to an authenticator app, monitor anomalies, set up layered defense, and plan your response if compromised. A one-time half-day investment saves you from a potentially catastrophic loss.