Subscribe to the Non-Human & AI Identity Journal

Why do SIM swaps and call forwarding increase account takeover risk?

Because they attack the delivery channel, not just the password. If an attacker can redirect SMS or voice OTPs, the code still appears valid while reaching the wrong device. That makes the account look authenticated even though the legitimate user never saw the challenge, which is why channel trust must be evaluated continuously.

Why This Matters for Security Teams

SIM swaps and call forwarding are dangerous because they undermine the trust boundary around authentication recovery and OTP delivery. Once a phone number is ported, duplicated, or silently redirected, SMS and voice challenges can still succeed from the system’s point of view while failing the security team’s actual intent. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls emphasizes that authentication mechanisms must be protected as part of the overall control environment, not treated as a standalone step.

This matters most for account recovery, high-value approvals, and privileged access, where a single diverted code can reset passwords, approve payouts, or change MFA settings. The weakness is not the password itself but the assumption that a phone number is a reliable possession factor. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now shows how identity compromise often persists because defenders trust the delivery path for too long, and the same pattern applies to consumer and workforce accounts that still rely on telephony-based recovery. In practice, many security teams discover SIM swap abuse only after the attacker has already taken over the account and changed the recovery settings.

How It Works in Practice

A SIM swap lets an attacker move a victim’s mobile number to a different SIM, while call forwarding reroutes incoming calls to an attacker-controlled destination. Both attacks weaken the “something you have” assumption behind SMS and voice OTPs. The account still receives a valid challenge, but the legitimate user never sees it. That is why channel security and identity assurance have to be evaluated together, not separately.

In operational terms, the takeover often follows a predictable chain:

  • the attacker gathers personal data from phishing, breaches, or social media;
  • the carrier is persuaded to port the number or enable forwarding;
  • OTP messages or voice calls are intercepted in real time;
  • the attacker resets the password, disables MFA, or adds a new recovery method.

For defenders, the practical response is to reduce dependence on telephony for step-up authentication and recovery. Prefer phishing-resistant factors, device-bound authentication, and stronger recovery verification. For account monitoring, watch for sudden changes in carrier status, MFA method resets, forwarding configuration changes, and logins from unfamiliar devices immediately after a phone-number event. Where possible, treat number changes as a high-risk signal that triggers reauthentication or temporary account protections. NHIMG’s Top 10 NHI Issues and Ultimate Guide to NHIs — Key Challenges and Risks both reinforce the broader lesson that identity controls fail when trust in the credential delivery path is too implicit. These controls tend to break down when telecom recovery is still treated as a primary trust anchor for privileged or customer-facing accounts because the attacker only needs temporary control of the number, not the password itself.

Common Variations and Edge Cases

Tighter recovery controls often increase friction for legitimate users, requiring organisations to balance account security against support load and user lockout risk. That tradeoff is real, especially in consumer services, telecom-heavy workflows, and environments where SMS remains embedded in legacy onboarding or help-desk procedures. Current guidance suggests that SMS should be a fallback option at best, but there is no universal standard for every business context yet.

Call forwarding is also more subtle than a full SIM swap because it can be enabled without changing the physical device. In some cases, the user may still have service and never notice that calls are being redirected. That makes detection harder and response slower. Organisations should pay attention to carrier account changes, not just login events, and should verify whether help-desk staff can override identity checks through weak recovery scripts.

One useful operational rule is to treat any phone-number-based recovery path as a high-risk exception rather than a normal control. For sensitive accounts, use stronger factors and a separate recovery channel. For broader identity programs, align monitoring with NIST Cybersecurity Framework 2.0 and the account lifecycle emphasis in The 2024 ESG Report: Managing Non-Human Identities, especially where identity events can cascade into broader compromise. The edge case that most often gets missed is when a seemingly minor forwarding change becomes the first step in a broader account recovery abuse path because the organisation never correlates telecom events with authentication risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA Phone-number takeover is an authentication assurance problem.
NIST SP 800-63 IAL2 SIM swaps weaken possession-based assurance and recovery trust.
OWASP Non-Human Identity Top 10 NHI-06 Credential delivery path compromise mirrors NHI secret exposure risk.
NIST AI RMF Risk governance should cover identity recovery and abuse pathways.
NIST Zero Trust (SP 800-207) AC-6 Least privilege reduces damage when one factor or channel is hijacked.

Document telecom-based takeover risk in your AI and identity governance reviews.