By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Prove IdentityPublished July 15, 2025

TL;DR: Recycled phone numbers let fraudsters inherit dormant account links, bypass SMS OTP recovery, and impersonate prior owners, according to Prove Identity. The core issue is not the number itself but the trust model that treats tenure as proof of current ownership, which breaks once reissuance occurs.


At a glance

What this is: This is a fraud analysis of recycled phone numbers and how they let attackers exploit stale phone-based identity signals to take over accounts.

Why it matters: It matters because many IAM and customer identity programmes still treat phone numbers as durable authenticators, even though reissuance can turn a once-legitimate signal into an access path for fraud.

By the numbers:

👉 Read Prove Identity's analysis of recycled phone number fraud and identity risk


Context

Recycled phone numbers are a phone-centric identity problem, not just a fraud nuisance. Once a number is reissued, legacy accounts, password recovery flows, and contact-based trust signals can remain tied to the old owner, which creates a gap between current control and assumed ownership.

For identity teams, the issue sits at the intersection of fraud controls, account recovery, and customer authentication. If an organisation still treats phone tenure as evidence of trust, it is relying on a signal that can outlive the relationship it was meant to prove.


Key questions

Q: How should organisations handle recycled phone numbers in account recovery flows?

A: Organisations should treat recycled numbers as untrusted recovery channels unless the current SIM or subscriber identity is re-verified. SMS delivery alone does not prove ownership. For high-risk accounts, require a stronger factor before reset or step-up access, and remove any recovery path that depends only on number possession. That is the safest way to prevent accidental takeover when a number changes hands.

Q: Why do recycled phone numbers create identity verification risk?

A: A recycled number can still look valid in a CRM even after it has been reassigned to a different consumer. That creates a trust problem because the data may confirm a route to contact, but not the current owner. Identity teams should treat phone numbers as mutable evidence and re-check them before using them for recovery or authentication.

Q: What do security teams get wrong about using phone numbers as identity factors?

A: They often confuse possession of a number with durable identity assurance. In reality, numbers change hands, move between SIMs, and get reassigned by operators. If the application does not re-check the number’s current SIM context, the factor can authorize a different person than the one originally verified.

Q: Who is accountable when recycled numbers lead to account takeover?

A: Account owners, IAM teams and product teams are jointly accountable because the failure sits in recovery design and lifecycle governance. If a system keeps accepting a reassigned number after ownership has changed, the organisation has not revoked an obsolete trust path. That is a governance failure, not just a user error.


Technical breakdown

Why recycled numbers break phone-based authentication

Phone-based authentication assumes a stable relationship between the subscriber and the number. Recycled numbers break that assumption because the number can be reassigned while dormant account links, SMS recovery paths, and cached identity records remain intact. That means the number still looks familiar to systems that score tenure or prior use, even though the current holder is a different person. The risk is highest where SMS OTP or phone reset flows override stronger checks, because reissue turns a historical signal into a live access path.

Practical implication: stop using number age or prior association as a proxy for current ownership.

How fraudsters use recycled numbers in account takeover

Attackers do not need advanced exploitation when identity recovery is weak. They can acquire a recycled number, trigger password resets, and receive the OTP meant for the previous owner. From there, account takeover can include password changes, contact updates, transaction abuse, and follow-on social engineering. The technique is effective because the attacker inherits trust already embedded in the number, including any forgotten MFA enrolments or stale profile data linked to that phone identity.

Practical implication: treat phone-based recovery as a high-risk control path, not a default recovery method.

What real-time phone ownership verification changes

Real-time ownership verification checks whether the current user of the number is the legitimate owner at the moment of authentication, not whether the number has a respectable history. That is materially different from static verification, which often measures tenure or reputation without confirming control. Pairing ownership verification with reputation analysis and risk tables gives identity teams a more current view of whether the phone signal is safe to trust. In this model, the decision is based on present control, not inherited history.

Practical implication: add live ownership checks wherever phone numbers influence onboarding, recovery, or step-up authentication.


Threat narrative

Attacker objective: The attacker wants to inherit trust tied to a recycled number so they can take over accounts and commit fraud under a legitimate-looking identity.

  1. Entry occurs when a fraudster acquires a recycled phone number that still has dormant account links and recovery paths attached to the previous owner.
  2. Escalation occurs when the attacker initiates password reset flows or other phone-based recovery steps and receives the OTP intended for the original subscriber.
  3. Impact follows when the attacker changes credentials, updates contact data, takes over accounts, and uses the recovered identity for fraud or social engineering.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Phone tenure is a trust assumption built for continuity, not reassignment. Legacy identity programmes often treat a phone number as a durable proxy for the person who once controlled it. That assumption fails the moment the number is recycled, because historical reputation does not prove current ownership. The implication is that phone-based identity must be evaluated as a mutable credential path, not a stable authenticator.

Recycled number fraud exposes a lifecycle gap, not just a verification gap. The issue is not only whether a number can be checked at onboarding, but whether the organisation can recognise when the control relationship has changed. If recovery channels remain live after reassignment, the security model has no offboarding concept for the number itself. Practitioners should treat phone identity lifecycle as a governed asset, not a one-time check.

Phone recovery paths create disproportionate blast radius in consumer IAM. When SMS OTP or call-back recovery sits above other factors, a recycled number can become a direct route into password reset, account change, and transaction abuse. That makes the recovery plane a high-value target because it bypasses normal user friction. Teams should assume the recovery path will be attacked first, not last.

Risk scoring based on history alone is insufficient once control can change overnight. A number can look reputable because it has tenure, previous usage, and legitimate past association, yet still be unsafe for the current transaction. That is why static scoring models need current-control validation to remain meaningful. The practitioner conclusion is simple: reputation without ownership confirmation is a false comfort.

Identity programmes need a named concept for this failure mode: recycled number trust debt. This is the accumulated risk created when organisations keep relying on a phone number after its ownership has changed. The debt compounds across recovery, fraud detection, and customer support because each layer inherits the same stale assumption. Practitioners should audit where that debt has been allowed to persist and where it most directly affects account access.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For the lifecycle angle, review NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that map to this type of trust drift.

What this signals

Recycled number trust debt: phone-based identity programmes accumulate hidden risk whenever a number is treated as durable after reassignment. Teams should expect more fraud attempts to target recovery paths, because those flows often retain the weakest validation and the highest privilege.

The practical shift is toward lifecycle-aware identity controls that verify current control, not historical association. That means bringing recovery, support tooling, and fraud review into the same governance conversation instead of treating them as separate problems.

For broader identity context, the same pattern appears in NHI governance when long-lived credentials outlive their original trust relationship. See the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10 for how stale trust becomes an access problem.


For practitioners

  • Remove phone tenure from trust decisions Stop treating the age or historical use of a number as evidence of current ownership. Use it only as a weak risk signal, and require live ownership validation before a phone number can drive authentication or recovery decisions.
  • Harden SMS recovery paths Reclassify SMS OTP and phone-based password reset as high-risk flows, especially where they can override other factors. Add step-up checks when a number is newly seen, recently recycled, or associated with suspicious reputation signals.
  • Track number lifecycle changes Build controls that identify when a phone number is reassigned, not just when it is first enrolled. That includes monitoring for stale account links, dormant MFA enrolments, and unreviewed recovery options tied to recycled numbers.
  • Correlate phone reputation with ownership evidence Use reputation analysis, risk tables, and current ownership verification together so a clean history does not automatically clear a transaction. The decision should depend on present control, not a reused trust signal.

Key takeaways

  • Recycled phone numbers undermine the assumption that a familiar number still belongs to the same person.
  • The risk is measurable in account takeover, recovery abuse, and impersonation because SMS-based trust paths can survive reissue.
  • Identity teams need live ownership checks and lifecycle-aware recovery controls, not tenure-based phone verification.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Phone-based trust drift aligns with identity lifecycle and verification weaknesses.
NIST CSF 2.0PR.AA-1Current identity proofing and authentication are central to recycled number risk.
NIST SP 800-53 Rev 5IA-2Authentication strength matters when phone recovery becomes an access path.
NIST Zero Trust (SP 800-207)Zero trust assumes every access request needs current verification.

Review phone-number trust paths against NHI lifecycle controls and remove historical association as a trust factor.


Key terms

  • Recycled Phone Number Fraud: Fraud that exploits the reassignment of previously used phone numbers. A number can still appear reachable and legitimate after ownership changes, allowing attackers to pass SMS-based checks and exploit trust built by the previous owner.
  • Phone Number Trust Debt: Phone number trust debt is the accumulated risk created when organisations keep relying on a number after its ownership has changed. The debt shows up in recovery flows, fraud scoring, and support processes that still assume the historical owner controls the number.
  • Ownership Verification: Ownership verification is the process of confirming that the current user of a phone number is the legitimate controller of that number at the time of authentication. It goes beyond tenure or reputation by checking present control, which is what matters when numbers are reassigned.
  • Phone-Based Recovery: Phone-based recovery is any identity reset or account recovery flow that uses a phone number to send codes, links, or callbacks. It is convenient, but it becomes a high-risk control when the number can be recycled and the recovery path outlives the original trust relationship.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • Prove Identity's breakdown of the phone reputation, ownership, and primary-number signals used to assess recycled-number risk.
  • The article's explanation of how its Trust Score approach combines near-real-time phone activity with device information.
  • Examples of how risk tables are used to flag numbers associated with rented or recycled schemes.
  • The vendor's discussion of longitudinal phone evidence across 12+ years in the U.S. and 50 countries.

👉 Prove Identity's full post covers the attack phases, ownership verification, and the defence model in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org