Because they attack the delivery channel, not just the password. If an attacker can redirect SMS or voice OTPs, the code still appears valid while reaching the wrong device. That makes the account look authenticated even though the legitimate user never saw the challenge, which is why channel trust must be evaluated continuously.
Why This Matters for Security Teams
SIM swaps and call forwarding are dangerous because they undermine the trust boundary around authentication recovery and OTP delivery. Once a phone number is ported, duplicated, or silently redirected, SMS and voice challenges can still succeed from the system’s point of view while failing the security team’s actual intent. NIST’s NIST SP 800-53 Rev 5 Security and Privacy Controls emphasizes that authentication mechanisms must be protected as part of the overall control environment, not treated as a standalone step.
This matters most for account recovery, high-value approvals, and privileged access, where a single diverted code can reset passwords, approve payouts, or change MFA settings. The weakness is not the password itself but the assumption that a phone number is a reliable possession factor. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now shows how identity compromise often persists because defenders trust the delivery path for too long, and the same pattern applies to consumer and workforce accounts that still rely on telephony-based recovery. In practice, many security teams discover SIM swap abuse only after the attacker has already taken over the account and changed the recovery settings.
How It Works in Practice
A SIM swap lets an attacker move a victim’s mobile number to a different SIM, while call forwarding reroutes incoming calls to an attacker-controlled destination. Both attacks weaken the “something you have” assumption behind SMS and voice OTPs. The account still receives a valid challenge, but the legitimate user never sees it. That is why channel security and identity assurance have to be evaluated together, not separately.
In operational terms, the takeover often follows a predictable chain:
- the attacker gathers personal data from phishing, breaches, or social media;
- the carrier is persuaded to port the number or enable forwarding;
- OTP messages or voice calls are intercepted in real time;
- the attacker resets the password, disables MFA, or adds a new recovery method.
For defenders, the practical response is to reduce dependence on telephony for step-up authentication and recovery. Prefer phishing-resistant factors, device-bound authentication, and stronger recovery verification. For account monitoring, watch for sudden changes in carrier status, MFA method resets, forwarding configuration changes, and logins from unfamiliar devices immediately after a phone-number event. Where possible, treat number changes as a high-risk signal that triggers reauthentication or temporary account protections. NHIMG’s Top 10 NHI Issues and Ultimate Guide to NHIs — Key Challenges and Risks both reinforce the broader lesson that identity controls fail when trust in the credential delivery path is too implicit. These controls tend to break down when telecom recovery is still treated as a primary trust anchor for privileged or customer-facing accounts because the attacker only needs temporary control of the number, not the password itself.
Common Variations and Edge Cases
Tighter recovery controls often increase friction for legitimate users, requiring organisations to balance account security against support load and user lockout risk. That tradeoff is real, especially in consumer services, telecom-heavy workflows, and environments where SMS remains embedded in legacy onboarding or help-desk procedures. Current guidance suggests that SMS should be a fallback option at best, but there is no universal standard for every business context yet.
Call forwarding is also more subtle than a full SIM swap because it can be enabled without changing the physical device. In some cases, the user may still have service and never notice that calls are being redirected. That makes detection harder and response slower. Organisations should pay attention to carrier account changes, not just login events, and should verify whether help-desk staff can override identity checks through weak recovery scripts.
One useful operational rule is to treat any phone-number-based recovery path as a high-risk exception rather than a normal control. For sensitive accounts, use stronger factors and a separate recovery channel. For broader identity programs, align monitoring with NIST Cybersecurity Framework 2.0 and the account lifecycle emphasis in The 2024 ESG Report: Managing Non-Human Identities, especially where identity events can cascade into broader compromise. The edge case that most often gets missed is when a seemingly minor forwarding change becomes the first step in a broader account recovery abuse path because the organisation never correlates telecom events with authentication risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Phone-number takeover is an authentication assurance problem. |
| NIST SP 800-63 | IAL2 | SIM swaps weaken possession-based assurance and recovery trust. |
| OWASP Non-Human Identity Top 10 | NHI-06 | Credential delivery path compromise mirrors NHI secret exposure risk. |
| NIST AI RMF | Risk governance should cover identity recovery and abuse pathways. | |
| NIST Zero Trust (SP 800-207) | AC-6 | Least privilege reduces damage when one factor or channel is hijacked. |
Document telecom-based takeover risk in your AI and identity governance reviews.
Related resources from NHI Mgmt Group
- Why do passkeys reduce account takeover risk more effectively than OTP?
- Why do SIM swaps create such high fraud risk for banks and consumer apps?
- Why do phone-number based login methods create account takeover risk?
- How should security teams reduce AI-enabled account takeover risk in authentication flows?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org