Fraud that exploits the reassignment of previously used phone numbers. A number can still appear reachable and legitimate after ownership changes, allowing attackers to pass SMS-based checks and exploit trust built by the previous owner.
Expanded Definition
Recycled phone number fraud occurs when a mobile number is reassigned by a carrier but still carries residual trust from its previous use. The risk is not the number itself, but the assumptions systems and people continue to make about it. In identity workflows, a recycled number can still receive one-time codes, pass callback checks, or appear to belong to the same user even after ownership has changed.
This matters because phone numbers are often treated as a stable recovery factor, yet the telecom lifecycle is outside the control of the relying organisation. Definitions vary across vendors, but the core issue is consistent: an attacker benefits when a system equates number possession with account continuity. NIST-aligned control thinking places this squarely in authentication and recovery governance, while NIST SP 800-53 Rev 5 Security and Privacy Controls helps frame the broader need for controlled authenticator lifecycle management and verified recovery procedures.
The most common misapplication is treating SMS delivery success as proof of user identity, which occurs when account recovery and step-up authentication rely on a number that has been reassigned.
Examples and Use Cases
Implementing phone-based verification rigorously often introduces user-friction and recovery complexity, requiring organisations to weigh account continuity against the cost of stronger proofing and fallback handling.
- A bank sends password reset codes to a number that a fraudster now controls after the original customer changed carriers or abandoned the line.
- A help desk uses the caller ID associated with an old phone number as a trust signal, even though the number has been reassigned.
- A consumer app allows SMS-based MFA and account recovery without checking whether the number was recently ported, recycled, or inactive.
- An enterprise identity team discovers that a dormant user profile can still be reactivated through a number no longer owned by the employee, creating an account takeover path.
- An NHI control gap appears when a service account recovery contact is a recycled number, echoing the same weak assumption highlighted in the OWASP Non-Human Identity Top 10: contact channels and recovery paths must be governed as security dependencies, not convenience features.
Why It Matters for Security Teams
Security teams need to understand recycled phone number fraud because it converts an ordinary telecom event into an authentication weakness. If SMS is used for account recovery, password resets, or step-up verification, the reassigned number can become a ready-made bypass for identity controls. The failure is often organisational rather than technical: systems assume phone numbers are durable identifiers, while carriers treat them as reusable assets. That mismatch creates avoidable exposure in IAM, fraud prevention, and customer support workflows.
The issue also matters beyond human accounts. Where organisations use SMS or phone-based contacts for administrators, contractors, or service-linked workflows, the same weakness can undermine Non-Human Identity governance by letting outdated contact data support privileged access recovery. Identity teams should treat number reassignment as a lifecycle risk, not an edge case, and align recovery design with stronger verification and risk-based checks. Practitioners often discover the impact only after an account takeover, at which point phone-based assurance has already failed and recovery processes become the attack path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | AAL2 | Digital identity guidance warns against weak recovery factors tied to reused phone numbers. |
| NIST CSF 2.0 | PR.AA-1 | Identity and authentication management covers risks from stale or recycled phone-based factors. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management applies when phone numbers are used as credentials or recovery channels. |
| OWASP Non-Human Identity Top 10 | NHI guidance highlights the need to secure recovery and contact channels tied to identity assets. | |
| NIST Zero Trust (SP 800-207) | Zero trust requires continual verification rather than assuming a phone number proves identity. |
Treat phone numbers as managed authenticators and revalidate them before using them for access.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org