A Sim card is, effectively, a portable identity token. Once compromised, it gives attackers a backdoor into bank accounts, digital wallets, investment apps and high-risk transactional environments. Sim-swap fraud, identity impersonation and large-scale Sim-farm operations are no longer fringe problems; they are industrialised criminal enterprises.
The Communications Risk Information Centre 2025 Telecommunications Sector Report found that telecoms fraud, including Sim-swap, subscription and identity fraud, cost South Africa around R5.3-billion in 2024. That figure reflects a broader truth: every Sim-based attack is an identity-based attack, and every identity-based breach cascades directly into AML (anti-money laundering), fraud and financial crime risk.
The Sim card’s central role in identity verification (IDV) makes it an attractive target for sophisticated cyber and financial criminals. From Sim-swap scams to plunder victims’ bank accounts to widespread identity impersonation campaigns, Sim-related crime continues to proliferate in South Africa and the rest of the world.
Sim crime is no longer a side issue sitting at the edges of the financial system. It has become a central threat to identity integrity itself and therefore to the foundations of digital banking, payments, fintech and regulatory compliance. And criminals understand this better than anyone.
Sim cards have emerged as a vulnerability because we use them not only to access telecoms services, but also to authenticate ourselves to digital banking platforms and a range of other online services. Sim swaps remain one of the most dangerous cybercrimes that South Africans face.
This is when a criminal convinces your mobile network to transfer your phone number to a new Sim card in their possession, which they usually achieve using personal information stolen in a phishing attack or purchased on the dark web. This allows a criminal to intercept your calls and texts (including OTPs), so they can access your online accounts.
Rica failure
Under the Regulation of Interception of Communications and Provision of Communication Related Information Act (Rica), networks must register all Sim cards with users’ ID numbers and proof of address. But given how often South Africans swap out Sims and the free availability of Rica-authorised Sims at repair shops and informal trading shops, Rica has not stopped Sim-related crime.
Combatting Sim-related crimes has become even harder with the advent of Sim farms, which are often cross-border operations run at massive scale. A Sim farm is a device that can house many Sim cards, effectively allowing criminals to industrialise identity impersonation campaigns behind prepaid or stolen Sims.
Read: Biometrics take centre stage in fight against Sim-swap fraud
Each illegal Sim in circulation accounts for a counterfeit identity, opening risks for organisations and end users. Businesses are especially susceptible to slip-ups using SMS-based OTPs for multi-factor authentication (MFA), with criminals using swapped Sims to steal user data and funds through various apps.
What’s more, banks are spending tens of millions of rand annually on pricey SMS OTPs, managing the related false positives and failed deliveries, and dealing with know your customer (KYC) re-verification following Sim swaps. SMS-based MFA is simply not enough to outsmart identity thieves. In fact, the industry’s dependency on SMS-based MFA has created a false sense of security. While OTPs play an important role, they are far too vulnerable to stand alone.
- While advanced deepfake attacks can bypass weaker biometric systems, strong smartphone security, like FaceID, makes it much harder for criminals to access a device or account, because the system checks that a real, live face matches. AI-based IDV can detect even sophisticated lighting or textual nuances to catch manipulated images, too.
- Companies can use behavioural intelligence, based on digital data such as identities, transactional histories and typical online behaviours, to build a profile of end users that criminals will find hard to replicate.
- Push notification MFA can approve an action through a pre-registered device or app, without hinging on a vulnerable SMS network.
- Other apps such as Google Authenticator or tools such as hardware keys are not affiliated with phone numbers and are less prone to Sim attacks.
Modern identity verification needs to be layered, risk-based and adaptive. These technologies exist. The problem is not capability. It’s coordination.
2FA and SMS OTPs are the backbone of digital authentication, but they’re also a flaw in the financial ecosystem’s armour against financial crime. Siloed KYC and IDV operations are a major reason for the vulnerability. When a Sim swap occurs, criminals can instantly access messaging platforms, impersonate victims and solicit money from their contacts – making unified data intelligence essential. To seal the widening fraud gap, telcos, banks, insurers, regulators, government and social media operators such as WhatsApp must work together.
Telecoms operators know when Sim swaps occur. Banks know when high-risk transactions spike. Regulators see emerging patterns first. But these signals remain unshared or shared too slowly to matter.
Compliance ecosystem
All accountable institutions should form a proactive compliance ecosystem that catches threats before they proliferate. This depends on cross-sector collaboration and strengthened frameworks for KYC and AML compliance, despite variations in data privacy standards and rules.
Using technology to facilitate IDV is an obvious starting point for sharing data about suspect users and transactions between mobile networks, financial institutions, regulators and prosecutors. With users vetted instantly, customers can be onboarded fast and authorities can deal with any alerts. However, IDV is only one piece of the puzzle. Continuous monitoring of customer behaviour and transactions is needed to detect emerging risks, speed up investigations and maintain full auditability.
Public education is also key. Users need to be educated about Sim crime, their role in safeguarding their identities and how to get help from service providers. Better education and leadership stems from compliant businesses and builds a greater network to combat Sim fraud.
Read: BIN scans, DDoS and the next cybercrime wave hitting South Africa’s banks
A Sim compromise is never just a telecoms incident. It’s an AML incident. It’s a fraud incident. It’s a financial crime incident. Every weak link – every unverified identity, every siloed database, every unreported Sim swap – gives criminals a foothold. To reclaim identity integrity, the ecosystem must move as one.
Get breaking news from TechCentral on WhatsApp. Sign up here.
