Telecom Operators & Mobile Users Are Vulnerable to SIM Swapping Attacks

Europol, along with the Spanish and the Romanian national police, has arrested 26 individuals in connection with the theft of over $3.9 million by hijacking people's phone numbers via SIM swapping attacks.

The development comes as SIM swapping attacks are emerging as one of the biggest threats to telecom operators and mobile users alike. The increasingly popular and damaging hack is a clever social engineering trick used by cybercriminals to persuade phone carriers into transferring their victims' cell services to a SIM card under their control.

The SIM swap then grants attackers access to incoming phone calls, text messages, and one-time verification codes that various websites send via SMS messages as part of the two-factor authentication (2FA) process.

As a result, a fraudster can impersonate a victim to an online account provider and request that the service send account password-reset links or authentication codes to the SIM-swapped device controlled by the cybercriminals. The bad actor can then use them to reset the victim account's log-in credentials and access the account without authorization.

Attacks of this kind are successful even if the accounts are secured by SMS-based 2FA, thereby allowing the hackers to carry out data and financial theft by merely stealing the OTP codes sent by the website to the individual's phone number.

In addition to leveraging malicious Trojans to steal victims' banking credentials, the SIM swappers went on to apply for a duplicate SIM card by contacting their mobile service providers and providing fake documents. Upon activation of the duplicate SIMs, the criminals allegedly made fraudulent transfers from the victims' accounts using the authentication codes the banks sent to the phones for confirmation.

Although these kinds of attacks are unlikely to go away any time soon, there are plenty of things consumers can do to keep themselves safe: set up a PIN to limit access to the SIM card, delink phone numbers from online accounts, and use an authenticator app or a security key to secure accounts.
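Why the authenticator-app advice holds up against a SIM swap, as an added example that is not part of the original article: an SMS code follows the phone number to whichever SIM the carrier has active, while an RFC 6238 TOTP code is computed from a secret that stays on the owner's device. The `Carrier` class, SIM names, phone number and SMS text are constructed for illustration.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret, int(now) // step)

def verify_totp(secret: bytes, submitted: str, now: float,
                step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step plus/minus `window` for clock drift."""
    current = int(now) // step
    return any(hmac.compare_digest(hotp(secret, current + d), submitted)
               for d in range(-window, window + 1) if current + d >= 0)

class Carrier:
    """Constructed toy model: each phone number points at one active SIM."""
    def __init__(self):
        self.active_sim, self.inbox = {}, {}

    def provision(self, number: str, sim_id: str) -> None:
        self.active_sim[number] = sim_id      # the newest SIM replaces the old one
        self.inbox.setdefault(sim_id, [])

    def deliver_sms(self, number: str, text: str) -> None:
        self.inbox[self.active_sim[number]].append(text)

def sim_swap_scenario(secret: bytes, now: float) -> dict:
    number = "+10000000000"                      # constructed number
    carrier = Carrier()
    carrier.provision(number, "owner-sim")
    carrier.provision(number, "duplicate-sim")   # number moved to a duplicate SIM
    carrier.deliver_sms(number, "Your code is 123456")  # SMS OTP follows the number
    return {
        "owner_got_sms": bool(carrier.inbox["owner-sim"]),
        "duplicate_got_sms": bool(carrier.inbox["duplicate-sim"]),
        # The TOTP secret never left the owner's authenticator app.
        "owner_totp_accepted": verify_totp(secret, totp(secret, now), now),
    }

if __name__ == "__main__":
    print(sim_swap_scenario(b"12345678901234567890", now=59))  # RFC 6238 test secret
```

After the swap the SMS lands only in the duplicate SIM's inbox, while the TOTP check depends solely on the secret held in the owner's app and on the current time step.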

And, if you suspect you're a victim of SIM swapping, it's recommended that you contact your service provider, monitor your bank accounts for any suspicious transactions, and immediately change your passwords.

Source: The Hacker News