So I was the Victim of a SIM-Swap Attack
On Tuesday, the 14th of October 2025, around 1 pm, I received a phone call from my friend asking why I needed R3,000 and if it was urgent.
Confused for a bit, I realised it was a scam. I had received the same message from an old classmate of mine the previous Sunday morning.
I quickly told her to block and report the number, while I hung up and tried to fix the issue. When I checked my WhatsApp to see what was wrong, I realised that I was logged out.
Here came the tricky part: the number I was using for WhatsApp was my old SIM card, which I had obtained in South Africa while at university. At this point, I had been out of the country for 6 months and had not migrated WhatsApp to my new local number.
So when I got logged out, I had no access to log back in. The attacker now had access to the contacts in many WhatsApp groups I had been in and was targeting South African and international numbers.
I suspect the attacker cloned my SIM card and sent the OTP to his phone directly. This is the only way that they could have gained access to my account. Later, this was confirmed by the MTN fraud help line, which informed me that a SIM swap had happened earlier that morning.
The problems in mitigating this attack were:
I had no access to the phone number when the attack occurred, and so, I could not get a new OTP to try to stop the attackers from doing damage. Even if I had access to my phone number, I would still need to go to an MTN store and have them sort this whole situation out before I could get my account back.
I did not have access to all the contacts in the groups that the attacker had access to. I rarely save people's contacts unless they're a family member or a close friend. This meant I could not warn as many people as I could.
WhatsApp has no way to temporarily block an account if it is hacked. This is for good reason: someone might cheat the system and block unsuspecting people. Even if they allowed temporary blocking, I try to put as little information as possible into anything owned by Meta, and so such a blocking feature would be useless if they had asked for proof of account ownership.
Lessons Learnt
OTP is very insecure. I mean, this is conventional knowledge and nothing new. OTPs are susceptible to SIM-swap attacks, scammers asking for the OTP directly, and call-forwarding attacks. People should always use 2-factor authentication. This sounds like basic cybersecurity advice, but look at me, I work in tech, and this still happened to me.
My friend sent R600 to the attacker, and this was a classic example of a social engineering attack. When a friend or a family member asks for money, you usually do not bat an eye and just send it to them. In this case, always call the person just to confirm. Tell them you will not send the money unless you hear their voice, if you have to.
When you get hacked, the one thing you should do is communicate with your friends and family through other communication channels. Warning people, then actively trying to mitigate the attack, would have been a better use of my time than trying to mitigate it and then warn people.
You should always update your security information as soon as it is changed. When your email address or phone number changes, you should update all the services and platforms associated with it.
WhatsApp and MTN should have better policies in place to temporarily block accounts and SIM cards if they suspect someone has taken over an account. Meta has not responded to the emails I've sent them to block the account. The report feature on WhatsApp has not done much since the account was still active a day after mass reporting. MTN's solution of going to your nearest MTN store was a bit lackluster. I would have preferred an immediate action to at least suspend the account.
Bigger Implications
Many of the financial transactions that occur in Africa are done through mobile money. This is the case with Zimbabwe (Ecocash and InnBucks) as well as in places like Kenya. Mobile money providers usually only require OTP for verification, and these platforms seem ripe for such attacks.
Mobile money platforms usually serve low-income, unbanked individuals. Having the most vulnerable members of our society be susceptible to such an attack is devastating. Every dollar, rand, pula, and kwacha counts, and being a victim of such an attack could take away everything someone has.
Cybersecurity researchers and mobile money providers should investigate and find ways to mitigate such attacks. Some telecom companies have a distributed network of agents who provide services such as SIM card registration, and these individuals are the weak points in this system. Attackers could directly target them with phishing or social engineering attacks and gain access to the telecom company's system.
Sidenote: I tried activating 2-factor authentication on my new number on WhatsApp, and it keeps saying that 2-factor authentication cannot be registered at this point. This was frustrating because even if someone was security-oriented, this could have stopped them from doing 2-factor altogether, and they would have just used the app as is.