
The MSP Security Gap
They called the carrier. The code went to them.
The scenario:
The CFO’s phone stopped working at 2pm on a Wednesday. No signal. No calls. No texts.
By 2:15pm, the attacker had received the MFA codes to the CFO’s bank account, email, and cloud storage. They hadn’t hacked anything. They’d called the mobile carrier, convinced the support agent they were the CFO, and transferred the number to a new SIM.
The attack:
STAGE 1: RECONNAISSANCE
Attacker gathers personal information about the CFO from LinkedIn, Companies House, and data broker sites.
Collects: full name, date of birth, home address, mobile number, and email.
This information is sufficient to pass most carrier identity verification checks.
STAGE 2: SIM SWAP
Attacker calls the mobile carrier’s customer support line.
Claims to be the CFO. Says they’ve lost their phone and need the number transferred to a new SIM.
Passes security questions using publicly available information.
Carrier transfers the CFO’s number to the attacker’s SIM card.
CFO’s phone immediately loses signal.
STAGE 3: MFA BYPASS
Attacker triggers password resets on the CFO’s email, banking, and cloud accounts.
SMS-based MFA codes are sent to the CFO’s number, which now rings on the attacker’s SIM.
Attacker resets passwords on 4 accounts within 12 minutes.
Full access to corporate email, online banking, and cloud storage.
STAGE 4: FINANCIAL THEFT
Initiates a six-figure wire transfer from the company’s business account.
Uses email access to delete the bank’s confirmation email.
Downloads sensitive documents from cloud storage.
Attack discovered when the CFO visits a phone shop to report their "faulty" phone.
What stopped it:
The bank flagged the wire transfer as unusual (new recipient, high value) and placed a temporary hold. The CFO discovered the SIM swap at the phone shop and contacted the bank before the hold expired.
How to defend against it:
Never use SMS for MFA on high-value accounts (use authenticator apps or hardware keys)
Set a PIN or passphrase with the mobile carrier to prevent unauthorised SIM changes
Enable SIM lock features where available
Register for carrier account alerts (notification if number is ported)
Use app-based MFA (Microsoft Authenticator, Google Authenticator) as the primary method
Implement number porting protection with the carrier
Educate executives: their personal information is the attack surface
-
The attacker didn’t need a zero-day exploit. They needed a convincing phone call and 10 minutes of publicly available information.
Check which of your accounts still use SMS for MFA.