At eleven o'clock on a Wednesday night, the owner of a small building supplies business in Sligo noticed something strange. His phone had dropped to no signal. He assumed it was a network outage, put the phone on charge, and went to bed. By seven the next morning, €23,000 had been transferred out of the business bank account in three separate transactions. The phone had not been stolen. Nobody had broken into the office. The attacker had never needed to go anywhere near the building.
What happened to this Sligo business owner is called a SIM swap attack, and it is one of the most effective methods criminals currently use to bypass the security controls that most Irish businesses believe are protecting them.
WHAT: How SIM Swapping Works
Your mobile phone number is, in many ways, a master key. Banks use it to send one-time passcodes. Business email accounts use it for two-factor authentication. Accounting software, payroll systems, and cloud storage all tie security verification to a phone number. That is the problem.
A SIM swap attack begins not with your phone, but with your personal information. An attacker gathers details about you — your name, date of birth, address, and the last few digits of your IBAN — from sources that may include data breaches, social media profiles, phishing emails you received months ago, or information available through public records. With enough detail, the attacker contacts your mobile network provider, claims to be you, and requests that your number be transferred to a new SIM card that they control.
Mobile networks have processes to verify identity for SIM transfers, but those processes can be manipulated through social engineering. An attacker who has done their homework can often provide enough correct personal details to satisfy a customer service representative. Once the transfer is approved, your phone loses signal — exactly what the Sligo business owner experienced — and the attacker's phone starts receiving every text message and authentication code sent to your number.
From that point, the attacker has a window of several hours, typically overnight, before you notice the loss of signal and contact your carrier to reverse it. In those hours, they can trigger password resets on your email account, your banking app, and any other service tied to your phone number. Each reset sends a code to your number — which they now control — and within minutes, they are inside your accounts.[^2]
WHAT NOW: The Controls That Actually Stop This
The most important thing to understand is that SMS-based two-factor authentication — the system where a code is texted to your phone — does not protect you against SIM swapping. If an attacker controls your number, they receive the code. SMS 2FA is significantly better than no two-factor authentication, but it is not the highest level of protection available.
The NCSC Ireland recommends authenticator apps and hardware security tokens as stronger alternatives to SMS-based verification.[^1] An authenticator app — such as Microsoft Authenticator or Google Authenticator — generates a time-based code on the device itself. It does not use your phone number and is not affected by a SIM swap. Even if your number is hijacked, the attacker cannot generate the correct code from the app. For high-value accounts like business banking and payroll systems, a hardware token — a small physical device that generates codes — provides the strongest available protection.
Contact your mobile carrier and ask about additional SIM transfer protections. Most Irish carriers can add a PIN or verbal password requirement to your account that must be provided before any SIM transfer is approved. This single step significantly raises the bar for an attacker. Some carriers also offer port freeze options that prevent number porting without in-branch verification. Call your provider, explain that you want to protect your number from unauthorised SIM swaps, and ask what protections they can apply to your account.
Monitor your accounts proactively. Set up notifications for all bank transfers, including low-value ones. If your business bank account supports real-time alerts by email — not just by SMS — enable them. An alert arriving in your inbox while your phone is hijacked may be your only early warning that something is happening.
WHY IT MATTERS: The Regulatory and Business Context
An Garda Síochána has recorded a significant increase in SIM swap fraud cases targeting Irish businesses over the past two years, with the Garda National Cyber Crime Bureau issuing warnings to business owners about the risk.[^2] The attacks often happen overnight or at weekends, specifically because that is when businesses are least likely to notice and react quickly.
The financial exposure is real and often not fully covered by insurance. Many cyber insurance policies exclude fraud losses unless specific controls — such as multi-factor authentication on financial accounts — are in place and documented. A business that was using SMS-based 2FA, or no 2FA at all, may find that a claim is disputed. The Data Protection Commission is also relevant here: if the SIM swap results in a breach of customer or employee personal data, the business has a legal obligation to assess whether it must notify the DPC within 72 hours.[^3]
The broader issue is that SIM swapping exploits a weakness in authentication infrastructure that most Irish business owners have never had to think about. The assumption that a text message is a secure second factor is understandable — it is how banks and technology companies have presented it for years. But the threat has evolved, and the controls need to evolve with it.
WHAT NEXT: Three Steps to Reduce Your Exposure
First, audit every account that uses your mobile number for authentication. Start with your business bank accounts, then email, then cloud services. For each one, check whether an authenticator app is available as an alternative to SMS. Where it is, switch to it. This takes fifteen minutes per account and eliminates SIM swapping as a viable attack vector for that service.
Second, add a SIM lock to your mobile account. Call your carrier today and ask them to add a verbal PIN or account password that must be provided before any SIM transfer is processed. This is free and takes one phone call. The Sligo business owner whose story opens this post had no such protection on his account. His carrier processed the SIM transfer because the attacker provided his name, address, and date of birth — none of which is difficult to find.
Third, talk to your bank about what happens if your mobile number is hijacked. Ask specifically whether your account has daily transfer limits, whether large transfers require additional verification beyond an SMS code, and whether you can whitelist specific payees. Many Irish banks have fraud response teams available outside business hours — find out the direct number and save it somewhere that is not your phone.
SIM swapping is not sophisticated. It works because most businesses have not hardened their basic authentication.
The €23,000 taken from the Sligo business was partially recovered — after months of engagement with the bank, the Garda, and the carrier. Not all victims are that fortunate. The attack itself took less than two hours from SIM transfer to funds gone. The protection that would have stopped it takes less than an afternoon to put in place.
[^1]: NCSC Ireland: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána: https://www.garda.ie/en/crime/cyber-crime/
[^3]: DPC: https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.