Most Betting Apps Still Send Your Login Code by SMS, and SIM Swap Fraud Rose 1,055% Last Year

Your phone is not suddenly crapping out, with calls going choppy or data slowing down. It is the other kind of outage. You wake the screen and the carrier name is gone, replaced with “No Service” or “SOS Only,” and nothing you do brings it back.

About twenty minutes later your email locks you out. Then your banking app does the same. And then anything that sends a verification code to your phone number, which is basically every betting site sitting on a funded balance, is suddenly open to whoever just talked your carrier into moving your number onto their SIM card.

That is a SIM swap, and the frightening part is not the technical side, because there really is not one. The attacker rings your mobile provider, gives them enough personal detail to sound like you, says the phone was lost or damaged, and asks for the number to be ported to a new SIM. If the agent on the other end runs the standard verification script and the attacker already has your name and date of birth and address, pulled from a data breach or a social media profile or a criminal marketplace where that stuff sells for almost nothing, the request goes through. Once it does, every SMS meant for you lands on their device instead, including the two-factor codes that most platforms still treat as the wall between your account and someone else’s.

This stopped being small a while ago

The FBI logged 982 SIM swap complaints in 2024, with confirmed losses hitting $26 million, around $26,400 per victim.

That number looks manageable on its own, right up until you realise a SIM swap is almost never the crime itself. It is the doorway to everything after it, the password resets, the account drains, the identity theft chains that stretch across platform after platform once the attacker owns the number. The $26 million is only what the FBI counted as direct SIM swap losses, not the downstream damage those swaps unlocked.

The numbers elsewhere are worse, and more recent:

That Australian detail is the one that should bother you most.

90% of those swaps went through without the victim doing anything at all to trigger it. No dodgy link clicked, no password handed over. 

The swap just cleared on the carrier’s end, and the first sign was the phone going dark.

The eSIM line is the other one most coverage skips. Plenty of people assumed eSIMs would kill SIM swapping off, no physical card to replace, so how would it work. The fraud just moved. eSIM activation through a carrier’s account portal turned out to be easier to social-engineer remotely than walking into a shop with a fake ID ever was, and the UK reports went from 18 to 763 in two years.

Betting accounts hold real cash, and most still lean on SMS

A funded betting account is a financial account in every way that matters. It holds real money you can withdraw, and it sits behind the same SMS verification the FBI says attackers are deliberately going after. Most major platforms still default to SMS for login codes. Some offer authenticator app support but bury it deep enough in the settings that the average user never finds it unless they go digging.

So before you log in and start betting online on any platform, the first thing worth doing, before a single deposit, is checking whether it lets you switch from SMS codes to an authenticator app like Google Authenticator or Authy. If SMS is the only option and there is no alternative, that is worth knowing before your money goes in, because you are trusting a method the entire cybersecurity industry spent the last two years telling people to stop using.

How the attack actually plays out

The sequence is nearly always the same, and it moves fast.

  • Step one, information gathering. The easiest part for the attacker, because so much of your data is already floating around from years of breaches. Name, date of birth, address, phone number, maybe the last four digits of your ID, all of it either sitting on social media or buyable from a criminal data broker for a few dollars. Thomson Reuters made the point that attackers do not need sophisticated tools for this anymore. The data is just out there.
  • Step two, carrier impersonation. This is the bit that actually makes the swap happen. The attacker contacts your mobile provider, pretends to be you, and asks for a number transfer. The FCC was meant to enforce new rules requiring carriers to use stronger verification before processing these requests, with a compliance deadline of July 8, 2024, and then it delayed the rules with no new date announced. That regulatory gap is still wide open, and the fraud rings know it.
  • Step three, account takeover. This follows within minutes. They have your number now, so they go to your email, hit forgot password, and the reset code gets sent to your phone number, which is their phone. They reset the password, and from inside your email they can see every service you are registered with, then run the same play on your banking apps, crypto wallets, betting platforms, anything that trusts SMS as proof of identity.

Norton documented a 2025 case where a Florida woman lost access to her phone in a SIM swap, and within hours the attackers had spent over $17,000 and tried to sell $50,000 in stocks from a brokerage account. The whole chain, swap to drain, can run in under an hour.

What actually works, and what does not

A quick version before the detail: switch to an authenticator app, lock your number at the carrier, and stop letting your phone number reset your email. Here is each one.

  • Switch to an authenticator app, and do it on every account that offers it, betting included, not as an exception. Google Authenticator, Microsoft Authenticator, Authy, any of them. The codes generate on your own device and never travel through SMS, which means a SIM swap hands the attacker nothing. Three minutes per account, and it closes the door most of these attacks walk through.
  • Set a carrier PIN or port-out lock. Ring your provider and ask for it by name. Most carriers will let you add a PIN that has to be given before any SIM change or number transfer goes through. Some US and UK carriers started auto-enabling this for certain customers after the 2024 surge, but most people still have to request it manually.
  • Stop using your phone number for account recovery. If your email resets through your phone number, then a SIM swap hands the attacker your email, and your email is the key to everything sitting behind it.
  • If your phone loses signal for no reason, do not shrug it off as a network blip. Call your carrier from a different phone straight away and ask whether a SIM change just went through. The window between the swap and the attacker using it is usually under an hour, so catching it early is the whole difference between a quick password reset and an actual financial loss.

What does not protect you is a strong password on its own. SIM swap attacks step around passwords completely, because the attacker just resets them through the SMS channel. The password stops mattering the second the reset mechanism behind it is compromised.

Sources: FBI Internet Crime Complaint Center 2024 Report, Cifas 2025 Fraudscape Report, IDCARE 2024 Analysis, Thomson Reuters Institute, Norton 2026 Coverage, Keepnet Labs, FCC Order FCC 23-95, US PIRG Education Fund.

Mike Miller, a cybersecurity and AI expert with over 10 years of experience in the field. I have a proven track record of helping companies strengthen their security posture by identifying and addressing vulnerabilities in their networks and systems. I have a deep understanding of AI and its applications. Part time writing at Mobilemall Blog.