SIM Swap API

In the digital age, where identity and transactions are increasingly authenticated via mobile phone, protecting the integrity of your customers' SIM cards is essential. Plusmo's SIM Swap API provides real-time identity verification, acting as a protective shield against one of the most sophisticated and difficult-to-detect fraud techniques: SIM Swapping.

What is SIM Swap fraud and why is it a critical threat?

SIM Swapping is a type of social engineering attack in which a criminal manages to convince a mobile phone operator to transfer the victim's phone number to a new SIM card under their control. Once the scammer possesses the number, they can intercept calls, text messages, and, most importantly, the one-time verification codes (OTP) used for two-factor authentication (2FA) on bank accounts, digital wallets, and e-commerce platforms.

This type of fraud is especially dangerous because the attacker already has stolen access credentials (such as username and password) and only needs control of the phone number to take full control of the account.

Inform and verify: Plusmo's SIM Swap API

Our API not only informs you but also directly and instantly verifies the recent history of the SIM card for any mobile phone number.

This real-time verification action is the key to thwarting a SIM Swapping attack right at the moment it is being executed.

What key data does our API provide?

Plusmo's SIM Swap API executes a direct and secure query with mobile operators, providing a concise and decisive response that integrates immediately into your validation flow. The three critical pieces of information you receive are:

  • Inform: Reports whether the SIM card associated with that number has been changed or replaced in the last 90 days. A recent change is a maximum alert signal.

  • Portability: Confirms whether the customer has changed mobile operators (ported) within the same period. While this is a legitimate operation, its combination with other risk factors may indicate suspicious activity.

  • Validity: Verifies whether the queried mobile phone number is valid and active on the network.

*The API provides this information instantly.

How does real-time validation work?

The integration of Plusmo's SIM Swap API is fluid and runs silently on the backend of your application or platform, without creating friction in the legitimate user experience.

Attack and defense scenario:

  • High-risk operation initiation: The scammer successfully logs into the bank's application (e.g., using stolen credentials) and attempts to perform a critical operation such as a bank transfer or a change of access key.

  • Validation activation: The moment the scammer clicks "Confirm," your system triggers a query to the Plusmo SIM Swap API, sending the customer's phone number associated with the account.

  • Query to mobile operators: The API connects with the mobile operators' systems to obtain the latest information on the SIM card history for that number.

  • Instant response: The Plusmo API returns the response. If the response indicates a SIM Swap detected in the last 90 days, the red flag is raised.

  • Fraud denial: Your system, upon receiving the risk signal, denies the operation (even if the scammer tries to enter an intercepted OTP code) and marks it as fraudulent, protecting your customer's funds.

Key benefits of integrating Plusmo

  • Reduction of fraud losses: Minimizes financial losses associated with Account Takeover (ATO) fraud.

  • Improvement of the detection rate: Identifies SIM Swapping attacks that traditional 2FA validations fail to detect.

  • Regulatory compliance: Strengthens your security protocols and compliance with anti-fraud regulations.

  • Better customer experience: Protects your users without introducing cumbersome verification steps or additional CAPTCHAs.

Frequently asked questions

What exactly does the SIM Swap API do?
The API queries the mobile phone operator directly to verify whether the phone number associated with an account has changed SIM cards (SIM Swap) or operators (portability) in the last 90 days. It also verifies that the number is valid and active.

Why 90 days? Is the period configurable?
The 90-day period is the industry standard and the most critical time window for detecting SIM Swap fraud. In most cases, a scammer will try to use the stolen number shortly after obtaining it. This period is not configurable, as it is the information provided by the operators.

Does the API require my customer to install anything or grant any permission?
No. Plusmo's SIM Swap API works at the backend level, querying the phone number information directly with the operators. It is totally invisible to the end user and does not require any action, installation, or additional permission from your customer.

Is it compatible with all mobile operators?
The Plusmo API works with a wide and growing network of mobile operators in various regions around the world. At the time of integration, you will be provided with a detailed list of coverage for your target market.

How does the SIM Swap API differ from traditional 2FA authentication?
Two-factor authentication (2FA) via SMS assumes that only the legitimate customer has control of their mobile phone. However, SIM Swap fraud overrides 2FA, as the scammer intercepts the OTP code. The SIM Swap API acts before the OTP is sent, verifying the integrity of the number to ensure that the device that will receive the code belongs to the legitimate customer.

What happens if the customer legitimately changed their SIM card?
If a customer has reported the loss of their phone and received a legitimate SIM replacement, the API will report it. In this case, the institution may choose to apply a temporary risk policy, such as a lower transfer limit or a 24-hour waiting period for high-risk operations, until the SIM Swap risk period has expired. This balances security and usability.
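
The decision step from the attack and defense scenario, combined with the temporary risk policy for legitimate SIM replacements, as an added example that is not Plusmo's code or API. The SimCheck field names, the decide function and its parameters, and the choice to restrict when a lookup is incomplete are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"        # proceed and send the OTP
    RESTRICT = "restrict"  # temporary policy: lower limit or 24-hour hold
    DENY = "deny"          # block the operation; do not send or accept an OTP


@dataclass(frozen=True)
class SimCheck:
    """Hypothetical result shape; field names are assumptions, not Plusmo's."""
    sim_changed_90d: Optional[bool]  # SIM replaced in the last 90 days
    ported_90d: Optional[bool]       # operator changed in the last 90 days
    number_active: Optional[bool]    # number valid and active on the network


def decide(check: SimCheck, *, high_risk: bool,
           verified_replacement: bool = False,
           other_risk_signals: int = 0) -> tuple[Decision, str]:
    """Map the three signals to an action before any OTP is sent."""
    if not high_risk:
        return Decision.ALLOW, "low-risk operation"
    # Assumption: a failed or uncovered lookup is treated as risky.
    if None in (check.sim_changed_90d, check.ported_90d, check.number_active):
        return Decision.RESTRICT, "lookup incomplete"
    if not check.number_active:
        return Decision.DENY, "number not active"
    if check.sim_changed_90d:
        # A replacement the institution has verified out of band gets the
        # temporary policy instead of an outright denial.
        if verified_replacement:
            return Decision.RESTRICT, "verified SIM replacement inside window"
        return Decision.DENY, "SIM changed inside 90-day window"
    # Porting is legitimate on its own; it only matters with other signals.
    if check.ported_90d and other_risk_signals > 0:
        return Decision.RESTRICT, "recent port plus other risk signals"
    return Decision.ALLOW, "no recent SIM change"


if __name__ == "__main__":
    # Constructed lookups, each evaluated for one high-risk transfer.
    for c in (SimCheck(True, False, True), SimCheck(False, True, True),
              SimCheck(False, False, True)):
        print(c, decide(c, high_risk=True, other_risk_signals=1))
```

Because the decision is made before the OTP step, a DENY holds even if the caller later presents a valid code.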