Cyber Coach

Social engineering

Account takeover, SIM swap and OTP phishing

The number jumps to another SIM, bank SMS messages go elsewhere, the email account gets drained. This is the typical sequence.

10 min read · Expert

Red flags to recognize

  • Phone suddenly loses signal and does not recover after reboot
  • You receive password-change or new-device emails you did not request
  • Number-porting notification for a request you never signed
  • Bank app login fails with 'device not recognized'
  • Your carrier activated an eSIM 'at your request', a request you did not make
  • Push 2FA notifications you did not start (push fatigue)
  • A fake bank login page asks for credentials + OTP in real time

What to do now

  • Enable port-out PIN / 'porting lock' with your carrier where available
  • Move 2FA from SMS to an authenticator app or a FIDO2 hardware key
  • Set an additional PIN with the carrier for any SIM/eSIM operation
  • Monitor email access: forwarding rules, last logins, connected apps
  • If you suspect SIM swap: call the carrier immediately from another phone, block the SIM
  • Notify the bank to freeze outbound transfers for 24-48h
  • Generate recovery codes and store them offline (safe or secure drawer)

Real case

SIM swap on a solo professional, Rome 2025

A Rome-based lawyer receives an email from a 'client' asking for a quote and including a scanned ID. The ID is his own, stolen in a prior breach. The criminals had obtained his date of birth, tax code and phone number from a dark-web listing.

The next day the lawyer loses phone service. Within 90 minutes the criminals reset the bank password via SMS, authorise an instant SEPA transfer of 28,000 EUR to a Lithuanian mule and drain the Revolut account. The lawyer notices only when he passes a tobacconist and sees the bank app showing zero.

Mythos rebuilt the timeline: breach correlation, window between line loss and transfer, recipient wallet cluster. The dossier let the prosecutor request a freeze within 24 hours through the Europol AMP network.
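The sequence in this case (line loss, SMS password reset, instant transfer) can be written as a correlation rule that flags sensitive account actions shortly after a SIM change. This is an added example, not code from Cyber Coach or Mythos; the event names, the record layout and the use of the case's 90 minutes as the window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): (ISO timestamp, account, event type, detail)
EVENTS = [
    ("2025-03-10T09:02:00", "acct-A", "sim_change", "eSIM activated"),
    ("2025-03-10T09:31:00", "acct-A", "sms_password_reset", "bank password reset via SMS OTP"),
    ("2025-03-10T10:14:00", "acct-A", "instant_transfer", "28000 EUR to new payee"),
    ("2025-03-10T11:00:00", "acct-B", "instant_transfer", "120 EUR to known payee"),
    ("2025-03-02T08:00:00", "acct-C", "sim_change", "number ported"),
    ("2025-03-09T17:45:00", "acct-C", "sms_password_reset", "bank password reset via SMS OTP"),
]

# Hypothetical event names: actions that rely on control of the phone number or move money.
SENSITIVE = {"sms_password_reset", "instant_transfer", "new_device_login"}
WINDOW = timedelta(minutes=90)  # assumption: taken from the 90-minute span in the case above


def correlate(events, window=WINDOW):
    """Return alerts for sensitive actions occurring within `window` after a SIM change."""
    parsed = sorted(
        (datetime.fromisoformat(ts), acct, kind, detail) for ts, acct, kind, detail in events
    )
    last_sim_change = {}  # account -> time of the most recent SIM/porting event
    alerts = []
    for ts, acct, kind, detail in parsed:
        if kind == "sim_change":
            last_sim_change[acct] = ts
            continue
        changed = last_sim_change.get(acct)
        if kind in SENSITIVE and changed is not None and ts - changed <= window:
            minutes = int((ts - changed).total_seconds() // 60)
            alerts.append({"account": acct, "event": kind, "detail": detail,
                           "minutes_after_sim_change": minutes})
    return alerts


def accounts_to_freeze(alerts):
    """Accounts where a transfer followed a SIM change inside the window."""
    return sorted({a["account"] for a in alerts if a["event"] == "instant_transfer"})


if __name__ == "__main__":
    found = correlate(EVENTS)
    for alert in found:
        print(alert)
    print("freeze outbound transfers:", accounts_to_freeze(found))
```

The acct-C password reset is not flagged because it happens a week after the port, outside the window; a bank or carrier applying such a rule would tune the window to its own data.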

What Mythos can do on this case

  • Email/phone cross-check against known breach databases
  • Timeline analysis: porting, bank login, transactions
  • SEPA transfer tracing and correlation with known mule clusters
  • Email log analysis for forwarding rules and suspicious access
  • Dossier for Europol/AMP freeze requests

Next steps