In a SIM-swapping attack, the attacker convinces the mobile carrier to transfer the victim’s phone number to a new SIM card under the attacker’s control. The attacker then receives SMS-based one-time passwords and can bypass two-factor authentication. SIM swapping is particularly dangerous for bank accounts and email services. You should avoid SMS as a second factor and use TOTP apps or hardware tokens instead. In an ISMS, SIM swapping is categorised as a social-engineering threat and is addressed in awareness training.