How Banks Handle SIM Swap Fraud Claims

A SIM swap is a carrier-side failure that becomes a bank-side problem. The attacker steals your phone number, intercepts one-time codes, resets passwords, and then drains accounts.

When you file a claim, your bank isn’t just looking at “money missing.” They’re trying to classify the event into a bucket that determines whether you get refunded.

This guide explains:

• What banks actually do when you report SIM-swap-related fraud
• What evidence makes them treat your case as “unauthorized” (good) vs “authorized” (bad)
• How to phrase your claim (without sounding like you’re guessing)
• How timelines work for investigations, provisional credits, and written decisions
• How to escalate if you’re stonewalled

(Rules vary by country, product, and account type. But the process patterns are consistent.)

If this is happening right now: go read Think It’s a SIM Swap? Do This in the First 60 Minutes first (then come back here). If you’re still diagnosing, start with How to Know You’ve Been SIM Swapped (And What to Check First).

Banks typically decide between two narratives.

1) “Unauthorized Account Takeover” (What You Want)

A fraudster got access and initiated transfers without your actual authority. Under U.S. Regulation E, an “unauthorized EFT” is a transfer initiated by someone else without authority and where you received no benefit, and CFPB guidance makes clear that fraudsters using stolen access info can still produce unauthorized EFTs under Regulation E.

 (Consumer Financial Protection Bureau, 2021)

SIM swap cases often fit here because you didn’t authorize the attacker to log in, reset credentials, or transfer funds.

2) “Authorized Transaction / Scam” (What Banks Sometimes Try To Call It)

This is the “you personally approved it” bucket (for example, you sent the wire, you approved the Zelle, you read a code to someone). Banks and payment firms often deny or partially reimburse here depending on product and jurisdiction.

Your job is to keep your case out of Bucket #2 unless it truly belongs there.

When you report it, banks generally run a process like this.

Step A: Intake + Containment (Same Day)

They:

• open a fraud case
• lock online banking / reset credentials
• freeze cards or issue replacements
• add notes like “account takeover suspected”
• may restrict outgoing transfers temporarily

What you want: a case number + the name of the team handling it.

Step B: “Funds Recovery Attempt” (Hours To Days)

Depending on the rail:

• debit card: chargeback / network dispute
• ACH: return attempt (time-sensitive)
• P2P (bank app): internal investigation + network notifications
• wire: recall request (often low success, but worth doing immediately)

Step C: Investigation + Classification (Days To Weeks)

They check signals like:

• new device login / new IP
• password reset timestamps
• MFA method used (SMS vs app vs push)
• changes to contact info
• unusual payees / new beneficiaries
• behavioral anomalies (new device + large transfers + new payees is a classic ATO pattern)

Step D: Dispute Clock (Country-Specific)

U.S. (debit/ACH/P2P from a deposit account): Regulation E’s error-resolution rules apply, including investigation timelines, the option to require written confirmation within 10 business days, and the conditions for provisional credit when the bank extends the investigation window. (Consumer Financial Protection Bureau, n.d.)

U.S. (credit card): the FTC’s FCBA dispute guidance includes the familiar 60-day mailing window, plus issuer acknowledgment and resolution timelines. (Federal Trade Commission, n.d.)

Step E: Outcome Letter + (Sometimes) A Fight

If they deny, you can usually:

• request the documents they relied on (Reg E provides for explanations and documentation rights in the error-resolution process) (Consumer Financial Protection Bureau, n.d.)
• appeal / escalate to executive resolutions
• file regulator or ombudsman complaints

These are the biggest “claim outcome levers” across banks.

Things That Help You Get Reimbursed

• you reported quickly (hours or days, not weeks)
• you can show SIM swap timing (carrier case number + timestamp)
• the transfers clearly look like account takeover, not you sending money
• you provide a clean timeline and evidence packet
• you file disputes through the right channel (fraud/unauthorized transfer / billing error), not just a generic complaint

Things That Hurt You (Even If You’re A Victim)

• delayed reporting (days to weeks to months)
• saying “I got scammed” without emphasizing account takeover
• confusing or inconsistent statements (banks use this to classify as “authorized”)
• no documentation and no follow-up in writing

1) Build A One-Page Timeline (Your “Case Backbone”)

Copy/paste and fill this in:

• [Date/Time] Phone lost service / “SOS only” / “No SIM”
• [Date/Time] Carrier confirmed SIM change / port-out / eSIM activation
• [Date/Time] First suspicious bank alert / login notification
• [Date/Time] Unauthorized transfers initiated (list amounts + rails)
• [Date/Time] You contacted bank fraud dept (case #)
• [Date/Time] You contacted carrier (ticket #)
• [Date/Time] You regained number (if applicable)

This matters because banks make decisions from timelines.

2) Use The Right Words When You Report It

On the phone and in writing, say:

• “This is an account takeover caused by a SIM swap.”
• “I did not authorize these transfers.”
• “Please treat this as an unauthorized electronic fund transfer / billing error (as applicable), and open a formal dispute.”

Why this wording matters: CFPB’s Regulation E FAQs address unauthorized EFTs even when access info was obtained through fraud or the consumer was fraudulently induced into sharing access details. (Consumer Financial Protection Bureau, 2021)

3) Ask For Specific Actions (Don’t Just “Report Fraud”)

Use a checklist tone:

• “Lock online banking, reset credentials, and disable SMS codes.”
• “Freeze outgoing transfers until new credentials are issued.”
• “Open a fraud case and give me a case number.”
• “Initiate recall/return/dispute for each transaction by rail.”
• “Confirm whether I will receive provisional credit if the investigation takes longer than the initial window.”

Under Regulation E, banks generally must investigate promptly and determine whether an error occurred within 10 business days (with defined extension and provisional credit mechanics if they need more time). (Consumer Financial Protection Bureau, n.d.)

4) Follow Up In Writing Within 24 Hours

Even if you called first, send written confirmation.

Regulation E allows a bank to require written confirmation within 10 business days after an oral notice, and the bank must provide the address where it must be sent. (Consumer Financial Protection Bureau, n.d.)

What to send:

• a short letter/email (template below)
• your timeline
• evidence packet (screenshots + PDFs)

5) Provide Carrier Proof That A SIM Swap Happened

Banks love third-party corroboration. Ask your carrier for:

• the timestamp of the SIM change/port-out/eSIM activation
• the method (store visit, online, call center)
• the ticket number and notes (even a brief written confirmation helps)

If you want a deeper read on carrier controls, a port-out lock is one of the simplest “deadbolt” features to understand and verify.

Regulation E Basics (Debit/ACH/P2P Tied To A Deposit Account)

Regulation E sets the investigation process and, importantly, CFPB clarifies that many fraud-driven transfers are still “unauthorized EFTs” under Regulation E even when fraudsters got access through deception. (Consumer Financial Protection Bureau, 2021)

Also, Regulation E commentary makes clear that consumer negligence is not the basis for imposing greater liability than Regulation E permits. (Consumer Financial Protection Bureau, 2021)

Credit Cards (FCBA Dispute Process)

The FTC explains the FCBA dispute pattern in plain language: send a dispute letter so it reaches the issuer within 60 days after the first bill with the error, and issuers must acknowledge disputes within 30 days and resolve within 90 days. (Federal Trade Commission, n.d.)

UK: APP Fraud Reimbursement Rules

The UK’s Payment Systems Regulator says that from 7 October 2024, you can generally expect reimbursement within 5 business days of making your claim, firms can “stop the clock” while gathering information, but must arrive at an outcome within 35 business days, and the maximum claim amount under the regime is £85,000. (Payment Systems Regulator, n.d.)

EU: PSD2 (Unauthorized Payment Transactions)

PSD2 includes a rule that in the case of an unauthorised payment transaction, the payer’s payment service provider refunds immediately and no later than by the end of the following business day after noting or being notified of the transaction (with a fraud-suspicion exception). (European Parliament & Council of the European Union, 2015)

“Hi, I’m reporting an account takeover caused by a SIM swap. My phone lost service at [time/date], and my carrier confirmed an unauthorized SIM change/port-out/eSIM activation at [time/date] (carrier ticket/case #: [####]). After that, unauthorized transactions occurred on my account: [list]. I did not authorize these transfers and did not receive any benefit from them. I need you to: (1) lock online banking, (2) disable SMS-based verification, (3) open a fraud case and give me a case number, and (4) start the dispute process for each transaction by rail.”

Then ask:

• “What is my case number?”
• “What’s the best email/postal address for a written notice of error / dispute letter?”
• “Will you require written confirmation within 10 business days?”
• “When should I expect provisional credit if the investigation isn’t complete in the initial window?”

(Consumer Financial Protection Bureau, n.d.)

Subject: Unauthorized transfers due to SIM swap (account takeover), request for investigation and reimbursement

Hello,

On [date/time], my phone unexpectedly lost service. My mobile carrier [carrier name] confirmed an unauthorized SIM change/port-out/eSIM activation on [date/time] (carrier ticket/case #: [####]).

After I lost control of my phone number, unauthorized activity occurred on my bank account:

• [date/time] – $X – [transaction type: debit/ACH/P2P/etc] – [merchant/payee]
• [date/time] – $Y – [transaction type] – [merchant/payee]

I did not authorize these transactions and received no benefit from them. This appears to be an account takeover facilitated by a SIM swap.

Please:

1. investigate these as unauthorized transactions / errors,
2. reimburse the unauthorized amounts as applicable,
3. provide my case number and written confirmation that this dispute is open, and
4. provide a written explanation and supporting documents if you determine no error occurred.

Thank you, [Name] [Account last 4] [Phone] [Best contact email]

Evidence Checklist That Moves The Needle

Attach as PDF screenshots or a single zipped folder.

Carrier Evidence

• ticket number + timestamp of SIM change/port-out/eSIM
• screenshot of “no service / SOS only”
• support chat transcript (if you have it)

Bank Evidence

• fraud alert emails/SMS (screenshots)
• transaction list with times + amounts
• “new device login” or password-reset emails (if applicable)

Identity Theft Reporting (U.S.)

In the U.S., you can report identity theft at IdentityTheft.gov, which the FTC describes as the federal government’s one-stop resource to report and recover from identity theft. (Federal Trade Commission, 2018)

The Most Common Denial Reasons (And How To Respond)

“But The One-Time Passcode Was Used.”

Your response: “Yes, because the attacker stole my number via SIM swap. SMS codes show the attacker had control of my phone number, not that I authorized the transfer.”

Then attach carrier proof + timeline.

“You Shared A Code / You Were Tricked.”

If the bank is dealing with EFTs from a deposit account, CFPB’s Regulation E FAQs address scenarios where consumers are fraudulently induced into sharing access information and the resulting EFT can still be considered unauthorized. (Consumer Financial Protection Bureau, 2021)

“We Can’t Refund Zelle/P2P.”

Push back gently and keep it factual:

“I’m disputing this as account takeover / unauthorized transfer, not a scam I willingly sent. Please document that distinction in the case file.”

Escalation Ladder (When The Bank Drags Its Feet Or Denies)

1) Ask For The Written Determination + Documents

If they deny, request the written explanation and the documents they relied on. (Consumer Financial Protection Bureau, n.d.)

2) File A CFPB Complaint (U.S.)

If you’re dealing with a U.S. financial product, you can submit a complaint to the CFPB for review and routing to the company. (Consumer Financial Protection Bureau, 2025)

3) File With The Correct Regulator (U.S.)

• national banks: OCC complaint portal (HelpWithMyBank). (Office of the Comptroller of the Currency, n.d.)
• credit unions: NCUA Consumer Assistance Center complaint process. (National Credit Union Administration, 2025)
• FDIC-insured banks: FDIC consumer complaint process. (Federal Deposit Insurance Corporation, 2025)

4) UK: Financial Ombudsman Service

If you’re in the UK and the firm’s final response isn’t acceptable, the Ombudsman is a major escalation path. (Payment Systems Regulator, n.d.)

What If You Can’t Get Reimbursed?

Sometimes reimbursement fails because:

• it was a wire (hard to reverse)
• it was crypto (often irreversible)
• it was classified as “authorized” and your jurisdiction/product doesn’t protect that scenario

If that happens, still document everything, still escalate if the facts support account takeover, and tighten prevention so it never happens again.

Start here:

• How To Stop SIM Swap Fraud In 2025
• Secure Cell Phone Service: How Your Carrier Can Make or Break Your Security
• How to Choose a Secure Cell Phone Service: 12 Questions to Ask Any Carrier

FAQ

How Long Can A Bank Take To Investigate (U.S. Debit/ACH Disputes)?

Regulation E’s error-resolution rule describes the 10 business day determination window and the conditions for extending the investigation period (including provisional credit requirements). (Consumer Financial Protection Bureau, n.d.)

Can The Bank Require Me To Put It In Writing?

They may require written confirmation within 10 business days of an oral notice and must provide the address where it must be sent. (Consumer Financial Protection Bureau, n.d.)

Does “I Was Negligent” Destroy My Claim?

CFPB’s Regulation E FAQs state that consumer negligence cannot be used to impose greater liability than Regulation E allows, and liability depends on timing and conditions rather than negligence labels. (Consumer Financial Protection Bureau, 2021)