Protecting Yourself from SIM Swapping During Online Dating
By Rohan Kapoor
Cybersecurity Consultant · CISSP, CEH, M.Tech (IIT Delhi)
In February 2025, a 29-year-old software engineer in Pune called me after losing access to her dating app accounts, her email, her UPI wallet, and her work Slack, all within a six-hour window. The attacker had SIM-swapped her number the previous evening. The starting point for the attack was a Hinge match who had been messaging her for three weeks.
SIM swapping is the fastest-growing attack vector I see in my practice right now, and dating apps are one of its most common entry points. The attack works because the Indian telecom and banking infrastructure still treats your phone number as proof of identity, and because dating apps are uniquely effective at getting the initial social-engineering data the attacker needs.
The traditional advice (use an authenticator app, do not share your OTP) is correct but incomplete. The attack has evolved. The defences need to evolve too. I will cover both the well-known protections and the less-known ones that actually matter in 2026.
How a SIM Swap Actually Works in India
Before the defences, the attack. A SIM swap (also called SIM hijacking or SIM porting) is when an attacker convinces your telecom carrier to transfer your phone number to a SIM card that the attacker controls. Once the swap happens, every SMS, every OTP, and every authentication call goes to the attacker instead of you. Your phone shows "no service" because your original SIM is deactivated.
In India, the process works through a combination of social engineering and insider access. The attacker typically visits a telecom carrier store (or calls the customer care line) and requests a SIM replacement for your number, claiming that the original SIM is damaged or lost. To get the replacement, the attacker needs to answer identity verification questions: your name, address, date of birth, parents' names, Aadhaar number, or the last few digits of your last recharge. In many cases, these questions can be answered with information gathered from your social media and dating app profiles.
The 2022 NCRB Crime in India report documented a significant rise in SIM swap complaints filed through cybercrime.gov.in, and the Delhi Police Cyber Cell has flagged dating apps as a primary source of the social engineering data needed for these attacks.
The insider access angle is worse than most users realise. A 2023 investigation by The Wire documented multiple cases of telecom retail employees being bribed to process SIM swap requests without proper verification, with bribes ranging from 5,000 to 50,000 rupees per swap.
A 2024 analysis by security researcher Saket Modi estimated that SIM swap attacks in India had risen roughly fivefold between 2021 and 2024, with losses per victim averaging several lakh rupees when UPI and banking apps were compromised.
Why Dating App Users Are Particularly Exposed
Dating apps are an ideal reconnaissance surface for SIM swap attackers. Here is why, specifically.
First, dating profiles contain exactly the kind of biographical data that telecom verification questions rely on. Your first name, approximate age, city, school, and employer are usually visible or inferable. With this data and a few rounds of chat, an attacker can collect enough to answer most verification questions.
Second, dating apps are a social context in which asking personal questions feels natural. A stranger asking "where did you grow up?" on LinkedIn would feel invasive. On Hinge or Bumble, it is normal conversation. Attackers exploit this by building a few weeks of rapport and gradually extracting identifiable details.
Third, dating apps often require phone number verification at sign-up, so the attacker knows the target has their number linked to the app.
Fourth, dating app users are often emotionally invested by the time the attacker asks sensitive questions, which reduces normal skepticism.
I handled a case in 2024 where the attacker had messaged the victim for over a month before asking questions that turned out to be verification data. The victim had no reason to suspect the questions because the rest of the conversation was normal and the attacker was patient.
The Attack Chain
Once the SIM swap succeeds, the attack proceeds very quickly. The attacker has a narrow window before the victim notices the loss of service.
First, the attacker resets passwords on the victim's email account using SMS-based recovery. Email is the master credential for most other accounts.
Second, with email access, the attacker resets passwords on banking apps, UPI wallets, dating apps, and social media.
Third, the attacker transfers money out of any accessible UPI or bank accounts, which is fast because UPI transfers are instant.
Fourth, the attacker uses dating app access to message the victim's matches and ask for money or intimate content under the pretext of an emergency, extending the attack to secondary victims.
Fifth, the attacker exfiltrates sensitive data before the victim regains control.
The entire chain typically completes within two to six hours. In the Pune case I mentioned at the start, the total loss was around 8 lakh rupees from UPI transfers, plus the compromised accounts and the damage to the victim's dating app contacts.
What Actually Stops SIM Swap Attacks
The defences fall into three categories: reducing the information available to attackers, hardening the telecom side, and making your accounts resilient to SMS compromise.
Reduce Information Exposure
Your dating profile should not contain information that could answer telecom verification questions. This means no employer name, no school name, no specific neighbourhood, no parents' names, no date of birth beyond the age required, and absolutely no Aadhaar information.
Your bio and photos should not identify your exact workplace or home area. A photo in front of a recognisable office building is as good as a text caption for an attacker. A photo with your ID card visible is a catastrophic mistake I have seen more than once.
Be cautious about biographical questions during chat, especially early. "Which school did you go to?", "where did you grow up?", "what is your mother's maiden name?", and "when is your birthday?" match the exact pattern of telecom verification questions.
Finally, audit your social media for the same data points. Facebook and Instagram profiles often contain more identifying information than dating profiles, and attackers will cross-reference them.
Harden the Telecom Side
Call your telecom carrier and ask about SIM swap protection features. Jio, Airtel, and Vi all offer some form of additional verification for SIM replacement, though the features are not well publicised. Specifically ask for:
A "SIM lock" or "port lock" feature that requires additional verification (biometric, in-person, or a supplementary PIN) before any SIM replacement or porting request is processed. Airtel calls this feature "SIM Lock" and it requires in-person verification at a physical store with Aadhaar biometric authentication. Jio has a similar feature called "SIM Security". Activating this significantly raises the bar for attackers.
Register your complaint preference with the carrier so that any SIM swap or port request triggers a call to an alternative number (such as a partner's or parent's number) for confirmation. Not all carriers support this, but it is worth asking.
Ask specifically what verification questions the carrier uses for SIM replacement and ensure that the answers cannot be found on your public social media or dating profiles. If your verification answers are "mother's maiden name" and your mother is tagged in your Facebook profile, you have a structural problem.
Make Accounts SMS-Resistant
The single most important technical change is to move away from SMS-based two-factor authentication for any account that supports alternatives. SMS 2FA is the weakest link because it relies on your phone number being secure, which SIM swap breaks.
Use an authenticator app (Google Authenticator, Authy, or Raivo) for 2FA on every account that supports it. For email, use app-based 2FA. For banking apps, enable any biometric or app-based verification the bank offers in preference to SMS OTP. For dating apps, set up 2FA using an authenticator app if supported.
For high-value accounts (primary email, banking), consider a hardware security key like YubiKey. Hardware keys are not vulnerable to SIM swap because authentication requires physical possession of the key, not access to your SMS. YubiKey and similar devices are available in India for around 4,000 to 6,000 rupees per key.
Set up account recovery on your primary email using a backup email address, not a phone number. If the recovery mechanism is SMS, SIM swap defeats the entire 2FA setup regardless of how strong the primary 2FA is.
Bruce Schneier has written extensively about this. In a 2023 essay he noted, "SMS two-factor authentication is the worst form of two-factor except for no two-factor at all. It is still better than a password alone, but the moment you move to any alternative, you should." This is the right mental model. Do not use SMS 2FA by choice. Use it only when no alternative exists, and move away as soon as one becomes available.
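The recovery-path point above can be checked against your own account inventory. The following Python is an added example, not part of the original article: it computes which accounts fall once an attacker controls the phone number, following the email-first attack chain described earlier. The account names, the inventories, and the simplification that an email reset yields only the password are assumptions.

```python
from dataclasses import dataclass, field

# Second factors that give no protection once the number is lost.
WEAK_FACTORS = {"sms", "none"}

@dataclass
class Account:
    name: str
    second_factor: str                            # "sms", "totp", "hardware_key" or "none"
    recovery: list = field(default_factory=list)  # "sms" or "email:<account name>"

def falls(account, owned):
    """True if an attacker holding the number and the `owned` accounts can take this one."""
    for channel in account.recovery:
        if channel == "sms":
            return True  # SMS recovery defeats the 2FA setup, however strong
        if channel.startswith("email:") and channel[len("email:"):] in owned:
            # Model assumption: an email reset yields the password only,
            # so a TOTP or hardware-key second factor still blocks the login.
            if account.second_factor in WEAK_FACTORS:
                return True
    return False

def sim_swap_blast_radius(accounts):
    """Fixed-point search: keep adding accounts until no new one falls."""
    owned = set()
    changed = True
    while changed:
        changed = False
        for acct in accounts:
            if acct.name not in owned and falls(acct, owned):
                owned.add(acct.name)
                changed = True
    return owned

# Constructed inventories (hypothetical account names).
BEFORE = [
    Account("bank_upi", "sms", ["email:primary_email"]),
    Account("dating_app", "none", ["email:primary_email"]),
    Account("cloud_photos", "totp", ["sms"]),             # strong 2FA, SMS recovery
    Account("work_chat", "totp", ["email:primary_email"]),
    Account("primary_email", "sms", ["sms"]),
]
AFTER = [
    Account("backup_email", "totp", []),
    Account("primary_email", "hardware_key", ["email:backup_email"]),
    Account("bank_upi", "totp", ["email:primary_email"]),
    Account("dating_app", "totp", ["email:primary_email"]),
]
print(sorted(sim_swap_blast_radius(BEFORE)), sorted(sim_swap_blast_radius(AFTER)))
```

In the constructed "before" inventory, `cloud_photos` falls despite app-based 2FA because its recovery channel is SMS, while `work_chat` survives because its second factor does not depend on the number.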
The threat model here is not theoretical for Indian users:
What to Do If You Think You Are Being Targeted
If you notice any of these warning signs in a dating app conversation, treat them seriously.
One, the match asks biographical questions that match telecom verification patterns (mother's name, school, date of birth, childhood address) within the first few weeks.
Two, the match asks for your full phone number early in the conversation, before you have decided to move off the app.
Three, the match asks about your bank or UPI provider, your employer's full name, or your Aadhaar details in any context.
Four, you notice unusual login attempts on your email or banking accounts after messaging a new match.
If you suspect targeting, do not confront the match directly. Take these actions instead. Screenshot the conversation. Stop sharing additional information. File a preemptive complaint at cybercrime.gov.in describing the pattern and include the screenshots. Enable SIM lock with your telecom carrier. Move your 2FA from SMS to an authenticator app on every account.
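The warning signs above can be turned into a simple screening pass over an exported conversation. This Python is an added example, not part of the original article; the regexes, the 21-day reading of "first few weeks", the two-category threshold, and the sample conversations are all assumptions constructed for illustration.

```python
import re
from datetime import date

# Regexes are illustrative assumptions modelled on the warning signs above.
EARLY = {  # signs one and two: suspicious when asked in the first few weeks
    "mother_name": r"\bmother'?s\b.*\bname\b",
    "school": r"\bwhich school\b",
    "date_of_birth": r"\b(birthday|date of birth)\b",
    "childhood_address": r"\b(grow up|grew up)\b",
    "phone_number": r"\b(phone|mobile) number\b",
}
ANYTIME = {  # sign three: suspicious in any context
    "bank_upi": r"\b(upi|which bank)\b",
    "employer_full_name": r"\bfull name of your (company|employer)\b",
    "aadhaar": r"\baadhaa?r\b",
}

def screen_match(messages, window_days=21, threshold=2):
    """messages: (date, sender, text) tuples; sender is "me" or "match"."""
    start = min(day for day, _, _ in messages)
    early, anytime = set(), set()
    for day, sender, text in messages:
        if sender != "match":
            continue  # only the other party's questions count
        anytime |= {n for n, rx in ANYTIME.items() if re.search(rx, text, re.I)}
        if (day - start).days <= window_days:
            early |= {n for n, rx in EARLY.items() if re.search(rx, text, re.I)}
    flagged = bool(anytime) or len(early) >= threshold
    return {"early": early, "anytime": anytime, "flagged": flagged}

# Constructed sample conversations.
SUSPICIOUS = [
    (date(2025, 1, 5), "match", "Hey! Loved your hiking photos."),
    (date(2025, 1, 9), "match", "Where did you grow up?"),
    (date(2025, 1, 12), "me", "Which school did you go to?"),
    (date(2025, 1, 14), "match", "When is your birthday? I want to plan something."),
    (date(2025, 1, 20), "match", "What is your mother's maiden name? Mine is funny."),
]
BENIGN = [
    (date(2025, 1, 5), "match", "Hi, how was your weekend?"),
    (date(2025, 1, 8), "match", "Where did you grow up?"),
    (date(2025, 3, 1), "match", "When is your birthday?"),  # asked after the window
]
LATE_AADHAAR = [
    (date(2025, 1, 5), "match", "Hi there!"),
    (date(2025, 4, 2), "match", "Can you send your Aadhaar card photo for the booking?"),
]
```

A single biographical question inside the window does not flag a conversation; the flag comes from several verification-style categories accumulating early, or from any bank, employer-name or Aadhaar request at any point.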
If the Attack Happens
If your phone suddenly shows no service and you suspect a SIM swap, act within minutes. Every delay makes the damage worse.
First, call your telecom carrier from a different phone (borrow one if you need to) and report the suspected SIM swap. Ask them to immediately freeze any further changes to your number.
Second, call your bank's 24/7 fraud line and freeze all cards, UPI, and net banking access. Speed matters here because UPI transfers cannot be reversed once completed.
Third, from a clean device, log into your primary email and change the password, then enable app-based 2FA immediately.
Fourth, file a cybercrime complaint at cybercrime.gov.in and in parallel lodge an FIR at your local police station. The cybercrime portal coordinates with banks and telecoms for faster response on recent incidents.
Fifth, notify any family or close contacts that your number may have been compromised and that messages claiming to be from you in an emergency should be verified through a voice call or video call before any money is sent.
What Hidnn Does Differently
Hidnn does not require phone number authentication as a primary login method, which removes the SIM swap vector entirely for app access itself. For users who do link a phone number, 2FA is app-based rather than SMS-based by default. This is a deliberate privacy-by-design choice. When your phone number is not a single point of failure, SIM swap becomes much less valuable for attackers. This does not eliminate the broader SIM swap risk to your other accounts, but it means that Hidnn itself is not the weak link.
Do This Now: Five-Step Hardening Checklist
First, audit your dating profile and remove any biographical details that match telecom verification questions.
Second, enable SIM lock with your telecom carrier (call customer care or visit a store).
Third, move all your 2FA from SMS to an authenticator app (Google Authenticator, Authy, or Raivo).
Fourth, buy a YubiKey for your primary email and banking accounts.
Fifth, set up account recovery using a backup email, not a phone number.
FAQs
How common are SIM swap attacks on dating app users in India? SIM swap attacks in India have risen roughly fivefold between 2021 and 2024 according to independent analysis, and dating apps are one of the primary reconnaissance sources for the social engineering data attackers need. The NCRB Crime in India reports have specifically flagged rising SIM-related cybercrime complaints, and Delhi Police Cyber Cell has identified dating apps as a recurring entry point in case files.
Can a SIM lock feature from my telecom carrier fully prevent a SIM swap? SIM lock significantly raises the bar for attackers because it typically requires in-person biometric verification for any SIM replacement. However, no defence is absolute. Insider access at telecom stores has been documented in multiple cases, so SIM lock is a layer of protection rather than a guarantee. Combine SIM lock with authenticator-app 2FA for a more robust overall defence.
What should I do if a dating app match is asking questions that match verification patterns? Stop sharing information, screenshot the conversation, and file a preemptive complaint at cybercrime.gov.in with the screenshots attached. Do not confront the match directly, as this may cause them to accelerate the attack. Enable SIM lock with your carrier and move your 2FA to an authenticator app immediately.
Is app-based 2FA safe against SIM swap attacks? Yes, app-based 2FA (using Google Authenticator, Authy, Raivo, or similar) is not vulnerable to SIM swap because the one-time codes are generated on your device rather than sent over SMS. As long as the device itself is secure, the attacker cannot access the codes even with control of your phone number. This is the single most important technical change you can make.
If I have already been SIM swapped, can I recover the money stolen from my UPI account? Recovery is possible but time-sensitive. Report to your bank's fraud line within a few hours, file a cybercrime complaint at cybercrime.gov.in, and lodge an FIR at your local police station. RBI rules provide some protection for reported unauthorised transactions, but the success rate depends on how quickly the transactions can be traced and frozen. Speed is the most important factor.