SIM-swap fraud is exploding, siphoning tens of millions from investors’ accounts every year. SMS codes can be stolen the moment your client’s phone number is hijacked. Switching to an authenticator-app second factor (TOTP) inside SideDrawer shuts that door without adding friction. Below is the background, the business case, and a quick “how-to” you can share with every advisor and client.
The $48-Million Wake-Up Call
First, let’s quantify the threat that ordinary investors—and the advisors who guide them—face today.
- $48 million lost in the U.S. last year alone from SIM-swap attacks, according to the FBI.
- In Canada, a Toronto couple saw CA$140,000 vanish overnight after fraudsters swapped their SIM.
- The FCC has now issued mandatory anti-SIM-swap rules for all U.S. carriers, while FINRA warns advisors that a stolen phone number is a direct path into brokerage accounts.
Why it matters to advisors: SIM-swap criminals don’t need to crack passwords—they just wait for the bank, custodian or portal to text a one-time code and then drain the account. If your client’s retirement nest egg is protected only by SMS 2FA, you (and your E&O insurer) are one port-out request away from a nightmare.
SMS Codes vs. Authenticator Apps: Quick Reality Check
Most firms adopted SMS 2FA because it felt “good enough” and was familiar to clients. Today that same familiarity is what crooks exploit: phone numbers are public, port-out requests are simple, and phishing kits automate OTP theft. Here’s a side-by-side view of why app-based codes have become the new baseline.
| Factor | SMS Code | Authenticator App (TOTP) |
|---|---|---|
| Susceptible to SIM-swap & SS7 attacks | Yes | No (codes generated offline) |
| Code interception by phishing bots | High | Much lower (must steal phone and unlock app) |
| Works without cell service | No | Yes (Wi-Fi or even offline) |
| Delivery cost (per code) | $0.05–$0.10 SMS fees | $0 (app is free) |
| User setup effort | None | Scan QR once (≈30 sec) |
Encouraging your clients to move from texts to an authenticator reduces fraud risk and cuts telecom costs—without adding user friction after the first setup scan. Bottom line: authenticator apps close the SIM-swap loophole, cost less, and are no harder to use once installed.
How SideDrawer Lets You Lean In—Gently
Technology should never force an ‘all-or-nothing’ gamble with client comfort. SideDrawer’s MFA framework lets you prefer stronger factors without springing surprises on long-time users. Below is the exact flow.
- Offer a Choice at On-Boarding: New invitees see “Use an Authenticator App” alongside SMS. A 30-second QR scan in Google or Microsoft Authenticator completes enrollment.
- Set Recommended Security Levels: Under My Account → Security Settings you can flag authenticator 2FA as “Preferred.” Users who opt for SMS still pass, but the UI nudges them to upgrade.
- Switching Later? Contact Support: For clients already on SMS, a quick email or chat to SideDrawer Support triggers a secure MFA-reset workflow. Support will walk them through scanning a new QR code—no downtime, no lost access.
- Three-Layer Protection: Even if a password leaks, attackers still face authenticator MFA, drawer-level permissions, and record-level permissions. One weak factor can’t topple all three.
How SideDrawer Makes 2FA Easy
SideDrawer already supports both SMS and authenticator-based 2FA, so you can prefer the stronger method without forcing a hard cut-over.
1. Choose Authenticator at Sign-Up
When a new user accepts an invitation, they can select “I’d rather use OTP Authenticator App” and scan the QR code—done in 30 seconds.
2. Adjustable Security Levels
Advisors (or firm admins) can require MFA every login, only on risky logins, or—least safe—skip it. It can be adjusted later by users within My Account → Security Settings. Recommend the top level of security for anyone accessing client records.
3. Authenticator vs. SMS—Visible to the User
The login screen clearly tells users whether the 6-digit code is coming from SMS or their authenticator app, reinforcing the habit.
4. Lost Phone? Quick MFA Reset
If a client changes handsets or phone numbers, support can reset the MFA binding in under an hour during business hours.
5. Three-Layer Access Control
Even if an attacker guessed a password, they’d still need:
- Platform login + MFA,
- Permission to the specific SideDrawer,
- Permission to the exact Record inside.
The authenticator sits at layer 1, stopping most threats at the gate.
Talking Points for Advisors
- “Text messages are no longer safe.” Share the FBI statistic and the SEC hack example—clients relate to headlines.
- “The fix is free.” Any iOS or Android phone can run Microsoft or Google Authenticator. No tokens or extra hardware.
- “SideDrawer is already set up for this.” They scan a QR code once; after that it’s quicker than waiting for a text.
- “Your compliance team will love it.” MFA every login + audit trails in SideDrawer satisfy regulators and cut E&O exposure.
- “If you lose your phone, we can reset you fast.” Removes the ‘what-if-I-change-phones’ objection.
Help-Center links to share with clients:
- Logging into SideDrawer – step-by-step with screenshots (QR code, authenticator vs. SMS)
- Starting a SideDrawer Account – invitation flow and MFA choice
- Account Settings: Security – how to change or enforce MFA
Action Plan
- Turn on “Every Login” MFA in My Account → Security Settings and require authenticator apps.
- Email your client list with the help-center links above.
- Schedule 10-minute check-ins with high-net-worth clients to switch them over—position it as an estate-protection move.
- Update onboarding templates so new clients default to authenticator-based MFA.
- Stay vigilant: follow FCC rule updates and industry alerts on SIM-swap tactics.
Your clients trust you to safeguard their life’s work. Moving them from SMS codes to authenticator-based MFA inside SideDrawer is the fastest, cheapest way to eliminate one of today’s biggest fraud vectors—before it hits the headlines with their name in it. Ready to upgrade? Mark ‘Authenticator App’ as preferred in Security Settings and copy-paste the Help-Center links above into a client email. Support is on standby for any SMS-to-app migrations.