When "Authorized" Doesn't Mean Authorized: What an eSIM Cloning Case Reveals About Wire Fraud Liability
A retired Bank of America and Merrill Lynch client recently went public on LinkedIn with a dispute that's becoming more common as banking moves further onto mobile devices: he says his eSIM was cloned, fraudsters used the resulting access to push thousands of dollars out of his home equity line of credit into accounts authorities have linked to scam and money-laundering activity, and the bank denied his fraud claim on the grounds that the transactions were completed from a device consistent with his prior account activity. According to his account, that's also the same device he says was compromised through the cloned eSIM in the first place. He says he's escalated the matter through bank executives, his financial advisor, local detectives, his state bureau of investigation, his state's Department of Justice, and the Consumer Financial Protection Bureau, and that without further review he could end up repaying a fraudulent balance for the next decade.
Whatever the eventual outcome of his specific claim, the dispute he describes lands squarely on top of two trends converging right now: the rapid growth of SIM-swap-style fraud targeting eSIMs specifically, and an unresolved legal fight over which federal consumer-protection law, if any, actually covers a fraudulent wire transfer.
The Authentication Problem at the Center of the Dispute
The bank's stated reasoning, that the transfers came from a device "consistent with prior account activity," reflects a standard piece of fraud-detection logic: a transaction from a device, IP address, or location the account has used before looks safer than one from somewhere new. The flaw is that this logic assumes the device's identity and the account holder's identity are the same thing. Once a phone number has been ported onto a SIM or eSIM the attacker controls, the attacker can often complete that authentication step from what looks, technically, like the customer's own established device or number, because in a meaningful sense it temporarily is. Security researchers tracking the rise of SIM-swap fraud have noted this pattern directly, observing that once an account is accessed through a newly registered eSIM, the resulting transactions can flow through banking apps as if nothing were wrong, often before any anomaly-detection system flags a problem. An authentication signal designed to catch unfamiliar access can be neutralized precisely when the underlying credential, the phone number, has itself been hijacked.
eSIM swapping is also not really a distinct vulnerability from traditional SIM swapping; it's the same attack, social engineering a carrier into reassigning a phone number, adapted to a newer technology. The supposed security advantage of an eSIM, that there's no physical card to steal or clone, doesn't address the actual weak point, which sits with the carrier's identity-verification process rather than the SIM hardware itself. If anything, some researchers argue eSIM has made the attack faster, since reassigning a number can now happen through a remote profile transfer in minutes rather than requiring an in-person SIM swap.
A Murkier Legal Landscape Than Most Consumers Expect
What makes cases like this one especially difficult to resolve is that wire transfers sit in a different, and considerably less consumer-friendly, legal category than the debit-card or ACH fraud most people think of when they hear "unauthorized transaction." Card and ACH fraud are generally governed by the Electronic Fund Transfer Act and its implementing rule, Regulation E, which puts the burden on the bank once a consumer reports an unauthorized transfer and limits consumer liability. Wire transfers, by contrast, have long been treated by banks, federal regulators, and most courts as falling under Article 4A of the Uniform Commercial Code instead, a framework built primarily for business-to-business payments. Under Article 4A, a bank can generally avoid reimbursing a customer for an unauthorized wire if it used a security procedure both parties agreed to and that procedure is judged "commercially reasonable," shifting much of the risk onto the customer rather than the institution.
That distinction is currently being tested in court. A New York Attorney General lawsuit against Citibank argues that consumer wire transfers, increasingly initiated through ordinary banking apps rather than in a branch, should fall under the EFTA's stronger consumer protections rather than Article 4A's bank-favorable framework. A federal judge allowed that theory to proceed in early 2025, and the case is now before the Second Circuit, with oral argument held this April. If the appeals court sides with the New York Attorney General, banks could face strict reimbursement timelines and a much higher bar for denying wire-fraud claims industry-wide; if it doesn't, the long-standing practice of evaluating consumer wire fraud claims under Article 4A's "commercially reasonable procedure" standard, the same kind of standard implicit in a bank's argument that a transaction matched prior device activity, will remain intact. Either way, the outcome will shape how denials like the one described in this case get evaluated going forward.
The Scale Behind One Story
Individual disputes like this one are easy to dismiss as anecdotal, but the underlying fraud pattern is well documented at scale. The FBI's Internet Crime Complaint Center recorded tens of millions of dollars in reported SIM-swap losses in a recent single year, with an average loss per victim in the tens of thousands of dollars, and fraud-intelligence firms tracking the issue describe a fairly consistent playbook: gain control of the phone number, use it to defeat SMS-based verification, then move money quickly through banking apps into accounts designed to be hard to trace or claw back. That last step, money landing in accounts linked to broader scam or laundering networks, matches what's described in this case and is a recurring feature of these schemes generally, since funds parked briefly in a mule account and then dispersed are far harder to recover than a transaction reversed within minutes.
What It Points To
Cases like this illustrate a gap that sits between three parties, none of which is fully equipped to close it alone. Carriers' identity-verification processes for porting a number remain a weak point that port-out PINs and number locks only partly address, since they depend on customers proactively enabling them. Banks' fraud models often still weight device and location familiarity heavily, a signal that becomes actively misleading once the underlying phone number itself, rather than merely a set of credentials, has been compromised. And the legal framework determining who absorbs the loss when those first two layers fail is, as of this year, still being actively litigated rather than settled. Until that's resolved, and until banks adapt fraud detection to account for the fact that "the same device as always" can mean something very different after a SIM swap than it did before one, individual customers are likely to keep finding themselves exactly where this case describes: caught in the gap between a security procedure that worked exactly as designed and a fraud that happened anyway.
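As an added example (not from the original article or from any bank's system), the Python below compares a score that rewards device familiarity with one that withholds that credit after a recent SIM/eSIM change, the weakness described in the authentication section and the adaptation this section calls for. The weights, review threshold, 72-hour window, field names and the carrier-supplied `last_sim_change` timestamp are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for illustration; not taken from any real fraud model.
SIM_CHANGE_WINDOW = timedelta(hours=72)
REVIEW_THRESHOLD = 50

@dataclass
class Transfer:
    when: datetime
    amount: float
    device_known: bool   # device/number matches prior account activity
    payee_known: bool    # destination account has been paid before
    last_sim_change: Optional[datetime]  # assumed carrier signal; None if unknown

def _base(t: Transfer) -> int:
    """Risk from the transfer itself: new payee and large amount."""
    return (0 if t.payee_known else 30) + (30 if t.amount >= 5000 else 0)

def naive_score(t: Transfer) -> int:
    """Familiar device is treated as strong evidence of the real customer."""
    return max(_base(t) + (-40 if t.device_known else 40), 0)

def sim_aware_score(t: Transfer) -> int:
    """Device familiarity earns no credit shortly after a SIM/eSIM change."""
    recent_change = (
        t.last_sim_change is not None
        and timedelta(0) <= t.when - t.last_sim_change <= SIM_CHANGE_WINDOW
    )
    if recent_change:
        # The number was just reassigned: score it like an unfamiliar device.
        return max(_base(t) + 40, 0)
    return naive_score(t)

def needs_review(score: int) -> bool:
    return score >= REVIEW_THRESHOLD

# Constructed sample events (not real data).
NOW = datetime(2025, 1, 10, 14, 0)
ROUTINE = Transfer(NOW, 8000.0, True, True, None)
AFTER_SWAP = Transfer(NOW, 8000.0, True, False, NOW - timedelta(hours=3))

if __name__ == "__main__":
    for name, t in (("routine", ROUTINE), ("after_swap", AFTER_SWAP)):
        n, s = naive_score(t), sim_aware_score(t)
        print(f"{name}: naive={n} review={needs_review(n)} "
              f"sim_aware={s} review={needs_review(s)}")
```

The routine transfer scores the same under both rules; only the transfer made hours after a number reassignment is pushed over the review threshold.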