Reassigning a company mobile number? Ensure you don't leak sensitive data or 2FA codes with this essential pre-recycling checklist.
When a staff member leaves and their company mobile number is reassigned to a new employee, or when a business decides to cancel and recycle a number, the process creates security and privacy risks that most businesses do not consider.
A mobile phone number is not just a contact point — it is often the second factor in MFA, the recovery method for online accounts, and the destination for sensitive text messages and verification codes. Reassigning it without proper preparation can expose both the departing employee’s personal accounts and your organisation’s business systems.
The Security Risk: Why Phone Numbers Are High-Value Targets
Modern account security heavily relies on SMS verification. Banks, Microsoft 365, Google accounts, financial platforms, and hundreds of other services send one-time codes to a registered mobile number for:
- Two-factor authentication login codes
- Password reset verification
- Account recovery
- Transaction approval notifications
When a phone number is cancelled and recycled to a new user — by the telco, after a period of non-use — the new number owner receives all of those codes. If the previous user has not removed the number from their accounts, the new owner of the number can trigger password resets on accounts that still list the old number.
This is not hypothetical. There is documented research on the scale of account takeover risk from recycled phone numbers. A 2021 study found that 66% of available recycled numbers on two major US carriers were still associated with accounts on popular websites.
The Business Risk: Company Systems
For a company mobile that was used for business accounts and MFA:
- The number may be registered as the MFA method for business systems (Microsoft 365, banking, payroll)
- The number may be the account recovery method for shared business accounts
- Business contacts who have the number saved will reach the new holder, who may not be correctly identified as a different person
If the departing employee used the company mobile for their own personal accounts (banking, social media, personal email), those accounts still have the number registered after the device and number are reassigned.
The Pre-Recycling Checklist
For the Departing Employee’s Business Accounts
Before the number is reassigned:
1. Remove the number from MFA on all business systems
- Microsoft 365 / Entra ID: Admin Centre → Users → Select user → Authentication methods → Remove phone number
- Any SaaS applications where the number was registered as MFA method
- Business banking — contact the bank to update MFA contact details
- Payroll system, accounting software, CRM
2. Remove the number from account recovery settings
- Same applications as above — check both “security info” and “account recovery” sections, which are often separate fields.
3. Check what notifications and alerts are sent to the number
- Transaction alerts from business banking, system alerts from monitoring tools, and other automated messages sent to the number will continue to reach the new holder if not updated.
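The Admin Centre path in step 1 shows one user at a time, but a recycled number can also sit on shared or service accounts nobody remembers. As an added example (not from the original article or from CX IT Services), the following PowerShell script uses the Microsoft Graph PowerShell SDK to report every Entra ID user who still has the number registered as a phone authentication method and, only when run with -Remove, deletes those registrations. It assumes the Microsoft.Graph modules are installed and the operator holds the UserAuthenticationMethod.Read.All (or ReadWrite.All) permission; the parameter names $NumberToRecycle and -Remove and the helper ConvertTo-Digits are this example’s own.

```powershell
# Added example (not the article's own code): tenant-wide audit of a phone number
# registered as an Entra ID authentication method, report-only unless -Remove is given.
# Assumes the Microsoft.Graph PowerShell SDK and UserAuthenticationMethod.* permission.
param(
    [Parameter(Mandatory)] [string] $NumberToRecycle,   # e.g. "+61 412 345 678"
    [switch] $Remove                                      # default behaviour is report-only
)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

# Request only the read scope for an audit; the write scope is needed only for removal.
$scope = if ($Remove) { 'UserAuthenticationMethod.ReadWrite.All' } else { 'UserAuthenticationMethod.Read.All' }
Connect-MgGraph -Scopes $scope

# Graph stores numbers as "+61 412345678"; compare on digits only so spacing differences do not hide a match.
function ConvertTo-Digits([string] $Number) { return ($Number -replace '[^\d]', '') }
$target = ConvertTo-Digits $NumberToRecycle

$hits = @()
foreach ($user in Get-MgUser -All -Property Id,UserPrincipalName) {
    # Phone methods cover mobile, alternateMobile and office entries for the user.
    $methods = Get-MgUserAuthenticationPhoneMethod -UserId $user.Id -ErrorAction SilentlyContinue
    foreach ($m in $methods) {
        if ((ConvertTo-Digits $m.PhoneNumber) -ne $target) { continue }

        $hits += [pscustomobject]@{
            User      = $user.UserPrincipalName
            PhoneType = $m.PhoneType
            MethodId  = $m.Id
        }

        if ($Remove) {
            Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id
            Write-Host "Removed $($m.PhoneType) method from $($user.UserPrincipalName)"
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Host "No user has $NumberToRecycle registered as a phone authentication method."
} else {
    Write-Host "Users still registered with ${NumberToRecycle}:"
    $hits | Format-Table -AutoSize
}
```

Run it report-only first and keep the output with the offboarding record; run it again with -Remove once the owners of any unexpected matches (shared mailboxes, service accounts) have confirmed a replacement method, and a final report-only run should come back empty before the number is handed to the telco or the new employee.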
For the Departing Employee’s Personal Accounts
Brief the departing employee on their personal responsibility:
- Remove the company number from personal banking accounts
- Remove from personal email account recovery (Google, Apple, Microsoft personal)
- Remove from any personal accounts using SMS-based 2FA
- Update contact details anywhere the number was provided personally
This is the employee’s responsibility for their own accounts, but failing to do it creates risk for them — and potential complications if the new number holder triggers account recovery on accounts linked to the old number.
For Business Contacts
Notify key clients, suppliers, and partners that the number will be reassigned before it happens. For important ongoing relationships, ensure the contact’s entry is updated with the new contact details before the number goes to a new employee.
Before Assigning to a New Employee
When assigning a number (whether a recycled company number or a newly issued one) to a new staff member:
- Change the voicemail greeting immediately, so incoming callers hear a professional greeting with the new employee’s name
- Block or re-check any auto-forwarding rules on the device or account
- Register the number on all business systems that require it (MFA, contact directories)
- Inform the new employee that they should not use the company number for personal MFA — their personal accounts should use their personal mobile
The Wider Lesson: Phone Numbers as Identity
The underlying issue this checklist addresses is the overuse of phone numbers as identity and authentication anchors. SMS-based verification was widely adopted because it was convenient, not because it was secure.
The appropriate response for businesses is to move away from SMS-based MFA for business systems and towards authenticator apps or hardware keys — methods that are not tied to a phone number and do not create this type of account exposure risk on offboarding.
CX IT Services helps Melbourne businesses implement proper MFA policies and offboarding procedures. Contact us to discuss your current offboarding security process.