What is a SIM swap attack?
Your phone number is more powerful than you probably realise. It is the recovery method for your email, your bank, your crypto wallet, your social media accounts almost everything. Whoever controls your phone number controls your identity.
A SIM swap attack is when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. From that moment, every call and text meant for you including every two-factor authentication code goes to them instead. They use those codes to reset your passwords one by one and lock you out of your own accounts.
The terrifying part is that they never need to touch your phone. They do not need your password. They do not need to hack anything technical. They just need to social engineer a customer service representative on the phone for a few minutes.
The full attack, step by step
Understanding exactly how SIM swapping works is the first step to defending against it. Here is a complete walkthrough of a typical attack.
The attacker buys your personal information from a dark web breach dump. They learn your full name, phone number, home address, date of birth, and the last four digits of your Social Security Number. This data costs as little as a few dollars and is available for most adults in countries that have experienced major breaches. They may also check your social media to learn your carrier, your location, and personal details that can answer security questions.
The attacker calls your mobile carrier pretending to be you. They say they just got a new phone, lost their SIM card, or had their phone stolen. The carrier asks security verification questions name, address, date of birth, last four of SSN, or account PIN. The attacker answers all of them correctly using the breach data they bought. Some attackers bribe carrier employees directly. Others use inside knowledge of carrier verification gaps to get through with minimal information.
The carrier transfers your number. Your phone immediately loses signal you will see "No service" or "SOS only." You may not notice for hours if you are asleep, in a meeting, or away from your phone. The attacker's phone now receives all your calls and texts.
The attacker goes to your email provider, bank, crypto exchange, and social media accounts. They click "forgot password" and request a reset code via SMS. The code arrives on their phone. They reset the password. Then they change the recovery information so you cannot get back in. They work fast an experienced attacker can lock a victim out of 10 or more accounts within an hour of completing the SIM swap.
Bank transfers go out immediately. Crypto wallets are drained before the blockchain can do anything. Other accounts get sold, ransomed, or used to launch further attacks on the victim's contacts. By the time you realise what happened and contact your carrier, the damage is often already done.
Why breach data makes this so much easier
SIM swapping used to require significant research effort. Attackers had to dig through social media, find public records, or guess security question answers. Breaches eliminated most of that work.
When a company like National Public Data, AT&T, or Conduent leaks your personal information, that data goes straight into the raw material attackers use for SIM swaps. Your name, address, date of birth, and partial SSN all of which carriers use to verify identity are now sitting in a file that cost an attacker a few dollars to download.
The 2024 NPD breach exposed Social Security Numbers, addresses, and dates of birth for hundreds of millions of Americans. Every carrier in the US uses some combination of these exact data points for identity verification. If your information was in that breach, your SIM swap risk is significantly elevated.
Find out exactly what breach data is available about you before an attacker does.
Real cases what SIM swapping actually costs
In 2024 a 20-year-old in the US was charged with stealing $68 million in cryptocurrency from a single victim through a SIM swap. The victim had significant crypto holdings linked to a phone-verified account. The attacker spent months preparing before executing the swap.
The 2020 Twitter hack โ which compromised accounts belonging to Barack Obama, Elon Musk, and Apple began with a SIM swap targeting a Twitter employee. From one employee's number, the attackers gained internal admin access and took over accounts with a combined follower count of hundreds of millions.
A California woman lost her entire life savings after attackers SIM swapped her number while she slept. They transferred funds from her bank account using SMS verification codes. By the time she woke up and saw "No service" on her phone, the money was gone. Her bank initially refused to refund it.
Attackers SIM swapped the CEO of a small business, gained access to his email using SMS recovery, then sent fraudulent wire transfer instructions to the finance team. The team wired $340,000 to a foreign account before anyone realised the CEO's email had been taken over.
How to make yourself nearly immune
SIM swapping is not unstoppable. Each of the following steps removes a major part of what makes the attack work. Together they make you an extremely difficult target.
Every major carrier allows you to set a separate PIN that must be provided before any account changes including SIM swaps. Log into your carrier account or call them and set one. Make it a random number you store in a password manager, not a memorable date. This single step stops the majority of SIM swap attempts cold because the attacker cannot guess or look it up from breach data.
Easy ยท 5 minutes ยท highest impactSeveral carriers now offer a feature that locks your number so it literally cannot be ported or transferred without an additional in-person verification step. T-Mobile calls it "SIM lock," Verizon calls it "Number Lock," AT&T has a similar option. Enable it in your account settings or ask customer service to add it. This does not prevent all SIM swaps but it adds a significant barrier.
Easy ยท one-time setupIf an attacker completes a SIM swap, SMS 2FA becomes their weapon, not your shield. Move every important account email, bank, Apple/Google/Microsoft account to an authenticator app or hardware key. These generate codes on your physical device and cannot be intercepted via SIM swap because they are not sent to your phone number at all.
Easy ยท do this for every important accountThe moment a SIM swap happens, your phone loses signal. If your phone shows "No service" or "SOS only" unexpectedly especially in an area where you normally have signal call your carrier immediately from another phone. Do not wait to see if it comes back. Every minute you wait is another account the attacker can reset. Most damage in SIM swap attacks happens in the first 60 to 90 minutes.
Easy ยท knowledge to act onGo into your Gmail, Outlook, or Apple ID settings and remove your phone number as a recovery option if you can. Use a recovery email address or a backup authenticator app code instead. This severs the chain that makes SIM swapping so devastating even if an attacker has your number, your email stays protected.
Medium ยท check each accountSome banks now offer verbal passwords or biometric verification that override SMS codes. Others have a delay on large transfers initiated via online banking after a recent password reset. Ask your bank what options are available and whether they can flag your account for extra verification before any wire transfers.
Medium ยท worth a 10 minute callCall your carrier today and set a carrier PIN. This takes 5 minutes, costs nothing, and stops the vast majority of SIM swap attacks before they start. Do it before you do anything else on this list.
If it happens to you
Speed is everything. The moment you suspect a SIM swap is underway, do the following in this order:
- Call your carrier immediately from another phone tell them you believe a SIM swap is in progress and ask them to reverse it and lock your account
- Log into your email from a device that is already signed in change the password immediately without using an SMS recovery code
- Contact your bank by phone ask them to freeze any outgoing transfers while the situation is resolved
- File a report with the FTC at reportfraud.ftc.gov this creates an official record that helps with bank disputes and law enforcement
- Contact your crypto exchange immediately many have emergency freeze options that can stop withdrawals if you act fast enough
Most of the financial damage in a SIM swap attack happens in the first 60 minutes. If you act within that window โ contacting your carrier and bank before the attacker can drain accounts and change recovery information โ you dramatically improve the chances of a full recovery.
Sources
- FCC Consumer Advisory. SIM swapping and port-out scams
- FBI Internet Crime Complaint Center (IC3). 2024 Internet Crime Report
- US Department of Justice. SIM swap prosecution case files (2023 and 2024)
- Princeton University study on carrier authentication weaknesses in SIM swap attacks
- FTC Consumer Advice. What to do if your phone is lost or stolen