SIM swapping is one of the fastest-growing cyberattacks. The FBI reported over $68 million in SIM swapping losses in 2023 alone. This guide explains how SIM swapping works and exactly how to protect yourself.
What Is SIM Swapping?
A SIM swap attack happens when a hacker convinces your phone carrier to transfer your phone number to a new SIM card — one that the hacker controls. Once they have your number, they receive all your calls, texts, and most importantly, your two-factor authentication (2FA) codes.
With those codes, they can reset passwords on your bank accounts, email, cryptocurrency wallets, and social media profiles.
How Hackers Pull Off a SIM Swap
Step 1: Gather Personal Information
Hackers collect your name, address, phone number, and account details from data breaches, social media, or social engineering.
Step 2: Contact Your Carrier
They call your phone carrier (AT&T, Verizon, T-Mobile) pretending to be you. They claim they lost their phone or need to switch to a new SIM card.
Step 3: Pass Security Questions
Using your leaked personal information, they answer security questions and convince the carrier representative to make the transfer.
Step 4: Take Over Your Accounts
With your phone number redirected, they receive your 2FA codes and reset passwords on your banking, email, and financial accounts.
Warning Signs You Are Being SIM Swapped
- Your phone suddenly shows "No Service" or "SOS Only" without any carrier outage in your area
- You stop receiving text messages and phone calls
- You receive emails about password changes you did not request
- Your bank sends alerts about transactions you did not make
- You cannot log into accounts that use SMS verification
If you notice any of these signs, act immediately — you may have minutes before accounts are compromised.
7 Steps to Protect Your Phone Number
1. Set a PIN or Passphrase With Your Carrier
Call your carrier and set up an account PIN that must be provided before any account changes. This is the single most important step.
- AT&T: Set up "Extra Security" passcode
- Verizon: Set up Account PIN in My Verizon
- T-Mobile: Enable Account Takeover Protection (call 611)
2. Switch From SMS to Authenticator Apps
Replace SMS-based 2FA with authenticator apps on all accounts that support it:
- Google Authenticator
- Authy
- Microsoft Authenticator
These apps generate codes on your device — a SIM swapper cannot intercept them.
3. Use Hardware Security Keys
For your most critical accounts (email, banking, crypto), use a hardware security key like YubiKey. This is the strongest form of two-factor authentication available.
4. Enable Number Transfer Lock
Most carriers offer a port-out lock or number transfer lock. Enable this to prevent your number from being transferred without extra verification.
5. Use Unique Passwords Everywhere
If a hacker has your email password from a data breach and you reuse it, they can access multiple accounts. Use a password manager to create and store unique passwords.
6. Limit Personal Information Online
The less personal information available publicly, the harder it is for attackers to answer your security questions. Review your social media privacy settings and remove your information from data broker sites using our Data Shield tool.
7. Monitor Your Phone Service
Pay attention to your phone's signal. If you unexpectedly lose service, contact your carrier immediately from another phone.
What to Do If You Are SIM Swapped
- Contact your carrier immediately from another phone. Tell them your number was stolen and ask them to reverse the SIM change.
- Change passwords on your email, banking, and financial accounts from a secure device.
- Contact your bank to freeze accounts and reverse any unauthorized transactions.
- File a report with the FBI at ic3.gov and your local police department.
- Place a fraud alert on your credit with Equifax, Experian, and TransUnion.
- Review all accounts that used SMS-based 2FA and update their security settings.
The key to surviving a SIM swap attack is speed. The faster you detect it and respond, the less damage the attacker can do. Setting up carrier protections now is the best prevention.