SIM Swap Attacks Explained: How Hackers Steal Your Phone Number & How to Stop Them

March 31, 2026 | PR-SAFE

Introduction: Your Phone Number Is More Valuable Than You Think

Your phone number has become one of the most critical pieces of your digital identity. It serves as a recovery method for email accounts, a second factor for banking apps, and the primary identifier for messaging platforms like Telegram, WhatsApp, and Signal.

This makes your phone number an incredibly attractive target for cybercriminals. Through a technique called SIM swapping (also known as SIM hijacking or SIM jacking), attackers can steal your phone number without ever touching your physical phone. Once they control your number, they can intercept your text messages, bypass two-factor authentication, and take over your most important accounts.

SIM swap attacks have been responsible for hundreds of millions of dollars in losses, with individual victims losing anywhere from a few thousand dollars to tens of millions. In 2025, the FBI received over 3,200 SIM swap complaints with adjusted losses exceeding $680 million — and these are only the reported cases.

This guide will explain exactly how SIM swap attacks work, who is at risk, how to protect yourself, and what to do if you become a victim. Understanding this threat is essential for anyone who relies on their phone number for account security.

What Is SIM Swapping: The Attack Explained

A SIM swap attack occurs when a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. This is not a technical hack in the traditional sense — it is primarily a social engineering attack that exploits the customer service processes of telecommunications companies.

The term "SIM swap" refers to the legitimate process that carriers offer when customers get a new phone or lose their SIM card. Carriers can transfer (or "port") a phone number to a new SIM card remotely. Criminals exploit this process by impersonating the legitimate account holder.

Once the swap is complete, your phone loses service — your calls, texts, and data stop working. Meanwhile, the attacker's phone starts receiving everything intended for you, including the one-time passcodes (OTPs) that many services send via SMS for two-factor authentication.

How SIM Swap Attacks Work: Step by Step

Understanding the mechanics of a SIM swap attack helps you see why they are so effective and where the vulnerabilities lie.

Step 1: Information Gathering. The attacker collects personal information about the target. This can come from multiple sources:

  • Data breaches — previous leaks may contain your name, address, email, date of birth, and the last four digits of your Social Security Number
  • Social media profiles — birthday, hometown, pet names, school names (common security question answers)
  • Dark web purchases — complete identity packages can be bought for as little as $30-$80
  • Phishing attacks — targeted emails or calls designed to extract specific information
  • Public records — voter registration, property records, court filings

Step 2: Contacting the Carrier. Armed with the victim's personal information, the attacker contacts the mobile carrier's customer service — either by phone, online chat, or by visiting a retail store. They impersonate the victim and claim they need to transfer their number to a new SIM card, typically citing a lost phone, a new device, or a damaged SIM.

Step 3: Authentication Bypass. The carrier's customer service representative asks security questions to verify the caller's identity. The attacker answers using the information gathered in Step 1. Common verification questions include:

  1. Full name and date of birth
  2. Last four digits of Social Security Number
  3. Account PIN or passcode
  4. Billing address
  5. Recent payment amount
  6. Name on the account

In some cases, attackers bribe or coerce carrier employees directly. In 2024, multiple cases emerged where carrier employees were paid $500-$1,000 per swap by criminal organizations.

Step 4: The Transfer. Once "verified," the carrier activates the attacker's SIM card with the victim's phone number. This process typically takes only minutes. The victim's phone immediately loses cellular service — no calls, no texts, no mobile data.

Step 5: Account Takeover. With control of the phone number, the attacker moves quickly to take over accounts. They typically start with email (the master key to other accounts), then move to financial accounts, cryptocurrency wallets, and social media. For each account, they use the "forgot password" function and receive the reset code via SMS on the swapped number.

Step 6: Exploitation. The attacker drains bank accounts, transfers cryptocurrency, makes purchases, and may impersonate the victim for further fraud. The entire process from SIM swap to account compromise can take as little as 15-30 minutes.

Speed is critical: Most SIM swap damage occurs within the first hour. By the time victims realize their phone has stopped working, investigate the cause, contact their carrier, and have the swap reversed, significant damage is already done.
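A service that sends SMS reset codes sees Steps 4 and 5 as a SIM change followed shortly by reset requests for the same number. The sketch below is an added example, not code from this guide or from any carrier. It assumes the service can learn when a number's SIM last changed; the log format, field names and phone numbers are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Assumed line format:
#   <UTC timestamp> <event> key=value ...
SAMPLE_LOG = """\
2026-03-01T14:02:11Z sim_change number=+12025550100
2026-03-01T14:09:40Z sms_reset number=+12025550100 account=mail
2026-03-01T14:15:03Z sms_reset number=+12025550100 account=exchange
2026-03-01T14:20:00Z sms_reset number=+12025550199 account=mail
2026-03-03T09:00:00Z sms_reset number=+12025550100 account=bank
""".splitlines()


def parse(line):
    """Split one log line into (timestamp, event name, field dict)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def resets_with_sim_age(lines):
    """Yield (account, number, time since that number's last SIM change or None)."""
    last_change = {}
    # Sort by timestamp so out-of-order log delivery does not hide a swap.
    for ts, event, f in sorted(map(parse, lines), key=lambda e: e[0]):
        if event == "sim_change":
            last_change[f["number"]] = ts
        elif event == "sms_reset":
            changed = last_change.get(f["number"])
            age = ts - changed if changed is not None else None
            yield f["account"], f["number"], age


def review_sms_resets(lines, hold=timedelta(hours=24)):
    """Waiting period: hold any SMS reset requested less than `hold` after a SIM change."""
    return [
        (acct, num, "hold" if age is not None and age < hold else "send")
        for acct, num, age in resets_with_sim_age(lines)
    ]


def takeover_alerts(lines, window=timedelta(hours=1), threshold=2):
    """Flag numbers with several SMS resets inside the first hour after a SIM change."""
    hits = {}
    for acct, num, age in resets_with_sim_age(lines):
        if age is not None and age <= window:
            hits.setdefault(num, []).append(acct)
    return {num: accts for num, accts in hits.items() if len(accts) >= threshold}


if __name__ == "__main__":
    for decision in review_sms_resets(SAMPLE_LOG):
        print(decision)
    print(takeover_alerts(SAMPLE_LOG))
```

A held reset would fall back to a factor that does not depend on the phone number, which is the reason the 24-hour hold and one-hour alert window are parameters rather than fixed values.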

Why Attackers Target Your Phone Number

Your phone number has become the weakest link in account security because of how many services depend on it.

SMS-Based Two-Factor Authentication. Despite security experts warning against SMS 2FA for years, the majority of online services still use text messages as their primary or only two-factor authentication method. Banks, social media platforms, email providers, and cryptocurrency exchanges all commonly use SMS verification codes. Once an attacker controls your phone number, all SMS-based 2FA is completely compromised.

Account Recovery. Even accounts that use authenticator apps for 2FA often have phone number-based recovery as a backup option. If you cannot access your authenticator, many services offer to send a recovery code via SMS — which the attacker can intercept.

Messaging Platform Identity. Platforms like Telegram, WhatsApp, and Signal tie your identity directly to your phone number. A SIM swap gives the attacker control of your messaging accounts, enabling them to impersonate you to your contacts. Learn more about how attackers exploit this in our guide on how hackers steal Instagram and Telegram accounts.

Financial Services. Banking apps, payment services, and investment platforms frequently use phone numbers for transaction verification. A SIM swap can enable unauthorized transfers, payments, and trades.

Real Cases: The Devastating Impact of SIM Swap Attacks

Real-world SIM swap cases illustrate the severity and scale of this attack method.

Michael Terpin — $24 Million Cryptocurrency Theft (2018). Investor Michael Terpin lost $24 million in cryptocurrency after a SIM swap attack. He successfully sued AT&T for $75.8 million, arguing the carrier was negligent in allowing the swap. This case brought national attention to SIM swap attacks and established legal precedent for carrier liability.

The SIM Swap Ring — $680 Million (2024-2025). The FBI reported that SIM swap-related complaints in 2025 resulted in adjusted losses of $680 million. Organized criminal rings, primarily operating from the United States, West Africa, and Eastern Europe, conducted systematic SIM swap campaigns targeting cryptocurrency holders, business executives, and high-net-worth individuals.

FTX-Related SIM Swap (2023). Three individuals were charged with stealing over $400 million in cryptocurrency through SIM swap attacks. One of their targets was reportedly connected to the FTX cryptocurrency exchange. The attackers used a combination of social engineering and insider contacts at telecom companies.

Twitter CEO Jack Dorsey (2019). Even the CEO of Twitter was not immune. Dorsey's Twitter account was compromised through a SIM swap attack, with attackers posting offensive messages to his 4.2 million followers. The incident highlighted that SIM swap vulnerability is universal — it affects everyone regardless of their technical sophistication.

Robert Ross — $1 Million in Savings (2018). Robert Ross, a father of two, lost $1 million in life savings — his children's college funds — to a SIM swap attack. His case became a catalyst for advocacy around SIM swap protection legislation and carrier accountability.

The pattern is clear: SIM swap attacks disproportionately target individuals with cryptocurrency holdings or significant financial accounts. However, anyone can be a target, especially as attackers move toward automated, lower-value but higher-volume attacks.

Who Is at Risk

While anyone with a mobile phone is technically vulnerable to SIM swap attacks, certain groups face elevated risk.

Cryptocurrency holders are the primary targets. Cryptocurrency transactions are irreversible, anonymous, and can be executed quickly — making crypto the ideal theft vehicle for SIM swappers. If you hold significant cryptocurrency, you are a high-priority target.

High-net-worth individuals attract attention from sophisticated criminal groups willing to invest time and resources into targeted attacks.

Public figures and influencers have extensive personal information available online, making the information-gathering phase of a SIM swap attack much easier.

Business executives are targeted for both financial theft and corporate espionage. Access to an executive's accounts can lead to business email compromise and wire fraud.

People who have appeared in data breaches are at higher risk because their personal information is already available to criminals. Check your exposure at PR-SAFE to understand your risk level.

Users who rely heavily on SMS-based 2FA without backup authentication methods are particularly vulnerable because SIM swap directly defeats their primary security measure.

Warning Signs: How to Know If You Have Been SIM Swapped

Recognizing a SIM swap in progress is critical for minimizing damage. Here are the warning signs to watch for.

Sudden loss of cellular service. Your phone shows "No Service" or "Emergency Calls Only" even in an area where you normally have coverage. This is the most immediate and obvious sign of a SIM swap.

Inability to make calls or send texts. If your phone connects to WiFi but cannot make cellular calls or send SMS messages, your SIM may have been deactivated.

Unexpected password reset emails. If you receive emails about password changes or security alerts you did not initiate, an attacker may be using your swapped number to take over accounts.

Notifications about account access from unknown devices or locations. Services that send security notifications may alert you to logins you did not perform.

Carrier notifications about SIM changes. Some carriers send a text or email notification when a SIM change is processed. If you receive such a notification without requesting a change, act immediately.

Social media or email logins from unfamiliar locations. Check your account activity logs for access from IP addresses or locations you do not recognize.

If you notice any of these signs, contact your carrier immediately and take the emergency steps outlined later in this guide.

8 Proven Ways to Prevent SIM Swap Attacks

Prevention is far more effective than trying to recover after a SIM swap. Here are eight proven strategies to protect yourself.

1. Set a PIN or Passcode with Your Carrier. All major carriers allow you to set an additional PIN or passcode that must be provided before any account changes can be made. This is your first line of defense. Call your carrier and request a SIM lock or account PIN. Make sure this PIN is unique and not derived from easily guessable information like your birthday or address.

2. Switch from SMS 2FA to Authenticator Apps. Wherever possible, use authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator instead of SMS-based two-factor authentication. Authenticator apps generate codes locally on your device and are not affected by SIM swaps. Our two-factor authentication setup guide walks you through this process for all major platforms.

3. Use Hardware Security Keys. For maximum security, use hardware security keys like YubiKey or Google Titan. These physical devices must be present to authenticate, making remote attacks impossible. They are especially important for email accounts, financial services, and cryptocurrency exchanges.

4. Use a Google Voice Number for Account Recovery. Google Voice numbers cannot be SIM swapped because they are tied to your Google account, not to a physical SIM card. Using a Google Voice number for account recovery provides protection against SIM swap attacks while still allowing SMS-based recovery.

5. Consider eSIM Technology. Embedded SIM (eSIM) technology provides some additional protection against SIM swap attacks because the SIM is built into the device and cannot be physically removed or replaced without device access. Many modern smartphones support eSIM, and carriers are increasingly offering eSIM activation.

6. Implement Carrier-Level Security Features. Many carriers now offer additional security features specifically designed to prevent SIM swap fraud:

  • AT&T: "Extra Security" feature requires additional verification for account changes
  • T-Mobile: "Account Takeover Protection" adds extra authentication requirements
  • Verizon: "Number Lock" prevents number transfers without unlocking through the Verizon app
  • International carriers: Check with your specific carrier for SIM lock or port protection features

7. Minimize Personal Information Online. The less personal information available about you online, the harder it is for attackers to pass carrier verification. Remove yourself from data broker sites, limit what you share on social media, and be cautious about who you share personal details with. Use PR-SAFE to check what personal data may already be exposed in breaches.

8. Use a Dedicated Phone Number for Financial Accounts. Consider having a separate phone number — preferably on a different carrier — that you use exclusively for banking and financial services. Keep this number private and do not use it for social media or public purposes. If your primary number is compromised, your financial accounts remain protected.

What to Do If You Have Been SIM Swapped: Emergency Response

If you believe you are experiencing a SIM swap attack, every minute counts. Follow these steps in order.

Immediate Actions (First 15 Minutes):

  1. Contact your carrier immediately. Use a different phone to call your carrier's fraud department. Tell them you believe your number has been SIM swapped and request immediate restoration. Have your account PIN and identification ready.
  2. Secure your email accounts. Using a computer (not the affected phone), change your email passwords and review security settings. If you cannot access your email, initiate account recovery through your email provider's support.
  3. Contact your banks and financial institutions. Alert them to the SIM swap and request temporary account freezes if necessary.

Secondary Actions (First Hour):

  • Change passwords on all critical accounts (banking, cryptocurrency, email, social media) using a password manager
  • Disable SMS-based 2FA and switch to authenticator apps where possible
  • Check for unauthorized transactions and report them
  • Review email account forwarding rules — attackers often set up hidden forwarding
  • Log out of all sessions on all accounts

Follow-Up Actions (First 24-48 Hours):

  • File a police report — you will need this for fraud claims and insurance
  • Report the incident to the FBI's IC3 (ic3.gov) if you are in the United States
  • File a complaint with the FCC if your carrier failed to protect your account
  • Place a fraud alert on your credit reports
  • Consider a credit freeze
  • Document everything — dates, times, conversations, losses — for potential legal action
  • Contact an attorney if significant financial losses occurred

Carrier-Specific Protection Guide

Each carrier offers different security features and processes. Here is what you need to know about protecting your account on major carriers.

AT&T Protection:

  • Set up "Extra Security" passcode through the myAT&T app or by calling customer service
  • Enable "Account Lock" to prevent changes to your wireless account without in-person verification with a valid ID
  • Request that your account be flagged as "high risk" for SIM swap fraud
  • Consider AT&T's ActiveArmor security app for additional protection

T-Mobile Protection:

  • Enable "Account Takeover Protection" through the T-Mobile app or customer service
  • Set up a customer care PIN (different from your device unlock PIN)
  • Enable "SIM Protection" which locks your SIM to your current device
  • Use T-Mobile's Scam Shield app for call protection

Verizon Protection:

  • Set up "Number Lock" through the My Verizon app — this prevents your number from being ported without unlocking
  • Enable "Account PIN" for all customer service interactions
  • Consider Verizon's "Account Security" features for additional verification requirements

International Carriers:

  • Contact your carrier directly to ask about SIM lock, port protection, or account freeze features
  • In the UK, carriers participate in the "Number Verify" scheme — ask about this
  • In the EU, the revised Payment Services Directive (PSD2) requires stronger authentication for financial transactions, providing some protection
  • In Australia, carriers offer "port protection" that requires in-store verification for number transfers
  • In Canada, the CRTC has mandated improved SIM swap protections since 2024

Legal Consequences for SIM Swap Attackers

Law enforcement has become increasingly aggressive in prosecuting SIM swap crimes, with significant legal consequences for perpetrators.

Federal Charges. SIM swap attackers commonly face federal charges including wire fraud (up to 20 years), identity theft (a mandatory 2 years, served consecutively), computer fraud under the CFAA (up to 10 years), and conspiracy charges that can compound sentences.

Recent Prosecutions. In 2024-2025, several high-profile SIM swap cases resulted in significant sentences. A 21-year-old from Florida received 10 years for stealing $7.5 million through SIM swaps. Three members of a SIM swap ring were sentenced to 4-8 years each for $400 million in cryptocurrency theft. A former telecom employee who facilitated SIM swaps received 5 years for their role.

Civil Liability. Victims are increasingly suing both attackers and carriers. Michael Terpin's $75.8 million judgment against AT&T established that carriers can be held liable for failing to protect customers from SIM swap attacks. Class action lawsuits against carriers for inadequate SIM swap protections are ongoing in multiple jurisdictions.

Carrier Employee Prosecution. Telecom employees who facilitate SIM swaps through bribery or coercion face both criminal charges and civil liability. Multiple carrier employees have been prosecuted for accepting payments from SIM swap rings.

Connection to 2FA Bypass: The Bigger Security Picture

SIM swap attacks are part of a broader category of attacks designed to bypass two-factor authentication. Understanding this context helps you build more resilient security.

SMS-based 2FA is considered the weakest form of two-factor authentication for several reasons beyond SIM swapping. SS7 protocol vulnerabilities can allow interception of SMS messages without any SIM swap. Malware on your device can read incoming text messages. Social engineering can convince carriers to reveal one-time codes over the phone.

The authentication hierarchy from weakest to strongest is:

  1. SMS codes (vulnerable to SIM swap, SS7 attacks, malware)
  2. Email codes (vulnerable if email is compromised)
  3. Authenticator apps (secure against SIM swap, but vulnerable to device theft/malware)
  4. Push notifications (secure, but vulnerable to notification fatigue attacks)
  5. Hardware security keys (most secure, immune to remote attacks)

Whenever possible, move up this hierarchy. At minimum, use authenticator apps for all important accounts and hardware security keys for the most critical ones (email, financial services, cryptocurrency).

Future: eSIM Security and Beyond

The mobile industry is evolving to address SIM swap vulnerabilities, with several promising developments on the horizon.

eSIM Adoption. Embedded SIMs are becoming standard in modern smartphones. Apple removed the physical SIM tray from iPhone 14 and later models sold in the United States. eSIMs provide some protection because they cannot be physically stolen or cloned. However, eSIM profiles can still be transferred through social engineering, so they are not a complete solution.

Carrier Authentication Improvements. Major carriers are implementing more robust authentication processes for account changes, including biometric verification for in-store requests, multi-step verification for number transfers, real-time fraud detection systems that flag suspicious SIM change requests, and mandatory waiting periods before number transfers take effect.

STIR/SHAKEN Protocol. This telecommunications standard verifies the identity of callers and helps prevent phone number spoofing. While primarily designed to combat robocalls, it also makes certain types of SIM swap social engineering more difficult.

Passkeys and FIDO2. The industry is moving toward passwordless authentication using passkeys and FIDO2 standards. These technologies are tied to specific devices and are immune to SIM swap attacks. Major platforms including Apple, Google, and Microsoft are aggressively pushing passkey adoption.

Regulatory Action. The FCC has implemented rules requiring carriers to authenticate customers before processing SIM changes and to notify customers of SIM swap requests. Similar regulations are being adopted worldwide, creating a stronger protective framework.

While these developments are encouraging, they do not eliminate the need for personal vigilance. Technology and regulation work together with individual security practices to create comprehensive protection.

Conclusion: Protecting Your Phone Number Is Protecting Your Identity

SIM swap attacks exploit a fundamental vulnerability in our digital infrastructure — the reliance on phone numbers as identity verification. Until the industry fully transitions to more secure authentication methods, your phone number remains a critical security asset that requires active protection.

Take action today:

  • Set a PIN with your mobile carrier right now — it takes less than 5 minutes
  • Switch critical accounts from SMS 2FA to authenticator apps or hardware keys
  • Check your data exposure at PR-SAFE to understand what information attackers could use against you
  • Implement the carrier-specific protections outlined in this guide
  • Have an emergency response plan ready in case you are targeted

The effort required to protect yourself is minimal compared to the devastating consequences of a successful SIM swap attack. A few minutes of prevention today could save you from months of recovery and potentially millions in losses.

For complete account security, also read our guides on social media security, email security, and choosing a password manager. Together with SIM swap protection, these measures create a comprehensive defense against modern cyber threats.
