SIM swap attacks: when someone steals your phone number

Your phone number is more valuable to a criminal than you probably realize. It is not just how people call you — it is often the backup key to your email, your bank, your crypto wallet, and dozens of other accounts. SIM swap attacks exploit that. A scammer convinces your carrier to transfer your number to a SIM card they control. Suddenly, every call and text meant for you goes to them instead. Every "text us a code to verify it's you" message from your bank goes straight to the attacker.

The FBI reported $68 million in SIM swap losses in 2021, a number that has continued rising. High-profile cases have involved cryptocurrency investors losing millions of dollars in a matter of hours. But it also happens to regular people whose email contains enough financial information to make the effort worthwhile. Here is how to understand this threat and what you can actually do about it.

How a SIM swap attack works

The attack starts long before the attacker calls your carrier. They spend time collecting information about you first — your full name, phone number, carrier, address, and the last four of your Social Security Number or account PIN. They get this through data breaches, phishing emails, social media profiles, or by simply buying your data from underground markets where breached records are sold in bulk.

Armed with that information, the attacker contacts your carrier's customer service — either by phone or sometimes by visiting a retail store in person. They claim to be you. They say they lost their phone, got a new one, and need to transfer the number to a new SIM. If the customer service representative does not verify your identity rigorously (and this is where carriers have historically been weak), the transfer goes through.

From that moment, your phone loses service. All your calls and texts route to the attacker's phone. They immediately use your number to receive two-factor authentication codes for your accounts — starting with your email, which is master key to everything else. Within an hour or two, a skilled attacker can compromise email, financial accounts, and crypto wallets.

You often do not know it happened until your phone just stops working, and by then the damage can already be done.

Warning signs you may be under attack

• Your phone suddenly loses all signal — not a coverage blip, but a full "No Service" or "SOS only" state that does not resolve when you move around or restart the device.
• You can no longer make or receive calls or texts even in areas where you normally have signal.
• You get a notification from your carrier about a SIM change or account update that you did not initiate.
• You receive emails about password resets on accounts you did not request. The attacker is using your number to get into your accounts.
• You are suddenly locked out of accounts you were logged into — your email password changed, your bank account inaccessible.

If your phone loses service unexpectedly and you live in an area with good coverage, call your carrier immediately from a different phone. Do not wait to see if it comes back.

How to protect yourself before it happens

Prevention is much easier than recovery. These steps meaningfully reduce your risk.

Set a SIM PIN or account passcode with your carrier. Every major carrier allows you to add an extra PIN that must be provided before any account changes are made. Call your carrier or go to their website settings and set this up today. This is the most direct protection against SIM swaps.

Ask your carrier about port freeze or number lock. Some carriers offer account freezes that prevent number transfers entirely unless you specifically request to remove the freeze. AT&T, Verizon, and T-Mobile all have some version of this.

Stop using SMS for two-factor authentication on important accounts. SMS 2FA is better than nothing, but it is the exact thing a SIM swap defeats. Switch to an authenticator app — Google Authenticator, Authy, or Apple's built-in option — wherever the service allows it. These apps generate codes on your device that are not tied to your phone number at all.

Use a hardware security key for your most critical accounts. For accounts like your primary email and financial services, a physical security key (YubiKey is the most common) is immune to SIM swap attacks entirely. It is worth the investment if you have significant financial or crypto accounts.

Do not over-share personal information publicly. Scammers assemble your profile from what you post. Your phone number, carrier, birthday, address — the less of this that is publicly visible on social media and data broker sites, the harder it is to impersonate you to your carrier.

What to do if you think you've been SIM swapped

1. Call your carrier immediately from another phone. Tell them you believe your SIM has been swapped fraudulently and ask them to reverse it and lock your account. Time matters here.
2. Change your passwords for email, banking, and financial accounts from a device that is not your phone. If the attacker was in your email, assume they have a reset link for every account that email address controls.
3. Notify your bank and financial institutions. Ask them to place a fraud alert and review recent activity. Move quickly — fund transfers can happen within minutes.
4. Place a credit freeze at Equifax, TransUnion, and Experian. This prevents anyone from opening new credit in your name using stolen identity information.
5. File a report with the FTC (ReportFraud.ftc.gov) and your local police department. The FTC report is the official record you will need for any fraud disputes.

For a more detailed recovery checklist, see our guide on what to do if you got scammed.

Why crypto holders are targeted most often

Cryptocurrency is the primary target in most SIM swap cases because it is fast and irreversible. Once crypto leaves your wallet, it cannot be recalled the way a wire transfer sometimes can. Attackers who know a target holds significant crypto will specifically target them using information gathered from social media or forums where users discuss holdings publicly.

If you hold meaningful cryptocurrency, use a hardware wallet for storage, use an authenticator app (never SMS) for exchange 2FA, and treat your phone number as a potential attack surface rather than a security feature.