This article explains how SIM swapping works and how to lock down your phone number before criminals use it against you.
Your Phone Number Is Not Just a Phone Number
Your mobile number is often treated like proof of identity. Banks use it. Email providers use it. Social media platforms use it. Crypto exchanges use it. Government portals may use it too.
That is exactly why SIM swapping is dangerous.
A SIM swap attack happens when a criminal tricks your mobile provider into moving your phone number to a SIM card or eSIM they control. Once that happens, your phone may lose service, and the attacker may start receiving your calls, texts, and SMS verification codes. ENISA, the European Union Agency for Cybersecurity, warns that attackers can use this access to bypass two-factor authentication on banking, social media, and other online accounts.
Your phone number should not be treated like a master key. But too many companies still use it that way.
What Is SIM Swapping?
SIM swapping is a form of identity theft where a criminal takes control of your mobile phone number.
They do not need to steal your physical phone. They do not need to touch your SIM card. They only need to convince your carrier that they are you.
In Australia, Scamwatch describes phone porting as a common example of identity theft: scammers collect personal information through phishing, data breaches, or social media, then impersonate the victim and ask the mobile provider to transfer the number to a SIM they control. Once ported, calls and messages — including bank SMS codes and one-time passwords — go to the scammer.
The Telecommunications Industry Ombudsman also defines an unauthorised SIM swap as someone taking control of your mobile service by getting the provider to cancel your SIM and replace it with another one. The victim often first notices the problem when their mobile service suddenly stops working.
SIM Swap vs Port-Out Fraud
These attacks are closely related, but they are not always the same.
| Attack Type | What Happens | Why It Matters |
|---|---|---|
| SIM swap | Your number is moved to a new SIM or eSIM under the attacker’s control. | The attacker can receive SMS codes, calls, and recovery messages. |
| Port-out fraud | Your number is transferred from your provider to another provider. | The attacker takes your number away from your carrier account entirely. |
| Account takeover | The attacker uses your number to reset passwords or bypass SMS-based security. | Your bank, email, crypto, and social accounts may be targeted. |
In the United States, the FCC has treated SIM swap and port-out fraud as serious consumer protection issues. Its rules require wireless providers to use secure authentication before SIM changes or number ports, notify customers when SIM change or port-out requests are made, offer account locks, and maintain processes for fraud reporting and remediation.
How SIM Swapping Actually Works
Most SIM swaps follow a simple pattern.
1. Criminals collect your personal information
They may use:
- Data breaches
- Phishing emails
- Fake login pages
- Scam phone calls
- Malware
- Social media posts
- Public records
- Leaked passwords
- Reused passwords
ENISA says attackers often begin by gathering personal details through social engineering, phishing, malware, data breaches, or social media research.
2. They impersonate you
The criminal contacts your mobile provider online, by phone, through chat support, or in-store.
They may claim:
- “I lost my phone.”
- “My SIM is damaged.”
- “I need to activate a new eSIM.”
- “I changed devices.”
- “I cannot receive calls.”
- “I need urgent access.”
If the carrier’s verification process is weak, the attacker may only need your name, date of birth, address, account number, or answers to basic security questions.
3. Your number is transferred
If the scam succeeds, your number is moved to the attacker’s SIM or eSIM.
Your phone may suddenly show:
- No service
- SOS only
- No mobile data
- Failed calls
- Failed SMS messages
- Lost access to mobile banking prompts
4. The attacker starts resetting accounts
Once they control your number, they may try to reset passwords on:
- Email accounts
- Bank accounts
- Crypto exchanges
- Social media accounts
- Cloud storage
- Payment apps
- Shopping accounts
- Government portals
The FTC warns that once scammers have login credentials, they may access bank accounts, steal money, take over email or social media accounts, change passwords, and lock victims out.
Why SIM Swapping Is Getting So Dangerous
SIM swapping works because the modern internet still uses phone numbers for identity checks.
That is the weak point.
The FBI’s 2024 Internet Crime Report recorded 982 SIM swap complaints and $25,983,946 in reported losses in the United States. The report also shows that reported SIM swap losses were even higher in 2023 and 2022, which means the threat remains financially serious even when yearly figures move up or down.
In the UK, Cifas reported a 1,055% surge in unauthorised SIM swaps in 2024, with nearly 3,000 cases filed to the National Fraud Database. Cifas also reported that telecom-related identity fraud rose 87%, and nearly half of account takeover cases involved mobile phone accounts.
This is not just a “tech person” problem. It affects ordinary people because ordinary people have bank accounts, email accounts, phone numbers, tax records, social profiles, and identity documents.
Why Criminals Want Your Number
Your number can help criminals break into your digital life.
They may use it to:
- Reset your email password
- Intercept SMS banking codes
- Approve fraudulent transactions
- Take over WhatsApp, Telegram, or Signal accounts
- Access crypto exchanges
- Hijack social media accounts
- Steal cloud files and photos
- Apply for credit in your name
- Bypass weak account recovery systems
- Lock you out while they move fast
The real target is not always your phone number. The real target is what your number unlocks.
Warning Signs of a SIM Swap Attack
Act fast if you notice these signs.
- Your phone suddenly loses service without explanation.
- You cannot make or receive calls.
- You cannot receive SMS messages.
- Your carrier sends a message about a SIM change or port request you did not make.
- Your bank sends login or transaction alerts you did not trigger.
- Your email says your password or recovery phone was changed.
- Friends say they are receiving strange messages from your number.
- You are locked out of email, banking, crypto, or social media accounts.
ENISA lists loss of network connection, suspicious banking activity, loss of access to social media or email, and strange calls asking for codes as warning signs of SIM swapping.
If your phone suddenly dies and your bank starts sending alerts, treat it as an emergency.
How to Prevent SIM Swapping
You cannot control every carrier employee, data breach, or criminal tactic. But you can make your number much harder to steal and much less useful if it is stolen.
Lock Your Carrier Account First
Your mobile provider account is the front door.
Do this today:
- Add a unique account PIN or passcode.
- Turn on port-out protection, number lock, transfer lock, or SIM protection if your provider offers it.
- Use a strong, unique password for your carrier login.
- Remove old authorised users from your mobile account.
- Add a secure email address for account alerts.
- Ask your provider what extra protections exist for SIM swaps and number transfers.
- Make sure you receive alerts for account changes.
- Keep your carrier account details out of screenshots, emails, and public posts.
The FTC specifically advises setting up a PIN or password on your cellular account to help protect it from unauthorised changes.
If you are in Australia, the Telecommunications Industry Ombudsman says providers are expected to make reasonable attempts to identify anyone requesting a SIM swap and respond quickly to unauthorised swaps by cancelling the replacement SIM and adding protections such as account passwords.
Stop Using SMS Codes for Important Accounts
SMS two-factor authentication is better than having no second factor at all.
But it is weak against SIM swapping.
If a criminal controls your number, SMS codes may go straight to them. That is why the FTC recommends using an authentication app or security key for sensitive accounts if you are concerned about SIM swapping.
Microsoft is also moving personal accounts away from SMS codes, stating that SMS authentication is vulnerable to phishing and SIM-swap attacks and is being replaced with passkeys and verified email for stronger protection.
Use this ranking:
| Security Method | SIM Swap Risk | Best Use |
|---|---|---|
| SMS code | High | Only if nothing better is available |
| Email code | Medium | Safer only if your email is strongly protected |
| Authenticator app | Lower | Good default for most accounts |
| Passkey | Very low | Strong option where supported |
| Hardware security key | Very low | Best for email, crypto, banking, and admin accounts |
Protect Your Email Like It Controls Everything
Your email is usually the master recovery account.
If criminals get your email, they may reset passwords across your financial, social, cloud, and shopping accounts.
Do this:
- Use a strong, unique email password.
- Turn on passkeys or a hardware security key if available.
- Remove SMS recovery where possible.
- Add backup codes and store them offline.
- Check recovery email addresses and phone numbers.
- Review logged-in devices.
- Turn on login alerts.
- Sign out of old sessions.
- Never reuse your email password anywhere else.
If you only harden one account today, harden your main email account.
Use a Password Manager
Weak and reused passwords make SIM swapping worse.
If your password is already leaked, a criminal only needs your phone number to complete the takeover. A password manager helps you create unique passwords for every account, so one breach does not become a full identity compromise.
Use it for:
- Banking
- Mobile provider account
- Crypto exchanges
- Social media
- Cloud storage
- Government accounts
- Shopping accounts
- Payment apps
A unique password will not stop every SIM swap, but it removes one of the attacker’s easiest paths.
Reduce the Personal Information Criminals Can Use
SIM swapping often starts with identity data.
Remove or hide:
- Full date of birth
- Home address
- Personal phone number
- Family member names
- Pet names
- School history
- Employer details
- Public email addresses
- Old usernames
- Security-question answers
ENISA advises being cautious with personal information shared on websites and social media because attackers can use it to support SIM swap attempts.
Also stop answering security questions honestly.
If a site asks for your mother’s maiden name, first school, or childhood street, use random answers stored in your password manager. Publicly knowable facts are not security.
Harden Your Bank and Crypto Accounts
Financial accounts need stronger protection than ordinary accounts.
Do this:
- Replace SMS 2FA with an authenticator app, passkey, or hardware key.
- Turn on transaction alerts.
- Set withdrawal limits.
- Use account notifications through the banking app and email.
- Remove old devices.
- Check linked phone numbers and recovery emails.
- For crypto, use withdrawal address allowlisting where available.
- Keep long-term crypto holdings in cold storage, not on an exchange.
- Never store seed phrases in email, cloud notes, screenshots, or photo galleries.
SIM swapping is especially dangerous for crypto because blockchain transactions are often irreversible. Once funds move, recovery can be difficult or impossible.
eSIM Is Not a Magic Fix
eSIM can reduce some risks linked to physical SIM cards, but it does not solve carrier account takeover.
If a criminal can convince your provider to move your number, the attack can still happen. ENISA notes that SIM swapping is a legitimate process used for replacing SIM cards and connecting phones with eSIM, but attackers abuse the provider’s ability to transfer a number to another SIM.
Use eSIM if it suits you, but do not treat it as protection by itself.
Carrier locks, stronger authentication, and removing SMS from critical accounts matter more.
What To Do If You Think You Have Been SIM Swapped
Move fast. The attacker’s advantage is speed.
Step 1: Contact your mobile provider immediately
Use another phone, web chat, or an in-store visit.
Tell them:
- Your number may have been SIM swapped or ported without permission.
- You need the number frozen or restored.
- You need all active SIMs/eSIMs reviewed.
- You want a new carrier PIN or passcode.
- You want port-out protection or number lock enabled.
- You need written documentation of the fraud.
The FCC requires US wireless providers to maintain clear processes for customers to report SIM swap and port-out fraud, promptly investigate and remediate fraud, and provide documentation of fraud involving customer accounts.
Step 2: Freeze your financial accounts
Contact your bank, credit card provider, payment apps, and crypto exchanges.
Ask them to:
- Freeze suspicious transactions
- Lock online access temporarily
- Remove unknown devices
- Reset authentication
- Monitor attempted transfers
- Block withdrawals where possible
The FTC advises checking credit card, bank, and other financial accounts for unauthorised charges or changes after a SIM swap.
Step 3: Secure your email
From a clean device:
- Change your password.
- Remove unknown recovery options.
- Remove unknown devices.
- Turn on stronger MFA.
- Save new backup codes.
- Check forwarding rules.
- Check filters and app passwords.
Attackers often create hidden email forwarding rules so they can keep spying even after you regain access.
Step 4: Change passwords on critical accounts
Start with:
- Banking
- Mobile provider
- Crypto
- Government accounts
- Cloud storage
- Social media
- Payment apps
Do not change passwords from a device you suspect is infected.
Step 5: Report the attack
Reporting depends on your country.
| Location | Where to Report |
|---|---|
| United States | Mobile provider, bank, FTC IdentityTheft.gov, FBI IC3 |
| United Kingdom | Mobile provider, bank, Action Fraud, relevant platform support |
| Australia | Mobile provider, bank, ReportCyber, Scamwatch, IDCARE |
| European Union | Mobile provider, bank, national cybercrime police or fraud reporting body |
Australia’s Cyber Security Centre advises people who have lost money to report transactions to their bank immediately, complete a ReportCyber report, stop communication with the offender, change passwords, and secure affected accounts.
The Best Defence Is Layered
No single setting will protect everything.
Use layers:
| Protection Layer | What It Does |
|---|---|
| Carrier PIN | Makes unauthorised account changes harder |
| Port-out lock | Helps stop number transfers |
| Strong carrier password | Blocks online carrier account takeover |
| Authenticator app | Removes reliance on SMS codes |
| Passkey or hardware key | Adds phishing-resistant account protection |
| Password manager | Stops password reuse from spreading damage |
| Email hardening | Protects the account recovery chain |
| Bank alerts | Helps detect fraud quickly |
| Reduced public data | Gives scammers less material to impersonate you |
The goal is simple: make your phone number less valuable.
If criminals steal your number but cannot reset your email, cannot bypass your bank security, cannot enter your crypto account, and cannot access your recovery codes, the damage is contained.
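The containment idea above can be checked against your own account list. The following is an added example, not part of the original article: it walks a constructed inventory and reports which accounts a hijacked number can reach, directly through SMS or indirectly through a mailbox that falls first. The account names, channel labels, and the simplified recovery model are assumptions made for illustration.

```python
# Constructed inventory (not real accounts). "recovery" lists the channels that
# can reset the password; "second_factor" is what login also demands.
# "sms" = code sent to the phone number, "email:<account>" = link sent to that
# mailbox. Anything else (totp, passkey, backup_codes) is independent of the number.
BEFORE = {
    "primary_email":   {"recovery": ["sms", "backup_codes"], "second_factor": "sms"},
    "bank":            {"recovery": ["email:primary_email"], "second_factor": "sms"},
    "crypto_exchange": {"recovery": ["email:primary_email"], "second_factor": "totp"},
    "social":          {"recovery": ["email:primary_email", "sms"], "second_factor": None},
    "cloud_storage":   {"recovery": ["email:primary_email"], "second_factor": None},
}

# Same inventory after two of the article's steps: SMS recovery removed from the
# main email (passkey added) and the bank moved from SMS codes to an authenticator app.
AFTER = {
    **BEFORE,
    "primary_email": {"recovery": ["backup_codes"], "second_factor": "passkey"},
    "bank":          {"recovery": ["email:primary_email"], "second_factor": "totp"},
}


def sim_swap_exposure(accounts):
    """Map each account a hijacked number can reach to the channel that opens it.

    Modelling assumption: one controlled recovery channel resets the password,
    and the account falls unless login also needs a factor the attacker lacks.
    """
    controlled = {"sms"}  # all the attacker holds right after the swap
    exposed = {}
    changed = True
    while changed:  # repeat until no new account falls (fixed point)
        changed = False
        for name, acct in accounts.items():
            if name in exposed:
                continue
            via = next((c for c in acct["recovery"] if c in controlled), None)
            factor = acct.get("second_factor")
            if via is None or (factor is not None and factor not in controlled):
                continue
            exposed[name] = via
            controlled.add("email:" + name)  # its mailbox now resets other accounts
            changed = True
    return exposed


if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, sim_swap_exposure(inventory))
```

In the constructed "after" inventory the social account is still reachable, because SMS remains one of its recovery options even though the email chain is closed.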
The Bottom Line
SIM swapping is not a complicated hack. It is identity theft through the phone system.
Criminals collect your personal information, impersonate you, convince your carrier to move your number, then use that number to attack your money, email, crypto, social media, and identity.
The fix is blunt: lock your carrier account, stop relying on SMS codes, protect your email first, use stronger authentication, and reduce the personal information criminals can weaponise.
Your phone number should be treated like a risk point, not a security guarantee.
Do the hardening before your signal disappears.