This article explains how SIM swapping steals your number, hijacks your accounts, and how to reduce your risk fast.
Your Phone Number Can Unlock More Than Calls
A SIM swap scam does not usually start with someone hacking your phone. It starts with someone tricking your mobile provider into moving your phone number to a SIM card or eSIM controlled by a criminal.
Once that happens, your phone can suddenly lose service. Their phone starts receiving your calls, texts, password reset codes, and SMS two-factor authentication codes. That is why SIM swapping can lead to drained bank accounts, stolen crypto, hijacked email, social media takeovers, and identity fraud.
The FBI defines SIM swapping as social engineering against mobile providers to transfer a victim’s phone service to a device in the criminal’s possession. In 2024, the FBI’s IC3 recorded 982 SIM swap complaints and $25,983,946 in reported losses in the United States alone.
This is not only an American problem. In the U.K., Cifas reported a 1,055% surge in unauthorised SIM swaps in 2024, with nearly 3,000 cases filed to the National Fraud Database.
The real danger is simple: many companies still treat your phone number like proof that you are you. Criminals know that.
What SIM Swapping Actually Means
SIM swapping is when your mobile number gets moved from your legitimate phone connection to a SIM or eSIM controlled by someone else.
That transfer can happen in two main ways:
| Attack Type | What Happens | Why It Matters |
|---|---|---|
| SIM swap | Your number is moved to another SIM or eSIM on the same or related network process. | Criminals receive your calls, texts, and verification codes. |
| Port-out fraud | Your number is transferred to another carrier without permission. | Criminals can take the number away from your provider entirely. |
| Account takeover through telecom access | Criminals gain access to your mobile account and make unauthorised changes. | They can alter settings, request new SIMs, or weaken protections. |
The result is usually the same: you lose control of your number, and the attacker uses it to break into other accounts.
In Canada, the Canadian Anti-Fraud Centre warns that SIM swapping and phone number porting are used to access email, social media, and financial accounts, allowing criminals to empty bank accounts, apply for credit, and impersonate victims.
How SIM Swapping Scams Work
SIM swapping is not magic. It is a repeatable fraud process built around stolen information, weak verification, and speed.
1. Criminals collect your personal information
Attackers gather details that help them impersonate you. That can include:
- Full name
- Date of birth
- Address
- Phone number
- Email address
- Partial government ID details
- Answers to weak security questions
- Data from breaches, phishing, social media, or people-search sites
They do not always need everything. They only need enough to sound convincing to a mobile provider, bank, or account support team.
2. They contact your mobile provider
The criminal pretends to be you. They may claim:
- Their phone was lost
- Their SIM stopped working
- They bought a new phone
- They need an eSIM transfer
- They are switching carriers
- They cannot access their old device
The goal is to convince the provider to move your number to a SIM or eSIM they control.
3. They pass weak identity checks
If the provider relies on basic personal information, the attacker may pass. This is where public data, breached data, phishing, and social engineering become dangerous.
A criminal does not need to defeat your phone’s encryption if they can trick a support process.
4. Your phone loses service
This is the warning sign many victims notice first.
Your phone may show:
- No Service
- SOS only
- No calls
- No texts
- No mobile data
- Failed login attempts
- Password reset alerts
Meanwhile, the attacker receives your calls and texts.
5. They reset your accounts fast
Once they control your number, criminals often hit the most valuable accounts first:
- Banking apps
- Crypto exchanges
- Payment apps
- Social media
- Cloud storage
- Shopping accounts
- Government service accounts
They use “forgot password” flows, intercept SMS codes, change passwords, add their own recovery details, and lock you out.
The Canadian Anti-Fraud Centre describes this exact pattern: criminals use the stolen number to receive verification codes, confirm account ownership, create new passwords, and take over accounts.
Why SMS Two-Factor Authentication Is Not Enough
SMS two-factor authentication is better than having no second factor. But it is weak against SIM swapping because the code goes to your phone number, not necessarily to you.
If a criminal controls your number, they may receive the code.
NIST, the U.S. digital identity standards body, warns that services using phone networks for authentication should consider risk indicators such as SIM changes, device swaps, and number porting before sending authentication secrets by phone.
A safer ranking looks like this:
| Authentication Method | Protection Level | Why |
|---|---|---|
| Hardware security key | Very high | The attacker needs the physical key. |
| Passkeys | Very high | Strong phishing-resistant login when supported. |
| Authenticator app | High | Codes are generated on your device, not sent to your phone number. |
| Push approval with strong safeguards | Medium to high | Safer than SMS if protected against approval fatigue. |
| SMS codes | Low to medium | Vulnerable if your number is stolen. |
| Password only | Very low | Easy to break through phishing, reuse, or breaches. |
The FTC gives similar advice: if you are worried about SIM swapping, use an authentication app or security key instead of relying on text message verification.
Real-World Damage: The SEC X Account Hack
SIM swapping is not only used against ordinary consumers.
In January 2024, attackers used a SIM swap connected to the U.S. Securities and Exchange Commission’s X account. The account posted a false Bitcoin ETF announcement, briefly moving the price of Bitcoin. In 2025, the U.S. Department of Justice said Eric Council Jr. was sentenced to 14 months in prison for his role in the conspiracy.
That case matters because it proves the larger point: a phone number can become the weak link in a much bigger system.
If a SIM swap can help compromise a government regulator’s social account, it can absolutely threaten your bank account, email, crypto wallet, or business login.
Warning Signs You May Be Under Attack
Do not ignore sudden phone problems. SIM swap victims often lose precious time because they assume it is a network outage.
Red flags include:
- Your phone suddenly shows No Service or SOS only
- You cannot make calls or send texts
- You receive a carrier alert about a SIM change you did not request
- You get password reset emails or login alerts
- Your banking, email, or social media accounts log you out
- Friends receive strange messages from your accounts
- Your carrier account password no longer works
- Your email recovery phone number changes
One warning sign alone does not prove SIM swapping. But sudden loss of service plus account alerts should be treated as urgent.
What To Do Immediately If Your Number Is Stolen
Speed matters. Criminals move fast because they know the window is short.
Act in this order:
- Call your mobile provider from another phone.
Tell them you suspect SIM swap or port-out fraud. - Ask the provider to freeze the account.
Request that they stop further SIM changes, port-outs, device changes, or account edits. - Ask them to reverse the unauthorised SIM swap or port.
Get your number returned to your control. - Ask for documentation.
You may need proof for your bank, police, credit bureau, or fraud report. - Secure your email first.
Your email is often the recovery hub for everything else. - Change passwords from a trusted device.
Do not use a compromised phone or computer. - Remove SMS recovery from critical accounts.
Switch to authenticator apps, passkeys, or hardware security keys. - Contact your bank, crypto exchange, and payment apps.
Ask them to freeze suspicious activity and review recent transactions. - Report the fraud.
In the U.S., the FTC advises victims to contact the mobile provider immediately, regain control of the number, change passwords, and check financial accounts for unauthorised activity.
How To Reduce Your Risk Before It Happens
You cannot make yourself impossible to target. But you can make yourself harder, slower, and less profitable to attack.
Lock Down Your Mobile Carrier Account
Start with your mobile provider.
Ask for every anti-SIM-swap and anti-port-out protection they offer. The names vary by carrier and country, but look for terms like:
- Account PIN
- Account passcode
- Number Lock
- SIM Protection
- Port-Out Protection
- Wireless Account Lock
- Number Transfer PIN
- High-risk account protection
- Extra verification for SIM changes
Major U.S. carriers now offer different forms of account locking. AT&T’s Wireless Account Lock blocks sensitive changes such as SIM/eSIM swaps, device changes, number transfers, billing changes, and authorised-user changes while enabled.
T-Mobile offers SIM Protection to prevent bad actors from moving a number to another device, plus Port Out Protection to block unauthorised number transfers to another carrier.
Verizon offers Number Lock to block moving a number to another carrier and SIM Protection to block moving a mobile number to another device.
Replace SMS Codes on Important Accounts
Prioritise the accounts that would hurt most if compromised:
- Primary email
- Bank accounts
- Crypto exchanges
- Payment apps
- Cloud storage
- Password manager
- Social media
- Government service accounts
- Business tools
Use:
- Passkeys where available
- Hardware security keys for high-value accounts
- Authenticator apps instead of SMS
- Backup recovery codes stored offline
- Strong unique passwords in a password manager
Do not use the same password across accounts. A reused password plus a stolen phone number is a gift to criminals.
Reduce the Personal Data Criminals Can Use
Many SIM swaps start with basic impersonation. Make that harder.
Do this:
- Remove your phone number from public profiles
- Hide your date of birth from social media
- Avoid posting your address, workplace, family names, or travel details
- Use fake but memorable answers for security questions
- Store those answers in a password manager
- Watch for phishing emails and fake carrier messages
- Be careful with data broker and people-search sites
New Zealand’s Own Your Online guidance makes the same point: personal information can be used to impersonate you, especially when providers rely on it for identity checks. It also recommends using app-based 2FA where possible.
Secure Your Email Like It Controls Everything
Because it often does.
Your email account is usually the reset button for your digital life. If attackers control your email, they can reset passwords across banking, shopping, social media, cloud, and work accounts.
Use the strongest protection on your email:
- Passkey or hardware security key
- Authenticator app backup
- Strong unique password
- Recovery codes stored offline
- Updated recovery email
- No SMS recovery if you can avoid it
- Login alerts enabled
If you only secure one thing today, secure your email.
What Western Regulators and Carriers Are Doing
Governments and telecom regulators are not ignoring the problem.
In the U.S., the FCC adopted rules requiring wireless providers to use secure customer authentication before redirecting a customer’s phone number to a new device or provider. The rules also require immediate customer notification for SIM change or port-out requests and require providers to offer account lock options.
In Europe, ENISA describes SIM swapping as a threat affecting banking, cryptocurrency, social media, and email accounts, and says attacks often rely on weak customer authentication, poor cyber hygiene, and lack of risk awareness.
In Australia, ACMA and the National Anti-Scam Centre warned in 2026 that mobile number fraud can give criminals access to bank accounts, myGov, subscription services, and rewards programs.
In New Zealand, the Telecommunications Forum says providers tightened SIM swap identification checks and introduced a 2FA step for number porting, requiring customers to reply “yes” to authorise a port request.
These protections help. They do not remove your responsibility.
Carrier controls can fail. Support staff can be manipulated. Personal data can be exposed. SMS codes can still be intercepted if your number is taken.
eSIM Is Not a Magic Fix
Some people assume eSIM automatically solves SIM swapping. It does not.
An eSIM may reduce some physical SIM risks, but the core weakness is often the account process. If a criminal can convince the carrier to move your number, the attack can still happen.
The better question is not “Do I have a physical SIM or eSIM?”
The better question is:
Can someone impersonate me well enough to move my number?
That is why carrier locks, account PINs, stronger authentication, and reduced public personal information matter more than the SIM format alone.
The Best Protection Stack
Use layered protection. One defense can fail. Several defenses together are much harder to beat.
| Protection Step | Why It Helps | Priority |
|---|---|---|
| Carrier PIN or passcode | Makes support impersonation harder | High |
| SIM Protection / Number Lock / Port-Out Protection | Blocks unauthorised number movement | High |
| Authenticator app instead of SMS | Removes SMS as the weak link | High |
| Hardware key or passkey | Strong protection for critical accounts | Very high |
| Password manager | Stops password reuse | High |
| Private social media details | Gives criminals less identity data | Medium |
| Account alerts | Helps you react faster | High |
| Offline recovery codes | Prevents permanent lockout | Medium |
| Secure email first | Protects your account recovery hub | Very high |
Final Takeaway: Lock Your Number Before Criminals Do
SIM swapping works because too many systems still trust your phone number as proof of identity.
That is the flaw.
Your number can receive banking codes. It can reset passwords. It can unlock email. It can help criminals hijack social accounts, crypto wallets, payment apps, and government service logins.
The fix is not complicated, but it does require action.
Lock your carrier account. Add a strong PIN. Turn on SIM protection, number lock, or port-out protection. Remove SMS codes from your most important accounts. Secure your email first. Use authenticator apps, passkeys, or hardware security keys wherever possible.
A SIM swap can happen fast.
Your protection should already be in place before the attack starts.