Cleanbox

SIM Swapping Explained: How Attackers Steal Your Phone Number

Your phone number has become one of the most valuable pieces of your digital identity. It is tied to your bank accounts, your email, your social media, and dozens of other services that use it for verification. That makes it a high-value target — and attackers know it.

SIM swapping (also called SIM hijacking or a port-out scam) is an attack where a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they receive your calls, your text messages, and — critically — your SMS-based two-factor authentication codes. From there, the dominoes fall fast.

How a SIM Swap Attack Works

The mechanics of SIM swapping are disturbingly simple. The attacker does not need to hack into any system. They exploit the human element — customer service representatives who are trained to be helpful.

Step 1: Gathering Information

Before contacting your carrier, the attacker collects personal information about you. This might include your full name, date of birth, address, the last four digits of your Social Security number, or answers to common security questions. This data is readily available from data breaches (for sale on dark web marketplaces), social media profiles, public records, or data broker websites.

Step 2: Contacting the Carrier

The attacker calls your mobile carrier (or visits a store) and impersonates you. They might say they lost their phone, their SIM card is damaged, or they are switching to a new device. They provide the personal information they gathered to pass identity verification.

Carrier support representatives handle hundreds of these requests daily. The process is designed to be quick and convenient — which is exactly what makes it exploitable.

Step 3: The Transfer

Once the representative is convinced, they activate a new SIM card with your phone number. Your current SIM immediately stops working. Your phone shows “No Service” or “SOS Only.” At this point, the attacker has full control of your number.

Step 4: Account Takeover

With your phone number in hand, the attacker moves quickly — often within minutes. They initiate password resets on your email, banking, and cryptocurrency accounts. The reset codes arrive via SMS to the phone they now control. They change your passwords, lock you out, and drain what they can.

Variations of the Attack

Social engineering a carrier representative is the most common method, but it is not the only one:

  • Insider threats. Criminals recruit or bribe carrier employees to process SIM swaps without proper verification. Multiple arrests in the US and UK have revealed networks of carrier employees who were paid $500 to $1,000 per swap.
  • Port-out fraud. Instead of swapping the SIM within the same carrier, the attacker ports your number to a different carrier entirely. The process is governed by regulations designed to make switching carriers easy, which unfortunately also makes it exploitable.
  • Fake ID in stores. Some attackers visit carrier stores in person with fraudulent identification documents to request a new SIM card. In-person requests can sometimes bypass additional verification steps that phone-based requests trigger.
  • Online account compromise. If the attacker gains access to your carrier account online (through credential stuffing or phishing), they may be able to initiate a SIM change through the self-service portal without talking to anyone.

What Attackers Gain

The immediate goal of most SIM swaps is to bypass SMS-based two-factor authentication. But the downstream consequences extend much further:

Email Account Takeover

Your email is the master key to your digital life. Password reset links for virtually every service you use go to your email. If the attacker can reset your email password using an SMS code, they now control the gateway to everything else. This is why protecting your email account is paramount, and why relying on SMS 2FA for email is especially dangerous.

Financial Theft

Bank accounts, payment apps, and cryptocurrency wallets are primary targets. Cryptocurrency is particularly attractive to SIM swappers because transactions are irreversible. There is no chargeback, no fraud department to call. Once the coins are transferred, they are gone.

Identity Theft

With control of your email and phone number, an attacker can open new accounts, apply for credit, or impersonate you to your contacts. They can intercept communication and maintain access for days or weeks before you realize the full extent of the damage.

Social Media and Professional Accounts

High-profile social media accounts, gaming accounts, and even corporate accounts have been targeted. The attacker may extort the victim, sell the account, or use it for further scams.

The Scale of the Problem

SIM swapping is not a theoretical risk. The FBI Internet Crime Complaint Center (IC3) has reported a sharp increase in SIM swapping complaints year over year. In 2021, the IC3 received over 1,600 SIM swapping complaints with losses exceeding $68 million. By 2023, that figure had risen dramatically. Individual victims have lost anywhere from a few thousand dollars to tens of millions in cryptocurrency.

High-profile cases include the 2019 hack of Twitter CEO Jack Dorsey’s account (used to post offensive content), numerous cryptocurrency investors losing their holdings, and journalists and activists being targeted for surveillance.

How to Protect Yourself

Set a PIN or Passphrase on Your Carrier Account

Most carriers now allow you to set a PIN or passphrase that must be provided before any account changes (including SIM swaps) are processed. This is your most important defense. Contact your carrier and ask for:

  • Account PIN/passcode — A separate code from your online account password, required for in-store and phone support changes.
  • Port freeze or number lock — Prevents your number from being ported to another carrier without additional verification.
  • Extra security flags — Some carriers offer enhanced security that requires in-person verification with government ID for any SIM changes.

Move Away from SMS-Based 2FA

Wherever possible, switch from SMS 2FA to an authenticator app (TOTP) or a hardware security key. TOTP codes are computed on your device from a shared secret and the current time; your phone number plays no part in them, so taking over your number reveals nothing. A hardware security key such as a YubiKey cannot be intercepted remotely at all. See our complete guide to two-factor authentication for details on setting this up.

Use a Separate Email for Recovery

Create a dedicated email address that you use only for account recovery and critical logins. This email should not be associated with your phone number anywhere, should use TOTP or hardware key 2FA, and should not be an address you give out to anyone or use for general communication.

Limit Your Phone Number Exposure

The less your phone number appears in databases and online profiles, the harder it is for attackers to associate it with your accounts. Avoid using your phone number as a contact method on social media. Remove it from data broker listings. Consider using a secondary VoIP number for online signups.

Compartmentalize Your Identity with Email Aliases

One of the reasons SIM swap attacks are so effective is that attackers can piece together your identity across services. If they find your phone number in a data breach alongside your email, they have a starting point. If that same email appears on your bank, your crypto exchange, and your social media, they know exactly which accounts to target.

Using unique email aliases for each service breaks this chain. If a breach exposes the alias you used for a shopping site, the attacker cannot connect it to your banking email because they are different addresses. Cleanbox makes this practical by letting you create and manage unlimited aliases, each forwarding to your real inbox while keeping your actual email address hidden.

Monitor for Warning Signs

If your phone suddenly loses service for no apparent reason, treat it as an emergency. Contact your carrier immediately from a different phone. Other warning signs include:

  • Unexpected “SIM changed” or “Welcome to [carrier]” messages
  • Password reset emails you did not request
  • Notifications of new logins to your accounts from unfamiliar locations
  • Being unable to log into accounts where the password was recently changed
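The sequence in Step 4 (a reset code delivered by SMS, a password change, then a login from somewhere new) is also something a service can watch for on its own side, which is the defender's mirror image of the warning signs above. The following Python is an added example, not part of this article or of any Cleanbox product: it reads constructed account-event lines (the line format, field names, users and countries are all invented for the example) and flags a successful login from a country never before seen for that user when it occurs within 30 minutes of a password change completed through an SMS reset code. The baseline of "known" countries is built from earlier logins in the same log, which is a simplification of what a real system would keep in a profile store.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account-event log for the example: an ISO-8601 UTC timestamp
# followed by key=value pairs. Every user, country and event name is made up.
SAMPLE_LOG = """\
2024-05-01T09:30:00Z user=bob event=login ip_country=US result=ok
2024-05-01T09:45:00Z user=carol event=login ip_country=US result=ok
2024-05-01T10:00:05Z user=alice event=login ip_country=US result=ok
2024-05-01T10:02:10Z user=alice event=sms_code_sent purpose=password_reset
2024-05-01T10:03:40Z user=alice event=password_changed via=sms_reset
2024-05-01T10:05:02Z user=alice event=login ip_country=RO result=ok
2024-05-01T11:00:00Z user=bob event=sms_code_sent purpose=password_reset
2024-05-01T11:01:30Z user=bob event=password_changed via=sms_reset
2024-05-01T11:02:00Z user=bob event=login ip_country=US result=ok
2024-05-01T12:00:00Z user=carol event=login ip_country=DE result=ok
"""


def parse_event(line: str) -> dict:
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict with a parsed 'ts' field."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_sms_reset_takeovers(log_text: str,
                               window: timedelta = timedelta(minutes=30)) -> list:
    """Flag a successful login from a country never seen for the user when it
    follows an SMS-reset password change within `window`. Returns alert dicts."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    known_countries = defaultdict(set)  # user -> countries seen on earlier OK logins
    sms_reset_at = {}                   # user -> time of latest SMS-based password change
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "password_changed" and e.get("via") == "sms_reset":
            sms_reset_at[user] = e["ts"]
        elif e["event"] == "login" and e.get("result") == "ok":
            country = e.get("ip_country")
            reset_time = sms_reset_at.get(user)
            if reset_time is not None:
                delta = e["ts"] - reset_time
                if timedelta(0) <= delta <= window and country not in known_countries[user]:
                    alerts.append({
                        "user": user,
                        "ip_country": country,
                        "seconds_after_reset": int(delta.total_seconds()),
                        "reason": "login from unfamiliar country shortly after "
                                  "SMS-based password reset",
                    })
            # The baseline grows as logins are seen; a real system would keep
            # this in a profile store rather than rebuilding it from the log.
            known_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in detect_sms_reset_takeovers(SAMPLE_LOG):
        print(alert)
```

In the constructed log only alice is flagged: bob also resets his password through SMS but logs in from his usual country, and carol logs in from a new country without any SMS reset in the window, so neither matches. A rule like this is a trigger for step-up verification or a notification to the account holder, not proof of compromise on its own.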

What to Do If You Have Been SIM Swapped

Speed is critical. If you suspect a SIM swap, act within minutes:

  1. Contact your carrier immediately from another phone. Explain that your number has been stolen and request the swap be reversed.
  2. Change your email password from a secure device (not your compromised phone). Enable the strongest 2FA available.
  3. Change passwords on financial accounts and any service that used SMS 2FA.
  4. Check for unauthorized transactions and contact your bank or exchange to freeze your accounts if needed.
  5. File a report with your local police and with the FBI’s IC3 (if in the US) or equivalent authority.
  6. Document everything. Screenshots, timestamps, and communications will be important for any investigation or insurance claim.

The Bigger Picture

SIM swapping exposes a fundamental problem: the phone number was never designed to be an identity verification tool. It is a routing address for voice calls on a network built in the 1970s. Yet we have made it a cornerstone of modern authentication.

Until carriers implement stronger verification universally (and some are making progress with solutions like T-Mobile Account Takeover Protection and similar programs), the responsibility falls on you to minimize the damage a SIM swap can cause. Set your carrier PIN today. Move your critical accounts to TOTP or hardware keys. And stop giving your real phone number and email address to every service that asks for it.

The goal is not paranoia. It is reducing the blast radius of a single point of failure. The less your phone number can unlock, the less an attacker gains by stealing it.
