SIM swapping — also called SIM hijacking — is an attack where a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they can intercept SMS verification codes, reset passwords on your accounts, and access your bank, email, and cryptocurrency wallets. The FBI reported over $68 million in SIM swapping losses in 2025, but the true figure is likely much higher because many cases go unreported.
How a SIM Swap Attack Works
Step 1: Gathering Your Information
The attacker collects personal information about you: your full name, phone number, address, date of birth, and the last four digits of your Social Security number. This data often comes from data breaches, social media, phishing emails, or dark web databases. Some attackers use social engineering to extract information directly from the victim through seemingly innocent conversations.
Step 2: Contacting Your Carrier
The attacker calls your mobile carrier (or visits a store in person) and impersonates you. They claim they lost their phone or damaged their SIM card and need the number transferred to a new SIM. Using the personal information they gathered, they answer security questions and verify identity.
In some cases, attackers bribe or coerce carrier employees directly. A T-Mobile store employee was arrested in 2025 for processing fraudulent SIM swaps for $1,000 each.
Step 3: Taking Control
Once the carrier processes the swap, your phone loses service. The attacker's device now receives all calls and texts intended for you — including SMS two-factor authentication codes.
Step 4: Draining Accounts
The attacker uses "forgot password" on your email, bank, or crypto accounts. The reset code goes to the phone number they now control. Within minutes, they can change passwords, disable security features, and transfer funds. Cryptocurrency wallets are primary targets because crypto transactions are irreversible.
Got a suspicious phone call?
Describe what they said — we'll identify the scam pattern.
No signup · 6 detection layers · Results in seconds · Cmd+Enter
Warning Signs Your SIM Has Been Swapped
- Your phone suddenly loses service. You have signal bars but cannot make calls, send texts, or use mobile data. This is the most common first sign.
- You receive unexpected password reset emails. If you get notifications about password changes you did not request, someone may be using your phone number to intercept 2FA codes.
- Your carrier notifies you of a SIM change. Some carriers send a confirmation text or email when a SIM change is processed. If you receive one you did not request, call your carrier immediately from a different phone.
- You are locked out of accounts. Suddenly unable to log into your email, bank, or social media despite using the correct password — someone has already changed it.
How to Protect Yourself from SIM Swapping
1. Set a PIN or Passcode with Your Carrier
All major US carriers allow you to set an additional PIN that must be provided before any account changes are made:
- T-Mobile: Set an account PIN in the T-Mobile app or by calling 611.
- AT&T: Set an "extra security" passcode in your account settings.
- Verizon: Set an account PIN through the My Verizon app.
Use a unique PIN that is not related to your birthday, address, or other easily guessable information.
2. Switch from SMS 2FA to Authenticator Apps
SMS-based two-factor authentication is vulnerable to SIM swaps. Switch to an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) or a hardware security key (YubiKey). Authenticator codes are generated on your device and cannot be intercepted via phone number hijacking.
3. Request a SIM Lock
Some carriers offer the ability to lock your SIM so it cannot be swapped without in-person verification with government-issued ID. Ask your carrier if this option is available.
4. Limit Personal Information Online
The less personal data available about you, the harder it is for an attacker to pass your carrier's security questions. Remove your phone number from social media profiles, use a separate email for sensitive accounts, and consider using a Google Voice number as your public-facing number.
5. Use a Password Manager
Unique, complex passwords for every account mean that even if one account is compromised, others remain safe. A password manager generates and stores these automatically.
What to Do If You Have Been SIM Swapped
- Contact your carrier immediately from a different phone. Explain that your SIM was swapped without authorization. They can reverse the swap and restore your number.
- Change passwords on all critical accounts (email, bank, crypto) using a device connected to Wi-Fi, since your mobile service is compromised.
- Contact your bank and freeze any affected accounts.
- File a report with the FTC at IdentityTheft.gov and with local law enforcement.
- Check for unauthorized activity across all accounts for the next 90 days.
SIM swapping is often preceded by phishing — the attacker needs your personal information first. If you receive suspicious emails, texts, or messages asking for personal details, check them at IsThisAScam.to before responding. Preventing the data collection phase stops the SIM swap before it starts.