SIM swapping (also called SIM hijacking or port-out fraud) is a social engineering attack where criminals convince your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they receive all calls and SMS messages — including two-factor authentication codes for your bank, cryptocurrency exchange, email, and other accounts. High-profile victims have lost millions in cryptocurrency within minutes.
How SIM Swapping Works
Step 1: Reconnaissance
Attackers gather information about you before calling your carrier:
- Full name, date of birth, address (often from data breaches or public records)
- Last 4 digits of SSN (leaked from breaches or obtained through phishing)
- Account numbers for your carrier (from earlier account compromise or social engineering)
- Recent calls or billing information (if they already accessed your email)
Step 2: Social Engineering the Carrier
The attacker calls your mobile carrier’s customer service:
“Hi, I’m [your name]. I dropped my phone in water and it’s destroyed. I’ve already purchased a new SIM card at [store location] and I need to transfer my number to it.”
The agent asks security questions — the attacker has prepared answers from their reconnaissance. Many carriers’ security protocols are surprisingly weak — answers to these questions are often findable via social media or data brokers.
Some attackers bribe carrier employees rather than relying solely on social engineering. Former carrier employees have been convicted for accepting payments to perform unauthorized SIM swaps.
Step 3: Account Takeover
Once the SIM swap or port-out completes (often within minutes), the attacker:
- Requests “forgot password” on target accounts
- SMS verification code goes to the attacker’s phone
- Password is reset, email is changed
- MFA is disabled or changed to the attacker’s device
For cryptocurrency accounts where transactions are irreversible, funds can be drained before the victim realizes anything is wrong.
High-Profile SIM Swap Cases
- Michael Terpin (2018): Lost $23.8M in cryptocurrency; AT&T sued for failing to prevent the swap
- Twitter CEO Jack Dorsey (2019): Personal Twitter account hijacked via SIM swap combined with Twitter's text-to-tweet feature, which let whoever controlled the number post tweets by SMS
- Cryptocurrency community: Dozens of documented cases of $1M+ losses
- US DOJ cases: Multiple arrests of SIM swapping rings targeting crypto investors
Signs You’ve Been SIM Swapped
- No cell service: Your phone suddenly shows “No Service” or “SOS Only” despite being in a coverage area
- Carrier notifications: Text about a SIM change you didn’t initiate
- Can’t log into email/banking: Password reset requests you didn’t make
- Missing funds: Cryptocurrency or banking apps showing unauthorized transactions
If you’re SIM swapped: Call your carrier immediately from another phone to reclaim your number and have the fraudulent SIM deactivated. Then secure your primary email account first (it is the recovery path for everything else), contact your financial institutions and exchanges, and change all account passwords from a different, trusted device.
Protection Strategies
Carrier-Level Protections
Set a carrier account PIN / port-out PIN (marketed variously as port freeze, number lock or SIM protection):
- T-Mobile: Account settings → Security → SIM Protection (or call 611)
- AT&T: myAT&T app → Profile → Sign-in info → Account security passcode
- Verizon: My Verizon → Account → Security → Account PIN
- Google Fi: Security settings → SIM lock
The carrier PIN is a numeric code customer service must be given before any SIM change or port-out on your number is processed. It is different from the SIM card PIN your phone asks for at power-on: that PIN only protects the physical SIM in your hand and does nothing against a swap performed at the carrier. Menu locations change; if the paths above do not match, search your carrier's help pages for "port-out protection" or "number lock". This is the most direct protection.
Request a port freeze or “Do Not Port” flag:
Some carriers offer a flag on your account that prevents any port-out or SIM swap without an in-person visit with ID. Contact customer service and request this specifically; if there is no self-service option, work with the carrier’s fraud department to have a note added to your account that no changes are to be made without in-person ID verification.
Account-Level Protections
Stop Using SMS for 2FA: SMS-based two-factor authentication is defeated by SIM swapping. Replace it with:
- TOTP apps (Google Authenticator, Aegis Authenticator, Authy): Codes generated on your device, not delivered via SMS
- Hardware security keys (YubiKey, Google Titan): Physical key required — cannot be remotely intercepted
- Passkeys: FIDO2/WebAuthn credentials stored on your device (or synced through a platform account); like security keys they are bound to the site's origin, so they cannot be phished or delivered over SMS
Most major services (Google, Microsoft, Coinbase, etc.) support TOTP and hardware key 2FA. Disable SMS 2FA after setting these up, and also remove your phone number as a password-recovery option where the service allows it: an SMS recovery flow bypasses even the strongest second factor.
Email account security: Your email is the master key to all other accounts. Secure it with hardware key authentication:
- Google: Account → Security → 2-Step Verification → Add security key
- Microsoft: Security settings → Advanced security → Security key
Cryptocurrency exchanges: Enable hardware key 2FA on any exchange holding significant funds. Consider hardware wallets (Ledger, Trezor) for cold storage — off-exchange funds are immune to exchange-side SIM swap attacks.
Minimize Public Information
Reduce the reconnaissance attackers can do:
- Audit your social media for posts revealing your carrier, phone purchase date, or location
- Remove phone numbers from public LinkedIn, Instagram, and other profiles
- Opt out of data broker sites that publish personal information including carrier information
SIM swapping is largely preventable with the right controls. A carrier account PIN or port freeze stops the social-engineering route, and removing SMS from 2FA and account recovery means that even a swap carried out with insider help (see Step 2) yields the attacker nothing but your phone number. Given the potentially catastrophic financial losses, these are among the highest-priority security hygiene steps for anyone holding valuable online accounts.