The Rise of SIM Swapping and How to Protect Yourself

In October 2023, a cryptocurrency investor lost approximately 24 million dollars in a single afternoon. He was not hacked in any technical sense. His computer was not compromised, his passwords were not phished, his accounts were not brute-forced. An attacker simply convinced a mobile phone store employee to transfer his phone number to a new SIM card, and from there cascaded through every account protected by SMS verification.

This is a SIM swap attack, and it has become one of the most financially devastating categories of cybercrime in the world. Here is how it works, who is at risk, and what you can actually do to protect yourself.

What a SIM swap actually is

When you call your mobile carrier and say your phone was damaged or lost, they transfer your phone number to a new SIM card that you then activate in your replacement device. This is a legitimate service that carriers perform constantly. The problem is that the process relies almost entirely on human judgment at the customer service layer.

In a SIM swap attack, a criminal contacts your carrier pretending to be you. They provide enough personal information to pass the carrier verification check, and they request a SIM transfer to a new SIM card that the attacker already controls. If the carrier employee accepts the request, the victim phone number leaves their physical SIM within minutes and activates on the attacker device.

From that moment, the attacker receives every call and text sent to the victim number. Password reset codes, 2FA verification, account recovery messages, all of it.

How attackers get your information

The personal information required to pass carrier verification is not particularly hidden. Attackers typically gather it from a combination of:

• Public social media profiles that reveal your full name, date of birth, employer, and family members
• Data breach dumps circulating on criminal forums, which contain addresses, phone numbers, and even partial Social Security numbers
• Phishing attacks sent in advance of the SIM swap to collect last-four-digit verifications and security question answers
• Bribed carrier employees who bypass verification entirely for a flat fee, typically 500 to 2000 dollars per successful swap

The last category is the most alarming. Multiple federal indictments in the United States have revealed ongoing criminal partnerships between attackers and mobile store employees at every major carrier. Internal tools that were meant for legitimate customer service become weapons when an employee is willing to misuse them.

The attack cascade

A successful SIM swap is just the beginning. Once the attacker controls your phone number, they typically move through a predictable sequence.

First, they reset the password on your primary email account. Most email providers allow password resets via SMS code, which now goes to the attacker device. Within minutes, they own your email.

Next, they search your email for references to financial accounts: banks, brokerages, cryptocurrency exchanges, payment apps. Each of these typically allows password resets through your email or through SMS, both of which the attacker now controls.

Finally, they drain funds as quickly as possible, usually converting everything to cryptocurrency to make recovery difficult. High-value targets can be cleaned out within 30 minutes of the initial SIM swap.

Warning signs you are being targeted

A SIM swap attack often has subtle warning signs in the minutes before it succeeds. If you notice any of these, treat them as emergencies:

• Your phone suddenly shows No Service in an area where coverage is normally fine
• You receive unexpected texts about account changes, PIN resets, or port-out notifications
• You cannot make calls or send texts even though other people near you have full signal
• You receive a phishing call or text asking for personal information shortly before losing service

If this happens, contact your carrier immediately from another phone and request an emergency freeze on your account. Then log into your email from a device that does not use SMS for 2FA and change your password. Every minute counts.

How to defend yourself

Protection against SIM swapping requires defense at multiple layers, because any single measure can fail.

Layer 1: Carrier-level protections

Every major US carrier now offers some form of SIM swap protection. Verizon calls it Number Lock, AT&T calls it Extra Security, and T-Mobile calls it Account Takeover Protection. Enable these features. They typically require an additional PIN or in-person verification for SIM changes.

Layer 2: Remove SMS 2FA where possible

For any account that matters (email, banking, brokerages, crypto), replace SMS 2FA with an authenticator app or hardware security key. Even if a SIM swap succeeds, your accounts remain protected because the authentication never touches the phone number.

We cover the broader issues with SMS 2FA in our separate post on why SMS verification is broken.

Layer 3: Reduce your number exposure

Your phone number becomes a target only if attackers know it exists and associate it with valuable accounts. Using a temporary phone number for signups keeps your real number out of data breach dumps and marketing databases, reducing the amount of information attackers can gather to target you.

Layer 4: Separate phone numbers by purpose

Some security-focused users maintain separate phone numbers for their financial accounts, their day-to-day communications, and their public-facing presence. This way, even if one number is compromised, the damage is contained. A dedicated voice-over-IP number through a provider like Google Voice works for this purpose, because VoIP numbers cannot be SIM-swapped in the same way.

The bottom line

SIM swap attacks are not theoretical. They are happening right now to ordinary people whose phone numbers are simply associated with enough online value to make them targets. The defenses are real, effective, and mostly free. The only thing standing between your accounts and the next wave of attacks is whether you bother to set them up.