SIM Swapping Attacks: How Scammers Hijack Your Phone Number

SIM swapping lets scammers hijack your phone number and drain accounts. Learn the warning signs and how a carrier PIN stops it cold.

I got a call from my carrier’s fraud team at 11 p.m. asking why I’d just requested a new SIM in a city I’d never visited. I hadn’t. Someone had gathered enough of my details to convince a support rep to move my number onto their SIM, and for twenty minutes it belonged to a stranger.

That’s a sim swapping attack, and it can drain your bank account without a single click. The crux: your phone number is not a secure credential, it’s account metadata a call center employee can reassign in minutes — and every SMS login you rely on inherits that weakness.

Quick Answer

A SIM swap happens when a scammer tricks your carrier into porting your number to a SIM they control, using stolen personal data. Once they have it, they intercept SMS codes and reset your accounts. Stop it with a carrier PIN, a port-out lock, and app-based two-factor authentication instead of SMS.

What Is a SIM Swapping Attack?

A SIM swap is account takeover where an attacker impersonates you to your carrier. They call support with a name, billing address, and the last four of your social security number pulled from an old breach, and request a new SIM or a port to another carrier.

Once approved, your real SIM goes dead. Calls and texts meant for you route to the attacker instead. They use “forgot password” on your bank and email, intercept the SMS code, and lock you out while they clean you out.

A SIM swap is identity theft aimed at your phone number so an attacker can pass as you during account recovery.

How Do Attackers Steal Your Number?

Every swap I’ve read about or heard from readers follows the same rough sequence.

Collecting Your Details

Attackers buy or scrape data from breaches, phishing pages, or social media (birthday, mother’s maiden name). Sites like Have I Been Pwned show how often your email appears in a breach dump.

Contacting Your Carrier

Posing as you, they call or use chat, claim a “lost phone,” and request a SIM replacement or port. Weak carrier verification is why this works.

Losing Signal, Then Your Accounts

The tell to remember: your phone suddenly shows “No Service” with no explanation. That’s not a network hiccup — it’s evidence a swap is underway. Minutes later, attackers trigger resets on email and banking using your intercepted codes.

Watch for a sudden, unexplained loss of signal followed by unexpected account-lockout emails.

How Do I Stop a SIM Swap Before It Happens?

I treat this as a five-minute setup task, because the fix is cheap and the damage is not.

Set a Carrier Account PIN

Every major US carrier lets you add a separate PIN required for account changes, including SIM swaps and ports. This differs from your phone’s lock screen PIN — find it under “account security” in your carrier account.

Enable a Port-Out Freeze

Ask your carrier for a port freeze, which blocks any transfer to another carrier until you personally remove it — this stops the most damaging version of the attack.

Move Off SMS for Two-Factor Codes

Swap SMS-based two-factor authentication for an authenticator app or a passkey wherever supported. I moved my email and banking off SMS; if you haven’t set up 2FA yet, I cover the steps in my two-factor authentication setup guide.

Use a Password Manager

A SIM swap is less useful to an attacker if your accounts don’t share a password an old breach already exposed. I run everything through Bitwarden; here’s how I set it up for free, plus my notes on passwords you can remember.

Pro tip: Ask your carrier specifically for a “SIM swap PIN” or “number transfer PIN” — some reps default to describing your voicemail PIN, which does nothing to stop a swap.

Locking down carrier access and moving off SMS codes closes the two doors attackers rely on most.

What Should I Do if My SIM Was Already Swapped?

If your phone loses service unexpectedly and you didn’t request a change, treat it as an active incident.

Call Your Carrier From Another Phone

Use a friend’s phone or web chat to report the swap and request an immediate reversal, and ask them to lock the account.

Secure Your Email First

Email is the recovery key to everything else. Change its password from a trusted device and revoke active sessions. My post-breach identity checklist covers the same triage.

Check Bank and Crypto Accounts

Log in from a secure device, review recent transactions, and call your bank’s fraud line if anything looks off — banks reverse fraudulent transfers faster within the first 24 hours.

Troubleshooting tip: If your carrier app also needs SMS verification to log in, go to a physical store with photo ID — reps there restored my service and added a security PIN in about fifteen minutes.

Reclaiming your number and email within the first hour usually stops the damage before it spreads to financial accounts.

Which Two-Factor Method Is SIM-Swap Resistant?

Method SIM-Swap Resistant? Setup Effort Best For
SMS text codes No None (default) Accounts with no other option
Authenticator app Yes Low, 5 minutes Most personal accounts
Passkey Yes Low, 90 seconds Sites that support it
Hardware security key Yes Medium, one-time buy Email, banking, crypto

Anything that doesn’t touch your phone number is inherently safe from a SIM swap.

Common Mistakes to Avoid

Relying on SMS for Sensitive Accounts

Fix: switch email, banking, and crypto logins to an authenticator app or passkey first.

Skipping the Carrier PIN

Fix: set it anyway — your screen lock PIN protects the device, not your carrier support account.

Posting Personal Details Publicly

Fix: lock down birthday and family names on social profiles, since attackers use these to pass security questions.

Ignoring a Sudden “No Service” Message

Fix: treat it as urgent and call your carrier from another device.

Frequently Asked Questions

Can a SIM swap happen without me noticing?

No — the clearest sign is a sudden total loss of signal. My phone dropped to “SOS only” mid-evening with no reported outage, which tipped me off immediately.

Does a SIM swap require physical access to my phone?

No, the attacker never touches your device. They only need enough data to convince your carrier’s support team to reassign your number.

Will a new phone number stop future attempts?

Not by itself — the attacker’s real advantage is the data they’ve collected. A carrier PIN and app-based 2FA protect you regardless of your number.

Is eSIM safer than a physical SIM card?

Roughly the same risk — the vulnerability is the carrier’s verification process, not the SIM’s physical form. I still add a port-out lock on eSIM lines.

Can a password manager alone prevent a SIM swap?

No, it stops password reuse but not the carrier verification hole a SIM swap exploits. Pair it with a carrier PIN and app-based 2FA.

Conclusion

A SIM swap works because your phone number was never designed as a security credential, yet nearly every account treats it like one. Set a carrier PIN, add a port-out freeze, and move your two-factor codes to an authenticator app or passkey today.