SIM Swap Attack: What It Is and How to Protect Yourself in 2026
Daniel Kowalski
Mobile Security Expert & Former Telecom Fraud Investigator
In 2019, Twitter CEO Jack Dorsey had his account hijacked via a SIM swap attack. In 2021, a US man was arrested for SIM-swapping over 75 victims and stealing more than $1 million in cryptocurrency. In 2023, the SEC's official Twitter account was compromised through a SIM swap. SIM swap attacks are not theoretical — they are a growing, sophisticated threat that can empty your bank account in under an hour.
Alarming Trend: The FBI reported over 1,600 SIM swap complaints in 2023, with adjusted losses exceeding $68 million — a 400% increase from 2018 (FBI IC3 Report, 2024).
What Is a SIM Swap Attack?
A SIM swap attack — also called SIM hijacking or SIM porting fraud — is when a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once successful, the attacker receives all calls and SMS messages intended for you. This means every SMS-based OTP and 2FA code goes to the attacker instead. They can then reset passwords on your bank, email, and social media accounts — and lock you out completely.
How SIM Swap Attacks Work — Step by Step
Phase 1: Reconnaissance
The attacker collects personal information about you: full name, date of birth, address, account number, and the last 4 digits of your social security number. This is gathered from data breaches, social media, data broker sites, and phishing attacks.
Phase 2: Social Engineering the Carrier
Armed with your personal details, the attacker calls your mobile carrier's customer service and impersonates you. They claim their phone was lost or damaged and request a SIM transfer to a new SIM card they possess. Carrier employees, despite training, are susceptible to confident, well-researched social engineering.
Phase 3: Number Transfer Completed
The carrier transfers your number. Your real phone immediately loses service — calls and texts stop working. This is often the first sign a SIM swap is occurring. The attacker's phone now receives everything sent to your number.
Phase 4: Account Takeover
The attacker immediately triggers password resets on your Gmail, bank, and crypto exchange accounts. The reset OTP codes arrive on their phone. Within minutes, your accounts are compromised.
Phase 5: Financial Theft and Lockout
Cryptocurrency is transferred. Bank wire transfers are initiated. Valuable social media handles are hijacked and sold. The attacker then locks you out by changing passwords and recovery methods.
Expert Quote: 'The terrifying efficiency of SIM swap attacks is that they weaponize the carrier's own customer service system against the victim. The attacker doesn't need to hack anything — they just need to be convincing on the phone.' — Dr. Angela Rivera, Cybercrime Researcher, MIT Media Lab
Warning Signs You're Being SIM Swapped Right Now
- Your phone suddenly shows 'No Service' or 'SOS Only' when it was working fine
- You stop receiving calls and texts without explanation
- You receive a text from your carrier about a SIM change you didn't request
- You can no longer log in to accounts that previously worked
- You receive unexpected password reset emails
- Your bank sends fraud alerts for transactions you didn't make
Immediate Action: If you suspect a SIM swap, call your carrier from a landline or different phone IMMEDIATELY and ask them to lock your account. Then contact your bank to freeze transactions.
12 Ways to Protect Yourself from SIM Swap Attacks
1. Set a carrier PIN or passcode: Contact your carrier and set a unique PIN required for ANY account changes.
2. Enable carrier account lock: Many carriers offer a 'port freeze' or 'number lock' feature. Activate it immediately.
3. Switch to app-based 2FA: Use Google Authenticator, Authy, or Microsoft Authenticator instead of SMS-based 2FA.
4. Use a hardware security key: For your most important accounts, a YubiKey or FIDO2 hardware key is immune to SIM swapping.
5. Don't post your phone number publicly: Remove it from social media, public directories, and data broker sites.
6. Use a separate number for high-security accounts: Use a dedicated verification number for financial accounts.
7. Monitor your credit: Place a credit freeze at all three major bureaus.
8. Use strong, unique passwords: Combine with a password manager.
9. Enable account alerts: Set up instant alerts for all password changes and financial transactions.
10. Be wary of phishing: SIM swap attackers first gather your data through phishing. Never click unexpected links.
11. Ask your carrier about in-store-only verification: Require in-person, photo-ID verification before any account changes.
12. Consider privacy-focused carriers: Some MVNOs offer enhanced account security with additional verification layers.
What to Do If You've Been SIM Swapped
1. Call your carrier immediately from a different device and report the fraud
2. Contact your bank and cryptocurrency exchanges to freeze accounts
3. Change all passwords from a secure device using a different network
4. Report to the FTC (reportfraud.ftc.gov) and your local police
5. File a complaint with the FBI IC3 (ic3.gov) for financial losses
6. Monitor credit reports for new accounts opened in your name
SIM swap attacks exploit the trust relationship between you and your mobile carrier. The good news is that most attacks can be blocked with a few proactive steps: setting a carrier PIN and switching away from SMS-based 2FA. Your phone number is your most vulnerable digital asset. Treat it accordingly.
About Daniel Kowalski
Daniel spent 7 years investigating mobile fraud cases for a major European carrier before transitioning to consumer security education. He has directly analyzed hundreds of SIM swap cases and testified before industry regulators on carrier-level protections.