How SIM Swapping Attacks Work and How to Stop Them

Fact-checked by the SnapMessages editorial team

A SIM swapping attack is a form of identity fraud in which an attacker impersonates you to your mobile carrier and ports your phone number to a new SIM card they own. According to the FBI’s Internet Crime Complaint Center, SIM swap complaints increased by more than 400% between 2018 and 2021, with losses climbing sharply each year.

The attack is particularly dangerous because it silently hijacks the one thing most security systems trust unconditionally: your phone number. Once it succeeds, every account secured by SMS-based two-factor authentication is immediately at risk.

How Does a SIM Swapping Attack Actually Work?

A SIM swapping attack succeeds by exploiting weak identity verification at the carrier level, not any flaw in your device. The attacker first collects personal data about you — your name, address, account number, and last four digits of your Social Security number — often purchased from data breach marketplaces or harvested through phishing.

Armed with that data, the attacker calls or visits your carrier in person, claims their SIM was lost or damaged, and requests a transfer of your number. Carrier representatives, under pressure to resolve calls quickly, frequently approve the swap based on a few easily guessable data points. The process can take under 10 minutes.

What Happens After the Swap

The moment the swap completes, your phone loses signal and the attacker’s device begins receiving all your calls and SMS messages. They immediately trigger password resets on email, banking, and cryptocurrency accounts, using the intercepted SMS codes to gain entry. This attack vector is why end-to-end encryption alone cannot protect you — the threat exists at the carrier layer, not the messaging layer.

Who Do Attackers Target in SIM Swap Fraud?

Cryptocurrency holders are the most frequently targeted victims, but any account that uses SMS two-factor authentication is at risk. High-profile cases have included executives at major tech firms, social media influencers with coveted usernames, and ordinary users with significant bank balances.

Personal data used in attacks typically originates from large-scale breaches. The 2021 T-Mobile breach, which exposed data on over 76 million customers, provided exactly the kind of account details attackers need. Carrier employees have also been bribed directly — the Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have both cited insider threats as a documented attack path.

Insider Threats and Organized Crime

Organized SIM swap rings operate across multiple carriers simultaneously. The Department of Justice (DOJ) prosecuted a ring in 2023 that stole more than $400,000 in cryptocurrency from victims across multiple U.S. states. Social engineering scripts used in these attacks are sold on criminal forums, lowering the skill barrier for new attackers. If you are also concerned about other phone-based threats, our guide on how to detect and remove spyware from your phone covers complementary attack vectors.

How Do You Know If You Have Been SIM Swapped?

The clearest warning sign is a sudden, unexplained loss of cellular service on your device. If your phone shows “No Service” or “SOS Only” and a reboot does not resolve it, contact your carrier immediately. Do not wait — attackers move within minutes of completing a swap.

Secondary signals include unexpected password reset emails, notifications of login attempts on financial accounts, or contacts reporting they cannot reach you. Because SMS messages are now being delivered to the attacker’s device, you will receive no text-based alerts during the active attack window. This silence is itself a red flag.

Steps to Take Within the First Hour

• Call your carrier from a landline or a different phone — not your compromised number.
• Ask them to freeze your account and reverse any recent SIM changes.
• Change passwords on email and banking accounts using a device not tied to your phone number.
• Notify your bank directly to flag unauthorized transactions.
• File a report with the FTC at IdentityTheft.gov and with the FBI’s IC3.

How Do You Stop a SIM Swapping Attack Before It Happens?

The single most effective step is to contact your carrier and set a dedicated SIM PIN or account passcode that must be verified in person or over the phone before any number transfer is approved. AT&T, Verizon, and T-Mobile all offer this feature, though it must be enabled manually — it is not on by default.

Beyond the carrier level, replace SMS two-factor authentication with an authenticator app. Google Authenticator, Authy, and Microsoft Authenticator generate time-based one-time passwords (TOTP) that are stored on your device, never transmitted over your phone number. For high-value accounts, a FIDO2-compatible hardware key such as a YubiKey provides the strongest available protection. The NIST Digital Identity Guidelines (SP 800-63B) explicitly advise against SMS-based authentication for high-assurance use cases.

Carrier-Level and Account-Level Checklist

• Enable a SIM PIN and port-out freeze with your carrier today.
• Remove your phone number from accounts where it is the primary recovery method.
• Switch all critical accounts (email, banking, crypto) to TOTP or hardware keys.
• Use a unique, strong password for each account — a password manager removes the burden.
• Be cautious about sharing your phone number publicly online; it is the seed of most SIM swap attacks.

If you rely heavily on your phone for day-to-day connectivity, understanding how your carrier infrastructure works is important. Our overview of why RCS messaging is a significant upgrade over SMS explains how the network layer is evolving — context that also helps explain why SMS authentication remains structurally weak. You should also be aware of related social engineering threats like smishing attacks, which attackers often use to harvest the personal data needed for a SIM swap.

What Are Carriers and Regulators Doing About SIM Swap Fraud?

Regulators have stepped up enforcement, but industry change has been slow. In November 2023, the FCC adopted new rules requiring carriers to implement additional authentication before processing SIM swaps or number ports. Carriers must now notify customers immediately when a SIM change request is made — giving victims a narrow window to intervene.

The rules, detailed in the FCC’s November 2023 order on SIM swap and port-out fraud, build on earlier FTC guidance and represent the first federal mandates specifically targeting SIM swap attacks. Compliance timelines vary by carrier, and enforcement is still in early stages as of July 2025.

Ongoing Enforcement and Civil Litigation

Victims have also pursued carriers directly in civil court. Several lawsuits against AT&T and T-Mobile have resulted in settlements, creating financial incentive for carriers to tighten verification. Meanwhile, the DOJ continues to prosecute SIM swap rings under wire fraud and identity theft statutes, with sentences of up to 10 years in federal cases. Understanding broader phone privacy threats — from stalkerware to carrier-level fraud — is increasingly essential for any smartphone user.

Frequently Asked Questions

What is a SIM swapping attack in simple terms?

A SIM swapping attack is when a criminal convinces your mobile carrier to move your phone number to a SIM card they control. This lets them receive your calls and texts — including two-factor authentication codes — without touching your device. Most attacks are completed through social engineering, not hacking.

Can a SIM swap happen without my knowledge?

Yes. Many victims do not realize a SIM swapping attack has occurred until their phone loses service or they notice unauthorized account activity. Carriers are now required by FCC rules to notify customers of swap requests, but notification speed varies and attackers act fast.

Does using an authenticator app protect you from SIM swapping?

Yes, an authenticator app fully removes SMS from the two-factor authentication chain, making a SIM swap ineffective against those accounts. Apps like Google Authenticator and Authy generate codes locally on your device and are not transmitted over your phone number. This is one of the most impactful steps you can take.

What should I do immediately after a SIM swap attack?

Call your carrier from a different phone immediately and request a freeze on your account and reversal of the swap. Then change passwords on email and financial accounts from a separate, unaffected device. File reports with the FTC at IdentityTheft.gov and the FBI’s IC3 to create an official record.

Is SMS two-factor authentication still worth using?

SMS two-factor authentication is far better than no second factor at all, but it is the weakest available option. NIST explicitly classifies it as “restricted” due to SIM swap and interception risks. Upgrade to an authenticator app or hardware key for any account containing sensitive financial or personal data.

How do attackers get the personal information needed for a SIM swap?

Attackers typically source personal data from data breach databases, phishing emails, or social media research. Information as basic as your full name, billing address, and the last four digits of your Social Security number is often enough to pass carrier verification. Minimizing your public digital footprint reduces your exposure.