A SIM swap attack doesn’t need your password. It doesn’t need your device. It needs one thing: convincing your carrier that you are you. Once your phone number is transferred to the attacker’s SIM card, every text message sent to your number — including every two-factor authentication code for your bank, email, and crypto accounts — goes to them instead of you.
A SIM swap — also called SIM hijacking or port-out fraud — is an attack in which a criminal convinces your mobile carrier to transfer your phone number from your SIM card to one they control. Once the transfer is complete, your phone loses service entirely and the attacker’s device begins receiving all calls and texts sent to your number.
The attack’s critical impact is on two-factor authentication. Tens of millions of online accounts use SMS-based 2FA — sending a verification code to your phone number when someone attempts to log in. When an attacker controls your number, they receive those codes. Combined with your password — obtained from a prior data breach, phishing attack, or data broker — they can access your email, bank accounts, cryptocurrency exchanges, and any other service tied to that number.
The FBI reported 2,026 SIM swap complaints in 2023, with losses exceeding $48 million. These figures represent only reported cases — the actual volume is significantly higher, particularly given the targeted nature of high-value attacks against cryptocurrency holders that often go unreported. Individual losses in documented crypto-related SIM swap cases have reached millions of dollars.
Before contacting your carrier, the attacker collects the information needed to pass customer service verification. Your name, address, phone number, account number, and the last four digits of your Social Security number are often available from data broker databases, from prior data breaches sold on dark web markets, or through targeted phishing. Social media profiles frequently reveal security question answers — mother’s maiden name, pet names, hometown — that carriers use for identity verification.
The attacker calls your carrier’s customer service line posing as you — reporting a lost or damaged phone and requesting a SIM transfer to a new card they have in hand. Carrier customer service representatives are trained to be helpful, and verification processes vary significantly in rigor between carriers and individual agents. Some attackers use insider contacts at carrier stores or bribe retail employees to process fraudulent transfers without going through standard verification at all.
Once the carrier processes the transfer, your phone immediately loses all service. You cannot make calls, send texts, or receive any communication. The attacker’s device is now receiving everything sent to your number. You may not notice immediately — many people assume a network outage or coverage issue and do not contact their carrier right away. Every minute of delay extends the window in which the attacker can use your number for account takeovers.
With your number active on their device, attackers initiate password resets on your email account first — because email access enables resets of everything else. They trigger SMS-based 2FA on your bank, brokerage, and cryptocurrency exchange accounts and use the codes they receive to authorize access and transfers. The entire account takeover sequence, from a successful SIM swap to emptied accounts, can take under 30 minutes in practiced operations.
Replace SMS-based two-factor authentication with an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) on every account that supports it — starting with your email and banking accounts. Authenticator apps generate codes on your device, not through your phone number. A SIM swap has zero effect on authenticator app codes. This one change eliminates the primary attack vector that makes SIM swapping so devastating. Do it before it happens to you.
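Why a SIM swap has no effect on authenticator codes, shown as an added example that is not part of the original article: a minimal RFC 6238 TOTP in Python, where the only inputs are a secret stored on the device at enrollment and the current time. The secret below is the RFC's published test key, and `verify` is a hypothetical server-side helper.

```python
import base64
import hashlib
import hmac
import struct

# Constructed enrollment secret: the RFC 6238 test key, base32-encoded the way
# an authenticator QR code carries it. It never travels over SMS.
ENROLLED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps elapsed."""
    return hotp(base64.b32decode(secret_b32), unix_time // step)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Hypothetical server-side check; tolerates +/- `window` steps of clock drift."""
    key = base64.b32decode(secret_b32)
    now = unix_time // 30
    return any(
        hmac.compare_digest(hotp(key, c), submitted)
        for c in range(max(0, now - window), now + window + 1)
    )


if __name__ == "__main__":
    t = 1234567890
    code = totp(ENROLLED_SECRET_B32, t)
    print("device code:", code)
    print("server accepts:", verify(ENROLLED_SECRET_B32, code, t))
    # Someone holding the phone number but not the secret has no input
    # that yields a valid code: a different key fails verification.
    other = base64.b32encode(b"not-the-enrolled-key").decode()
    print("without secret:", verify(ENROLLED_SECRET_B32, totp(other, t), t))
```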
SIM swap attacks succeed because attackers can gather enough personal information to pass carrier verification — and that information is commercially available. Data brokers compile profiles containing your name, address, phone number, date of birth, and partial Social Security information from public records, retail purchases, and data breaches. A motivated attacker can purchase a profile containing most of the information needed to impersonate you to your carrier for under $20.
The security questions used in carrier verification — and in the broader account takeover sequence — are frequently answered by public social media posts. “What was the name of your first pet?” “What street did you grow up on?” “What is your mother’s maiden name?” These answers appear routinely in anniversary posts, family photo captions, and nostalgic social media threads. Attackers research targets before making the carrier call — the call itself is often the easiest part of the attack.
Once an attacker controls your number, account takeover happens in minutes. Identity theft protection services with real-time account monitoring and dark web alerts can detect the early signals before damage compounds.
The average SIM swap victim loses far more than just what’s in their bank account — there are recovery costs, lost time, and downstream financial impacts most people never calculate.