SIM swap fraud gives an attacker control of your phone number — and within minutes they can drain your bank account, take over your email, and empty a crypto wallet. The attack does not require malware on your device; it relies entirely on social engineering your mobile carrier.
This guide explains exactly how SIM swap works, how to recognize it before or as it happens, and the specific steps you can take today to make your account significantly harder to attack.
How SIM Swap Fraud Works
The attack chain
A SIM swap attack typically follows this sequence:
- Reconnaissance. The attacker gathers your personal information — name, address, phone number, last four digits of your Social Security Number (or equivalent), account number, and email address. This data comes from data breaches, phishing emails, social media, or the dark web.
- Impersonation. The attacker contacts your carrier’s customer service — by phone, chat, or in person at a retail store — and claims to be you. They say your SIM was lost or damaged and ask to transfer your number to a new SIM they control.
- Social engineering the carrier. If the agent is convinced by the information provided, they execute the transfer. Authentication failures on the agent’s part are the primary enabling factor in most reported attacks.
- Number takeover. Your phone immediately loses service. The attacker’s device now receives all calls and SMS messages sent to your number.
- Account takeover. The attacker triggers “forgot password” flows on your email, banking, or crypto accounts. Password reset codes arrive via SMS to their device. They set new passwords and lock you out — often within minutes.
Why SMS-based 2FA is the critical vulnerability
SMS two-factor authentication was designed to add a second layer of security. In the context of SIM swap, it becomes the attack’s primary target. Once an attacker controls your number, SMS codes are delivered directly to them. The protection inverts: the 2FA mechanism intended to protect you now helps the attacker take over your account.
This is why security researchers and regulators recommend moving high-value accounts away from SMS-based 2FA toward authenticator apps or hardware security keys.
Who are the primary targets?
Any account that uses SMS-based 2FA is theoretically at risk, but attackers concentrate effort where the payoff is highest:
- Cryptocurrency exchange accounts and wallets
- Online banking and brokerage accounts
- Primary email accounts (which are used for password recovery on everything else)
- Social media accounts with large followings or monetization
Prominent cases have involved losses in the hundreds of thousands to millions of dollars. The FBI’s IC3 recorded 982 SIM swap complaints in the US in 2024, with reported losses of approximately $26 million — averaging over $26,000 per victim.
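The account takeover step, and the role of the primary email account in password recovery, can be modelled as a small dependency graph. The following Python is an added example, not part of the original guide; the account inventory, the function names, and the rule that an app or key second factor is still required after a password reset are assumptions made for illustration.

```python
import copy

# Constructed inventory (an assumption, not data from the guide). "recovery"
# lists what can reset the password: "sms" is the phone number; any other value
# names another account here or a channel outside the model ("backup_codes").
ACCOUNTS = {
    "email":  {"twofa": "sms",  "recovery": ["sms"]},
    "bank":   {"twofa": "sms",  "recovery": ["email"]},
    "crypto": {"twofa": "totp", "recovery": ["email"]},
    "social": {"twofa": "none", "recovery": ["email", "sms"]},
}

def blast_radius(accounts):
    """Accounts that fall once the phone number is in someone else's hands.

    Modelling assumption: an account falls when one of its recovery channels
    is controlled and its second factor is SMS or absent; an app or key factor
    is assumed to still be required after a password reset.
    """
    controlled = {"sms"}
    fallen = []
    changed = True
    while changed:  # repeat until no further account falls
        changed = False
        for name, acct in accounts.items():
            if name in controlled:
                continue
            reset_ok = any(ch in controlled for ch in acct["recovery"])
            if reset_ok and acct["twofa"] in ("sms", "none"):
                controlled.add(name)
                fallen.append(name)
                changed = True
    return fallen

def harden(accounts, name):
    """Copy of the inventory with one account moved off SMS (2FA and recovery)."""
    out = copy.deepcopy(accounts)
    kept = [ch for ch in out[name]["recovery"] if ch != "sms"]
    out[name].update(twofa="totp", recovery=kept or ["backup_codes"])
    return out

def best_first_migration(accounts):
    """The account whose hardening shrinks the blast radius the most."""
    return min(accounts, key=lambda n: len(blast_radius(harden(accounts, n))))

if __name__ == "__main__":
    print("baseline:", blast_radius(ACCOUNTS))
    print("after hardening email:", blast_radius(harden(ACCOUNTS, "email")))
    print("migrate first:", best_first_migration(ACCOUNTS))
```

With this inventory, hardening the email account removes every account that depended on it for resets; only the account that accepts SMS resets directly remains exposed.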
Warning Signs and Immediate Response
Signs you are under attack right now
- Sudden loss of mobile service. Your phone shows “No Service,” “SOS Only,” or similar, even in an area with normal coverage. This is the most reliable real-time indicator.
- Unexpected carrier notification. A text or email from your carrier saying a SIM change was requested or completed.
- Locked out of accounts. You receive “password changed” or “new login” alerts for accounts you did not touch.
- Calls and texts not being received. Friends report calling you but reaching a different voicemail or getting no answer.
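When alerts from the carrier and from your accounts are collected in one place, the indicators above can be correlated automatically. The following Python is an added example, not part of the original guide; the feed format, the event names and the 30-minute window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption; the guide only says "within minutes"
NUMBER_EVENTS = {"no_service", "sim_change", "port_out"}
ACCOUNT_EVENTS = {"reset_code_sent", "password_changed", "new_login"}

# Constructed sample feed in a hypothetical "timestamp source event" format.
SAMPLE = """\
2025-03-04T09:15:00 bank new_login
2025-03-04T14:02:10 phone no_service
2025-03-04T14:03:41 carrier sim_change
2025-03-04T14:06:02 email reset_code_sent
2025-03-04T14:06:30 email password_changed
2025-03-04T14:11:54 exchange password_changed
not a valid line
2025-03-05T08:00:00 social new_login
"""

def parse(feed):
    """Yield (time, source, event) tuples, skipping lines that do not parse."""
    for line in feed.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0]) if len(parts) == 3 else None
        except ValueError:
            ts = None
        if ts is not None:
            yield ts, parts[1], parts[2]

def correlate(feed, window=WINDOW):
    """Find number-level events followed by account alerts within `window`."""
    events = sorted(parse(feed))
    incidents = []
    for i, (ts, _source, event) in enumerate(events):
        if event not in NUMBER_EVENTS:
            continue
        if incidents and ts - incidents[-1]["start"] <= window:
            continue  # same incident, e.g. no_service followed by sim_change
        accounts = sorted({s for t, s, e in events[i + 1:]
                           if e in ACCOUNT_EVENTS and t - ts <= window})
        if accounts:
            incidents.append({"start": ts, "trigger": event, "accounts": accounts})
    return incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE):
        print(inc["start"].isoformat(), inc["trigger"], "->", ", ".join(inc["accounts"]))
```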
What to do immediately
If you suspect a SIM swap is in progress:
- Call your carrier from a landline or a different phone immediately. Do not wait.
- Ask the carrier to reverse the SIM swap and lock your account against further changes.
- Change your email password from a device not connected to your phone number.
- Revoke active sessions on email, banking, and cryptocurrency accounts.
- Enable a new, stronger authentication method on critical accounts.
- File reports with:
  - FBI Internet Crime Complaint Center: ic3.gov
  - US Federal Trade Commission: reportfraud.ftc.gov
  - Your local police (required by some financial institutions for fraud claims)
How to Protect Yourself
Step 1: Enable your carrier’s SIM lock or account lock
This is the single highest-impact protective action. All three major US carriers now offer free account lock features:
AT&T — Wireless Lock: AT&T introduced Wireless Account Lock in 2025. When enabled, it blocks 12 categories of account changes, including SIM swaps, device changes, number transfers (port-outs), and certain billing modifications. Enable it via the myAT&T app under account security settings.
Verizon — SIM Protection and Number Lock: Verizon offers two separate controls: SIM Protection (blocks unauthorized SIM or device changes) and Number Lock (prevents your number from being ported out). Both are free and available through the My Verizon app.
T-Mobile — SIM Lock: T-Mobile allows customers to lock their SIM against swaps and block unauthorized port-outs through the T-Mobile app or their online account.
Carriers in other countries have equivalent features under various names — check your carrier’s account security settings or security center.
Important: Under FCC rules adopted in 2023 and fully effective in 2025, US wireless providers are required to offer customers a free account lock option and to notify customers immediately when a SIM swap or port-out request is received on their account. If your carrier does not appear to offer this, contact their support and request it explicitly.
Step 2: Set a carrier account PIN
A separate PIN (distinct from your phone’s screen lock) adds a second authentication factor that a customer service agent must verify before making account changes. Choose a PIN that is not derived from your birthday, address, or the last four digits of your Social Security Number — all of which may be available to an attacker.
Step 3: Replace SMS 2FA on high-value accounts
Move your most critical accounts from SMS-based 2FA to one of these stronger alternatives:
- Authenticator app (Google Authenticator, Authy, Microsoft Authenticator): Generates time-based one-time passwords (TOTP) locally on your device. Not vulnerable to SIM swap because codes are never sent over your phone number.
- Hardware security key (YubiKey, Google Titan Key): Physical device that must be plugged in or tapped near your phone. The strongest protection available for consumer accounts.
- Passkeys: A newer standard replacing passwords entirely, tied to your device’s biometrics. Increasingly supported by major platforms as of 2024–2025.
Priority order for migrating away from SMS 2FA: primary email account first (because it controls password recovery everywhere else), then financial accounts, then cryptocurrency, then other accounts.
Step 4: Minimize your public footprint
Attackers build their dossier from publicly available information. Audit what personal data is visible:
- Review your social media profiles and remove or restrict your phone number, address, and date of birth.
- Opt out of data broker sites that aggregate and sell personal information (services like DeleteMe or manual opt-outs).
- Use a separate email address for financial accounts — one that is not publicly associated with your name or phone number.
- Be cautious about what you post after travel, purchases, or financial events that might mark you as a high-value target.
Step 5: Add a passphrase or verbal password to your carrier account
Many carriers allow you to set a verbal passphrase or secondary password that agents must ask for when handling account changes in person or over the phone. This is different from the account PIN used for automated authentication. Enable both if your carrier supports them.
eSIM and SIM Swap Risk
Does eSIM eliminate the risk?
eSIM (embedded SIM) offers meaningful security improvements over physical SIM in the context of SIM swap:
- There is no physical card to claim was “lost” or “damaged.” This removes the most common pretext used in in-store attacks.
- eSIM activation requires digital authentication, typically involving QR codes, account passwords, and device-level verification.
- Your carrier can see that the eSIM is bound to a specific device, making unauthorized transfers more detectable.
As a result, eSIM is considered more resistant to social engineering attacks at the physical point of sale.
However, eSIM does not eliminate all risk. Account-level attacks — where an attacker convinces a carrier’s phone support team to transfer an eSIM profile to a new device — remain possible. UK data shows eSIM-related fraud cases rising from 18 in 2022 to 763 in 2024 as eSIM adoption increased.
The practical conclusion: Switching to eSIM and enabling your carrier’s account lock together provide substantially better protection than either measure alone. eSIM without an account lock leaves you exposed to phone-based social engineering.
For more on how eSIM works and its security architecture, see the eSIM guide.
Dual SIM and SMS 2FA abroad
A related concern: if you travel internationally with a travel eSIM for data, ensure your home SIM remains active for receiving 2FA codes. Removing or deactivating your home SIM while abroad can leave you unable to receive authentication codes for banking and other services. See the travel eSIM guide for how to set up dual SIM correctly for travel.
International Perspective
SIM swap fraud is a global problem, with particularly high case volumes in the United States, United Kingdom, and South Africa.
- United States: The most documented market. FBI IC3 data shows 2,026 complaints in 2022 ($72.6M in losses), dropping to 1,075 in 2023 and 982 in 2024 ($26M in losses). The decrease coincides with FCC rule changes and carrier security improvements.
- United Kingdom: Cifas reported nearly 3,000 unauthorized SIM swaps in 2024, with a reported 1,055% surge in cases. UK cases often involve telecom insider threats where retail employees are recruited by criminal networks.
- Australia: IDCARE reported a 240% increase in people seeking help for phone porting and SIM swap fraud in 2024 versus 2023.
- South Africa: Reports high rates of SIM swap fraud, commonly used against banking customers via “one-time password” interception.
The underlying mechanism is identical across markets — only the carrier procedures and regulatory protections vary. The protective steps in this guide apply universally; the specific lock/PIN feature names vary by carrier and country.
Summary: Your Protection Checklist
| Action | Priority | Effort |
|---|---|---|
| Enable carrier account lock (AT&T Wireless Lock / Verizon Number Lock / T-Mobile SIM lock) | Critical | 5 minutes |
| Set a carrier account PIN (not birthday or SSN digits) | Critical | 5 minutes |
| Move primary email to authenticator app 2FA | High | 15 minutes |
| Move banking accounts to authenticator app 2FA | High | 15 minutes |
| Move crypto accounts to hardware key or authenticator app | High | 30 minutes |
| Remove phone number from public social media profiles | Medium | 15 minutes |
| Set a verbal passphrase on your carrier account | Medium | 10 minutes |
| Consider switching to eSIM | Medium | Varies by carrier |
No single measure provides complete protection. Combining a carrier account lock, a strong carrier PIN, and authenticator-app-based 2FA on your most important accounts eliminates the overwhelming majority of SIM swap attack vectors.