What Is SIM Swapping and How to Protect Your Number
SIM swapping lets criminals steal your phone number and bypass every account you own. Learn exactly how it works and how to protect yourself right now.
6/3/2026 | 11 min read
Category: Mobile Security | Reading Time: 12 minutes
IN THIS ARTICLE
1. What SIM swapping actually is — in plain English
2. How a SIM swap attack happens step by step
3. What criminals do once they have your number
4. Warning signs your number has been swapped
5. How to protect yourself before it happens
6. What to do immediately if it happens to you
7. Frequently asked questions
Imagine waking up one morning to find your phone has no signal. You assume it is a network glitch and think nothing of it. But while you are waiting for service to return, a criminal on the other side of the country is using your phone number to receive your bank's one-time security codes and drain your accounts.
This is SIM swapping — and it is one of the fastest growing forms of financial fraud in the world.
According to data from the FBI's Internet Crime Complaint Center, there were 982 reported SIM swapping complaints in the United States in a recent year, resulting in losses of nearly 26 million dollars. Cybersecurity researchers note that the true scale is likely significantly higher, as many victims do not report the crime.
In the United Kingdom, the fraud prevention service Cifas documented a rise in SIM swap incidents of over 1,000 percent in recent years — one of the most dramatic increases of any category of financial fraud.
https://deepstrike.io/blog/sim-swap-scam-statistics-2025
The Federal Communications Commission (FCC) has described SIM swapping as a fraud that allows criminals to wreak havoc on people's financial and digital lives without ever gaining physical control of their phone.
This guide explains exactly how SIM swapping works, why it is so dangerous, and the specific steps you can take to protect your phone number before it is too late.
What SIM Swapping Actually Is — In Plain English
Your SIM card is the small chip inside your phone that links your device to your phone number. It is what allows your phone to make calls, send texts, and receive data.
When you get a new phone, or lose your SIM card, your mobile network can transfer your number to a new SIM card. This is a legitimate and routine process — but it is also the process that criminals exploit.
In a SIM swap attack, a criminal contacts your mobile network provider and convinces them to transfer your phone number to a SIM card that the criminal controls. Once the transfer is complete, your phone loses all signal — and every call and text meant for you, including one-time security codes from your bank and other accounts, goes to the criminal's device instead.
The FCC defines SIM swapping as a fraud in which a bad actor convinces a victim's wireless provider to transfer the victim's mobile service and number from the victim's phone to a device in the bad actor's possession.
The terrifying aspect of this attack is that your phone, your passwords, and your accounts are never physically touched. The criminal never needs to steal your device. They simply steal your phone number — and with it, the ability to bypass every security measure that relies on SMS verification.
The US consumer research group PIRG describes SIM swapping as particularly dangerous in the era of two-factor authentication, precisely because it turns a security feature — the one-time code sent to your phone — into the attack's primary weapon.
https://pirg.org/edfund/articles/sim-swap-scams-can-be-devastating/
How a SIM Swap Attack Happens Step by Step
Understanding the mechanics of a SIM swap attack is the best preparation for preventing one.
Step 1: The Criminal Gathers Your Personal Information
Before contacting your mobile network, a criminal needs enough personal information to impersonate you convincingly. They gather this through:
Social media research — Your name, date of birth, address, and other details that are publicly visible on your social media profiles.
Data breaches — Personal information leaked in previous data breaches is bought and sold on criminal marketplaces. Your date of birth, address, and account details from a breach years ago may be all a criminal needs.
Phishing — A targeted phishing email or message tricks you into entering personal details on a fake website, providing the criminal with exactly what they need.
Social engineering calls — A criminal calls you directly, pretending to be from your mobile network or a government agency, and tricks you into revealing security details over the phone.
Step 2: The Criminal Contacts Your Mobile Provider
Armed with your personal details, the criminal contacts your mobile network — by phone, online chat, or in person at a store — and impersonates you. They claim to have lost their phone or SIM card and request a transfer of your number to a new SIM.
The FCC's enforcement guidance notes that this fraudulent activity succeeds when mobile providers use weak identity verification processes that can be defeated using personal information gathered through social engineering or data breaches.
Step 3: Your Number Is Transferred
If the mobile provider is convinced, your number is transferred to the criminal's SIM card. Your phone immediately loses signal and displays no service. At this point, the criminal has control of your phone number.
Step 4: The Criminal Accesses Your Accounts
With your phone number, the criminal can now:
Request password resets on your email, banking, and social media accounts.
Receive the SMS verification codes sent to confirm those resets.
Use those codes to bypass two-factor authentication entirely.
Take full control of your accounts before you realise anything has happened.
The Cybersecurity and Infrastructure Security Agency (CISA) has specifically highlighted SIM swapping as one of the key methods attackers use to defeat SMS-based multi-factor authentication, and recommends that individuals and organisations move away from SMS verification towards more secure alternatives.
Step 5: The Damage Is Done Rapidly
Once a criminal has access to your email account — which receives password reset links for every other account — the cascade of account takeovers can happen within minutes. Trend Micro's cybersecurity research team has documented cases where victims discovered the attack only after their bank accounts had already been emptied and their social media accounts taken over.
https://www.trendmicro.com/en/what-is/cyber-attack/types-of-cyber-attacks/sim-swapping-scams.html
What Criminals Do Once They Have Your Number
The goal of most SIM swap attacks is financial theft — but the damage can extend well beyond money.
Empty Your Bank Accounts
With access to your phone number, a criminal can reset your online banking password and receive the SMS verification code needed to confirm the reset. Once inside your banking app, they can transfer funds, set up new payees, and drain your accounts before you regain control of your number.
Take Over Your Email Account
Your email account is the master key to your entire digital life. A criminal who resets your email password using your phone number can then use your email to reset every other account you own. The FCC has noted that this cascading account takeover is one of the most damaging aspects of SIM swap fraud.
Steal Cryptocurrency
Cryptocurrency accounts are a primary target of SIM swap attackers because transactions are irreversible. Once cryptocurrency is transferred out of a victim's wallet, it cannot be recovered. High-profile SIM swap cases have involved cryptocurrency thefts ranging from thousands to millions of dollars.
Commit Identity Fraud
With access to your email and personal accounts, a criminal has enough information to apply for loans, open credit accounts, and commit identity fraud in your name — damage that can take years to fully resolve.
Sell Your Number and Accounts
In some cases, criminals do not exploit the access themselves but sell the taken-over number and account credentials on criminal marketplaces, passing the damage on to a second set of criminals.
Warning Signs Your Number Has Been Swapped
The earlier you detect a SIM swap attack, the less damage it can cause. Watch for these warning signs — and act immediately if you notice them.
Your phone suddenly shows no signal, no service, or emergency calls only — without any obvious reason such as being in a low-coverage area. This is the most immediate and reliable warning sign of a SIM swap in progress.
You receive unexpected notifications about a SIM change or new device activation from your mobile provider — a message you did not request.
You receive password reset emails or two-factor authentication codes for accounts you are not trying to access. This indicates someone else is attempting to log into your accounts using your phone number.
You find yourself locked out of email, banking, or social media accounts you were previously able to access.
Your contacts receive unusual messages from your accounts — indicating that a criminal has already taken over and is using your accounts to target your network.
You receive bank alerts for transactions, new payees, or account changes you did not authorise.
Trend Micro's security research team notes that in practice, victims often notice something small — such as losing network coverage — before discovering unauthorised activity. By then, attackers may already be accessing sensitive accounts.
https://www.trendmicro.com/en/what-is/cyber-attack/types-of-cyber-attacks/sim-swapping-scams.html
CRITICAL: If your phone loses signal unexpectedly — particularly if you are in an area with normally good coverage — do not wait. Call your mobile provider immediately from a different phone. Time is the most important factor in limiting the damage of a SIM swap attack.
How to Protect Yourself Before It Happens
Set a SIM Lock or Port Freeze With Your Mobile Provider
Most mobile networks allow you to add a PIN, passcode, or additional security question to your account that must be provided before any SIM change or number transfer can be processed. This is your most direct protection against SIM swapping.
Contact your mobile provider directly and ask them to add a SIM lock, account PIN, or port freeze to your account. The FCC's new rules now require mobile providers to send customers immediate notification before any SIM change is processed — but adding a PIN creates an additional barrier that notification alone does not provide.
Switch From SMS-Based Two-Factor Authentication to an Authenticator App
SMS-based two-factor authentication, where a code is sent to your phone by text, is defeated entirely by a successful SIM swap. CISA and the Cyber Safety Review Board both recommend moving away from SMS-based authentication towards authenticator apps, which generate codes on your device rather than receiving them by text.
Authenticator apps are free, available on all major app stores, and generate codes that work without any mobile signal — making them immune to SIM swap attacks. Switching your most important accounts — email, banking, and social media — from SMS codes to an authenticator app is one of the single most effective steps you can take.
Reduce Your Publicly Available Personal Information
SIM swap attacks begin with a criminal gathering your personal details. The less personal information you share publicly — on social media, in online forums, in public profiles — the harder it is for a criminal to gather the information needed to impersonate you convincingly to your mobile provider.
The National Cyber Security Centre (NCSC) advises reducing the amount of personal information available about you online as a foundational protective habit against a wide range of attacks, including SIM swapping.
https://www.ncsc.gov.uk/collection/phishing-scams
Use Strong, Unique Passwords for Every Account
While passwords are not the direct target of a SIM swap attack, accounts protected by unique strong passwords are harder to take over even after a SIM swap — because the criminal still needs to know the current password before requesting a reset.
Using a password manager to maintain strong, unique passwords across all accounts adds a layer of protection that slows a criminal even if they succeed in swapping your SIM.
Be Extremely Cautious With Personal Information Over the Phone
Social engineering calls are one of the primary methods criminals use to gather information before a SIM swap. Never confirm your date of birth, account details, or security questions to someone who calls you — regardless of who they claim to be. If in doubt, hang up and call the organisation back on a verified number.
Monitor Your Accounts Regularly
Set up transaction alerts on your bank accounts so that any movement of funds triggers an immediate notification. Check your email account's login history periodically for unrecognised access. The faster you detect suspicious activity, the faster you can respond.
What to Do Immediately If It Happens to You
Speed is critical. Every minute of delay gives the criminal more time to access and drain your accounts.
Step 1: Call your mobile provider immediately — from a different phone, a landline, or a borrowed device. Explain that you believe you are the victim of a SIM swap. Ask them to deactivate the fraudulent SIM and restore service to your account immediately.
Step 2: Contact your bank's fraud team as soon as possible. Ask them to freeze your accounts and flag any recent transactions as potentially fraudulent. Many banks can reverse unauthorised transactions if they are reported quickly enough.
Step 3: Change the passwords on your most important accounts — particularly email and banking — from a device that does not rely on SMS verification to confirm the change.
Step 4: Switch your two-factor authentication from SMS to an authenticator app on every account that offers this option.
Step 5: Document everything. Record the date, time, and details of when you noticed the attack, every call you make to your provider and bank, and every piece of evidence of unauthorised activity.
Step 6: Report to the authorities. In the US, report to the FTC at identitytheft.gov and to the FBI's Internet Crime Complaint Center at ic3.gov.
In the UK, report to Action Fraud at actionfraud.police.uk.
https://www.actionfraud.police.uk
In India, report to the National Cyber Crime Reporting Portal at cybercrime.gov.in or call the National Cyber Crime Helpline on 1930.
Step 7: Warn your contacts. If the criminal accessed your accounts before you stopped them, let your contacts know through a different channel — they may have already received fraudulent messages sent in your name.
Frequently Asked Questions
How do criminals get enough information to impersonate me to my mobile provider?
They gather personal information through a combination of sources — social media profiles, data breaches, phishing attacks, and social engineering calls. The security questions used by mobile providers to verify identity — such as your date of birth, address, or mother's maiden name — are often answers that can be found or guessed from publicly available information.
Is two-factor authentication still worth using after learning about SIM swapping?
Yes, absolutely. Two-factor authentication still protects against the vast majority of account attacks. SIM swapping specifically targets the SMS-based version of two-factor authentication. Switching to an authenticator app, rather than abandoning two-factor authentication entirely, gives you the protection of two-factor authentication without the SIM swap vulnerability. CISA strongly recommends two-factor authentication for all accounts, with an authenticator app preferred over SMS.
Can I prevent a SIM swap entirely?
No protection is absolute, but setting a SIM lock or account PIN with your mobile provider, using an authenticator app instead of SMS verification, and keeping your personal information private collectively make a SIM swap attack significantly harder and less rewarding to attempt. Most criminals move on to easier targets.
How quickly can the damage happen after a SIM swap?
Very quickly. Trend Micro's security researchers have documented cases where victims' bank accounts were accessed and drained within minutes of the SIM swap being completed. This is why detecting the warning signs early — particularly the sudden loss of mobile signal — and acting immediately is so important.
https://www.trendmicro.com/en/what-is/cyber-attack/types-of-cyber-attacks/sim-swapping-scams.html
Are eSIMs safer than physical SIM cards against SIM swapping?
An eSIM is embedded in the device and cannot be physically stolen like a physical SIM card — but the underlying vulnerability remains. The process of transferring a number to an eSIM can be exploited using the same social engineering techniques as a physical SIM swap. The protective measures described in this article — particularly setting an account PIN and using an authenticator app — apply equally to eSIM users.
What if my mobile provider refuses to help quickly?
Escalate immediately. Ask to speak to the fraud department rather than general customer service. Reference the fact that you are the victim of a SIM swap fraud, not a routine account query. If you cannot reach the fraud team quickly, go to the nearest physical store with photo identification. In parallel, contact your bank to freeze accounts without waiting for the mobile provider to resolve the SIM issue.
Can I get my money back after a SIM swap?
Whether you can recover lost funds depends on how quickly you report the fraud and your bank's policies. Many banks will investigate and in some cases reimburse unauthorised transactions — but speed of reporting is critical. Cryptocurrency losses are almost never recoverable due to the irreversible nature of blockchain transactions. Report to your bank and the relevant authorities immediately and retain all documentation.
The Bottom Line
SIM swapping is one of the most dangerous forms of cyber fraud precisely because it turns your phone number — the thing you use to prove your identity — into the attacker's primary weapon. As the FCC, CISA, the FBI, and cybersecurity researchers from Trend Micro and others have all documented, the attack is growing rapidly and the financial consequences can be devastating.
But it is also highly preventable.
Set an account PIN with your mobile provider today. Switch your most important accounts from SMS verification to an authenticator app. Reduce the personal information you share publicly. And if you ever notice your phone losing signal unexpectedly — act immediately. Do not wait.
Share this article with someone who uses SMS-based two-factor authentication. One conversation about switching to an authenticator app could be the difference between a secure account and a drained bank balance.