SIM Swap Scam
A SIM swap attack doesn’t need your password. It doesn’t need your device. It needs one thing: convincing your carrier that you are you. Once your phone number is transferred to the attacker’s SIM card, every text message sent to your number — including every two-factor authentication code for your bank, email, and crypto accounts — goes to them instead of you.
What Is a SIM Swap Attack?
A SIM swap — also called SIM hijacking or port-out fraud — is an attack in which a criminal convinces your mobile carrier to transfer your phone number from your SIM card to one they control. Once the transfer is complete, your phone loses service entirely and the attacker’s device begins receiving all calls and texts sent to your number.
The attack’s critical impact is on two-factor authentication. Tens of millions of online accounts use SMS-based 2FA — sending a verification code to your phone number when someone attempts to log in. When an attacker controls your number, they receive those codes. Combined with your password — obtained from a prior data breach, phishing attack, or data broker — they can access your email, bank accounts, cryptocurrency exchanges, and any other service tied to that number.
The FBI reported 2,026 SIM swap complaints in 2023, with losses exceeding $48 million. These figures represent only reported cases — the actual volume is significantly higher, particularly given the targeted nature of high-value attacks against cryptocurrency holders that often go unreported. Individual losses in crypto-related SIM swap cases have reached millions of dollars in documented cases.
How a SIM Swap Attack Works — Step by Step
Gathering Your Personal Information
Before contacting your carrier, the attacker collects the information needed to pass customer service verification. Your name, address, phone number, account number, and the last four digits of your Social Security number are often available from data broker databases, prior data breaches available on dark web markets, or through targeted phishing. Social media profiles frequently reveal security question answers — mother’s maiden name, pet names, hometown — that carriers use for identity verification.
Social Engineering the Carrier
The attacker calls your carrier’s customer service line posing as you — reporting a lost or damaged phone and requesting a SIM transfer to a new card they have in hand. Carrier customer service representatives are trained to be helpful, and verification processes vary significantly in rigor between carriers and individual agents. Some attackers use insider contacts at carrier stores or bribe retail employees to process fraudulent transfers without going through standard verification at all.
The Transfer Completes
Once the carrier processes the transfer, your phone immediately loses all service. You cannot make calls, send texts, or receive any communication. The attacker’s device is now receiving everything sent to your number. You may not notice immediately — many people assume a network outage or coverage issue and do not contact their carrier right away. Every minute of delay extends the window in which the attacker can use your number for account takeovers.
Rapid Account Takeover
With your number active on their device, attackers initiate password resets on your email account first — because email access enables resets of everything else. They trigger SMS-based 2FA on your bank, brokerage, and cryptocurrency exchange accounts and use the codes they receive to authorize access and transfers. The entire account takeover sequence from successful SIM swap to emptied accounts can take under 30 minutes in practiced operations.
Warning Signs You’ve Been SIM Swapped
- Your phone suddenly shows “No Service,” “SOS Only,” or “Emergency Calls Only” in an area where you normally have coverage — this is the primary immediate signal.
- You stop receiving calls and text messages without explanation.
- You receive email notifications of password reset requests you did not initiate — especially for email, banking, or cryptocurrency accounts.
- Your mobile carrier sends a confirmation of a SIM change you did not request.
- You are unable to log into accounts that previously worked — passwords have been changed after an attacker used your SMS codes to take them over.
- Unexpected transactions appear on financial accounts — bank transfers, cryptocurrency withdrawals, or purchases you did not authorize.
💡 The Single Most Effective SIM Swap Defense
Replace SMS-based two-factor authentication with an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) on every account that supports it — starting with your email and banking accounts. Authenticator apps generate codes on your device, not through your phone number. A SIM swap has zero effect on authenticator app codes. This one change eliminates the primary attack vector that makes SIM swapping so devastating. Do it before it happens to you.
Why Your Personal Data Is the Root Cause
SIM swap attacks succeed because attackers can gather enough personal information to pass carrier verification — and that information is commercially available. Data brokers compile profiles containing your name, address, phone number, date of birth, and partial Social Security information from public records, retail purchases, and data breaches. A motivated attacker can purchase a profile containing most of the information needed to impersonate you to your carrier for under $20.
The security questions used in carrier verification — and in the broader account takeover sequence — are frequently answered by public social media posts. “What was the name of your first pet?” “What street did you grow up on?” “What is your mother’s maiden name?” These answers appear routinely in anniversary posts, family photo captions, and nostalgic social media threads. Attackers research targets before making the carrier call — the call itself is often the easiest part of the attack.
SIM Swap Is an Identity Theft Attack — Is Your Protection Keeping Up?
Once an attacker controls your number, account takeover happens in minutes. Identity theft protection services with real-time account monitoring and dark web alerts can detect the early signals before damage compounds. We tested every major service — here’s which one actually responds fast enough to matter.
See Our Identity Theft Protection Rankings →What Would a SIM Swap Attack Cost You Specifically?
The average SIM swap victim loses far more than just what’s in their bank account — there are recovery costs, lost time, and downstream financial impacts most people never calculate. Use our identity theft cost calculator to see your real exposure.
Calculate Your Identity Theft Risk →What To Do If You’ve Been SIM Swapped
- Call your carrier immediately from a different phone — not your affected device — and report an unauthorized SIM transfer. Request an immediate reversal and a SIM lock placed on your account.
- While your carrier reverses the swap, change passwords for your email account first — email access is the master key to every other account reset.
- Contact your bank and cryptocurrency exchange directly using official numbers and report potential unauthorized access — request a temporary account freeze if you cannot verify account status.
- Enable authenticator app 2FA on every account the moment you regain access — remove SMS as a 2FA option wherever possible.
- Report to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov — include your carrier’s name, the date and time of the swap, and any financial losses.
- Place a credit freeze with all three bureaus — Equifax, Experian, and TransUnion — as SIM swap attacks frequently accompany broader identity theft using the same personal data.
- File a complaint with the FCC at fcc.gov/consumers/guides/filing-informal-complaint if your carrier failed to follow reasonable verification procedures.