Security Education
How attackers hijack your phone number to bypass security
SIM swapping is a targeted attack where criminals convince your mobile carrier to transfer your phone number to a SIM card they control. Once successful, they receive all your calls and text messages—including those two-factor authentication codes you thought were keeping your accounts secure.
The attack begins with reconnaissance. Attackers gather information about their target—name, address, phone number, account details, and answers to common security questions. Data breaches are a primary source for this information.
Armed with this data, the attacker contacts the victim's mobile carrier. They pose as the legitimate account holder, claiming they need to transfer their number to a new SIM card—perhaps because their phone was lost, stolen, or damaged.
If the carrier's representative is convinced, they deactivate the victim's SIM and activate the attacker's. Suddenly, the victim's phone loses service, and the attacker begins receiving all their calls and texts.
SIM swapping relies on social engineering, and social engineering relies on information. Every data breach that exposes your name, address, phone number, or security question answers makes you more vulnerable.
Attackers piece together profiles from multiple breaches. Your address from one leak, your phone number from another, your mother's maiden name from a third. The more data available, the more convincing their impersonation becomes.
With control of your phone number, attackers can bypass SMS-based two-factor authentication on virtually any account. Email accounts are typically the first target—once compromised, they enable password resets on everything else.
Bank accounts, cryptocurrency wallets, social media profiles, and cloud storage can all be compromised in quick succession. Victims have reported losing access to dozens of accounts within hours of a successful SIM swap.
Financial losses can be devastating. High-profile cryptocurrency investors have lost millions to SIM swapping attacks. For average consumers, the loss of access to accounts and the effort required to recover can be equally traumatic.
SIM swappers target people whose information is already leaked. Search for your phone number to see if it appears in breach databases.
Search Your Phone Number