SIM Swapping Explained

SIM swapping is a targeted attack where criminals convince your mobile carrier to transfer your phone number to a SIM card they control. Once successful, they receive all your calls and text messages—including those two-factor authentication codes you thought were keeping your accounts secure.

How SIM Swapping Works

The attack begins with reconnaissance. Attackers gather information about their target—name, address, phone number, account details, and answers to common security questions. Data breaches are a primary source for this information.

Armed with this data, the attacker contacts the victim's mobile carrier. They pose as the legitimate account holder, claiming they need to transfer their number to a new SIM card—perhaps because their phone was lost, stolen, or damaged.

If the carrier's representative is convinced, they deactivate the victim's SIM and activate the attacker's. Suddenly, the victim's phone loses service, and the attacker begins receiving all their calls and texts.

Why Data Breaches Enable SIM Swapping

SIM swapping relies on social engineering, and social engineering relies on information. Every data breach that exposes your name, address, phone number, or security question answers makes you more vulnerable.

Attackers piece together profiles from multiple breaches. Your address from one leak, your phone number from another, your mother's maiden name from a third. The more data available, the more convincing their impersonation becomes.

The Aftermath

With control of your phone number, attackers can bypass SMS-based two-factor authentication on virtually any account. Email accounts are typically the first target—once compromised, they enable password resets on everything else.

Bank accounts, cryptocurrency wallets, social media profiles, and cloud storage can all be compromised in quick succession. Victims have reported losing access to dozens of accounts within hours of a successful SIM swap.

Financial losses can be devastating. High-profile cryptocurrency investors have lost millions to SIM swapping attacks. For average consumers, the loss of access to accounts and the effort required to recover can be equally traumatic.

Warning Signs

• Your phone suddenly loses cellular service with no explanation
• You receive unexpected "SIM card updated" notifications
• Password reset emails arrive that you didn't request
• You're locked out of accounts that previously worked fine

How to Protect Yourself

• Add a PIN to your carrier account — Most carriers allow you to set a PIN or passphrase required for any account changes.
• Use authenticator apps instead of SMS — Google Authenticator, Authy, or hardware keys like YubiKey can't be SIM swapped.
• Limit personal information online — The less data available about you, the harder it is for attackers to impersonate you.
• Monitor your breach exposure — Regularly check if your phone number or personal details appear in breaches.