How do I protect myself from SIM swapping?

Set a carrier PIN or passphrase with your mobile provider. Switch from SMS 2FA to an authenticator app. Use an authenticator app or hardware key for all sensitive accounts.

How do I know if I've been SIM swapped?

Your phone suddenly loses signal (shows No Service or SOS Only). You stop receiving calls and texts. You get account change notifications you didn't request.

Can SIM swapping be used against authenticator apps?

No. Authenticator apps generate codes locally on your device — they don't use your phone number. SIM swapping only affects SMS-based 2FA.

SIM Swapping: What It Is and How to Protect Yourself

SIM swapping is one of the most effective attacks against accounts protected with SMS-based 2FA. It requires no hacking skill — just a phone call to your carrier.

What Is a SIM Swap Attack?

An attacker calls your mobile carrier and impersonates you, claiming they've lost their phone or SIM card. Using personal information gathered from social media, data breaches, or phishing, they convince the carrier to transfer your phone number to a new SIM card they control.

Once your number is on their SIM, they can receive all your SMS messages — including every 2FA code sent to that number.

How Attackers Get Your Personal Information

Carriers typically ask verification questions like your billing address, last four digits of your Social Security number, or account PIN. Attackers obtain this through:

Data breaches — billions of records including SSNs are available on dark web markets
Social media mining — birthdays, addresses, pet names used in security questions
Phishing calls pretending to be carrier support
Insider threats — corrupt carrier employees

Real Consequences

SIM swapping has been used to steal cryptocurrency worth millions. In documented cases, attackers have drained entire exchange accounts within minutes of completing a SIM swap. By the time the victim notices something is wrong, the funds are gone.

Notable SIM Swapping Cases

SIM swapping has been responsible for some of the largest individual thefts in cybercrime history:

Michael Terpin (2018) — Lost $23.8 million in cryptocurrency through a SIM swap attack on AT&T, subsequently suing AT&T for $200 million.
Jack Dorsey (2019) — The then-CEO of Twitter had his own account compromised via SIM swapping.
Joel Ortiz (2019) — A 20-year-old who stole over $5 million in cryptocurrency through SIM swapping and was sentenced to 10 years in prison.

Technical Deep Dive: How the Attack Works

Target identification — The attacker identifies a victim with valuable accounts and gathers personal information through social media, data breaches, or phishing.
Carrier contact — The attacker calls the victim's mobile carrier, impersonating the victim with social engineering, fake IDs, or bribed employees.
SIM activation — The carrier transfers the phone number to a SIM card controlled by the attacker. The victim's phone immediately loses service.
Account takeover — The attacker uses SMS-based password reset flows to gain access to email, financial accounts, and crypto wallets.
Asset theft — The attacker drains accounts before the victim realizes what happened.

Carrier-Specific Protection Features

T-Mobile — "Account Takeover Protection" and "SIM Protection" can be enabled through the T-Mobile app
AT&T — "Extra Security" passcode required for account changes
Verizon — "Number Lock" prevents unauthorized port-outs

Contact your carrier and ask them to add a PIN or passcode requirement for any SIM changes or port-out requests. This is the single most important step you can take.

How to Protect Yourself from SIM Swapping

1. Switch from SMS 2FA to an Authenticator App

TOTP codes are generated on your device and are not tied to your phone number. SIM swapping has zero effect on authenticator app-based 2FA. This is the single most important step.

2. Set a Port Freeze / SIM Lock with Your Carrier

Most major carriers allow you to place a port freeze or number lock on your account. This requires in-store verification (with ID) to make any SIM-related changes — making remote SIM swapping nearly impossible.

3. Set a Unique Carrier PIN

Use a carrier-specific PIN or passcode (separate from your account password) that must be provided before any account changes. Don't use predictable numbers like your birthday.

4. Use a Google Voice Number for SMS 2FA

If SMS 2FA is required on a service that doesn't support authenticator apps, use a Google Voice number. Google Voice numbers require Google account authentication to access — much harder to hijack than a carrier number.

What to Do If You're SIM Swapped

Call your carrier immediately — report the SIM swap and restore your number
Change passwords on all accounts accessible via your number
Contact your bank and crypto exchanges if financial accounts were exposed
Review and disable SMS 2FA on all accounts, switching to authenticator apps

SIM Swapping: The Attack That Makes SMS 2FA Dangerous