SIM Swapping Protection: How to Stop Attackers From Hijacking Your Phone Number
SIM swapping lets attackers hijack your phone number and bypass SMS-based two-factor authentication. Learn exactly how this attack works, which accounts are most at risk, and the specific steps you can take to protect yourself today.
What Is SIM Swapping and Why Should You Care
SIM swapping — also called SIM hijacking or port-out fraud — is an attack where a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, every phone call and SMS message intended for you goes to them instead. That means every SMS-based two-factor authentication code, every account recovery text, and every verification call is intercepted before you ever see it.
The consequences can be devastating. Attackers have used SIM swapping to drain cryptocurrency wallets, take over email accounts, reset passwords on banking apps, and lock victims out of their own devices for days or weeks. High-profile cases include the theft of over $100 million in cryptocurrency from individual victims and the compromise of Twitter accounts belonging to public figures. But SIM swapping is not limited to wealthy targets — anyone who uses SMS-based 2FA on a valuable account is potentially at risk.
The attack works because mobile carriers rely on knowledge-based verification — asking for the last four digits of your Social Security number, your billing address, or your account PIN — and that information is often available through data breaches, social engineering, or public records. A skilled attacker can impersonate you convincingly enough to pass these checks.
How Attackers Execute a SIM Swap
Understanding the mechanics of a SIM swap helps you understand exactly where the vulnerabilities are and how to close them. The attack typically follows this sequence.
First, the attacker researches you. They compile your phone number, your carrier, and personal identifiers from data broker sites, previous data breaches, social media profiles, and sometimes LinkedIn or public records. Tools that aggregate leaked breach data can provide your name, address, date of birth, and the last four digits of your SSN from a single search query.
Next, they either call your carrier's customer support line directly or visit a retail store location. They claim to be you, say they lost their phone or damaged their SIM, and request a transfer to a new SIM card they already have in hand. If the carrier's verification process is weak — or if they've bribed a carrier employee, which has happened in documented cases — the transfer goes through within minutes.
Finally, with your number in their control, they trigger password resets on your accounts using the "forgot password" flow, which sends a recovery code via SMS. They change your passwords, disable your legitimate 2FA, and methodically work through your accounts before you even notice your phone has lost service.
How to Know If You've Been SIM-Swapped
The first sign is usually sudden loss of cellular service on your phone — calls fail, SMS stops delivering, and your phone shows "No Service" or "SOS Only." This happens because your number has been moved off your SIM. If this occurs unexpectedly, especially if you also notice unusual login alerts or password reset emails arriving in your inbox, treat it as a potential SIM swap emergency.
Act immediately: call your carrier from a different phone or over Wi-Fi calling, visit a retail store in person with government ID, and lock down your most critical accounts, email and financial, from a trusted device before the attacker can access them. Time matters. Most SIM swap attacks are carried out within 30 to 60 minutes of the number transfer.
Step-by-Step: How to Protect Yourself From SIM Swapping
The following steps address the specific vulnerabilities that SIM swap attacks exploit. Work through them in order — the first three are the highest impact.
1. Set a carrier account PIN or port-freeze. Every major US carrier (AT&T, Verizon, T-Mobile) allows you to set a separate PIN or passcode on your account that must be provided before any SIM changes are made. This is different from your account password. Set one now: log in to your carrier's website or app, go to account security settings, and set a unique PIN that you haven't used anywhere else. Use our free password generator to create one that's random and hard to guess. T-Mobile additionally offers "NOPORT" — a free block that prevents your number from being ported out without a visit to a store with government ID. AT&T offers "Extra Security" which requires your passcode for any account changes.
2. Replace SMS-based 2FA with an authenticator app or hardware key. Remove SMS as the authentication method on every important account and replace it with an authenticator app (Google Authenticator, Authy, or Aegis on Android) or a hardware security key like a YubiKey. App-based TOTP codes are generated on your device and never sent via SMS — a SIM swap doesn't give an attacker access to them. A hardware key is even stronger. Check every financial, email, and social media account you own and migrate away from SMS-based 2FA wherever the service supports it.
3. Use a dedicated, private email address for account recovery. Your primary email address is known to many services and may be in breach databases. Create a second email address used only for account recovery that you don't share with anyone and don't use for communications. Store the credentials in a password manager like NordPass or 1Password and never mention this address publicly. This makes it much harder for an attacker who has compromised your phone number to chain into your accounts via email recovery.
4. Freeze your credit with all three bureaus. SIM swapping is often a component of broader identity theft. Freezing your credit at Equifax, Experian, and TransUnion prevents attackers from opening new credit accounts in your name even if they obtain your personal information. Credit freezes are free and can be temporarily lifted when you need to apply for credit.
5. Reduce your exposure on data broker sites. Sites like Spokeo, Whitepages, BeenVerified, and Intelius compile and sell your personal information: address, phone number, relatives, date of birth. Remove yourself from these services periodically, or use a service like DeleteMe or Privacy Bee to automate the opt-out process. The less data that is available about you, the harder it is to carry out a convincing social engineering attack.
Which Accounts to Prioritize First
Not every account carries equal risk. Focus your SIM swap protections on accounts in this priority order.
1. Your primary email account: it's the master key to every other account's password reset flow. Lock it down with a hardware key or TOTP, remove SMS 2FA, and enable login notifications.
2. Financial accounts (bank, brokerage, cryptocurrency exchanges). Crypto exchanges in particular are high-value targets because transactions are irreversible.
3. Your mobile carrier account itself: a compromised carrier account enables the SIM swap. Set the carrier PIN immediately if you haven't already.
4. Social media accounts with large followings or linked financial integrations.
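To audit your own setup against this priority order, the added example below (not part of the original article) models each account's reset channels and computes which accounts fall if the phone number is hijacked, including accounts reached indirectly through email recovery. The account names, the channel labels, and the assumption that any single listed channel is enough to reset an account are all constructed for illustration.

```python
from collections import deque

# Constructed inventories. Channels: "sms" = code texted to the number,
# "email:<account>" = reset link mailed to that account,
# "totp" / "hardware_key" = factor held on your own device.
BEFORE = {
    "primary_email": {"sms"},
    "bank": {"sms", "email:primary_email"},
    "exchange": {"totp", "email:primary_email"},
    "social": {"email:primary_email"},
}
AFTER = {
    "primary_email": {"hardware_key"},
    "recovery_email": {"totp"},
    "bank": {"totp", "email:recovery_email"},
    "exchange": {"totp", "email:recovery_email"},
    "social": {"email:recovery_email"},
}


def exposed_accounts(inventory):
    """Map each account reachable from a hijacked number to the chain that reaches it."""
    paths = {}
    queue = deque()
    # Direct exposure: any account that accepts an SMS code for reset.
    for name, channels in inventory.items():
        if "sms" in channels:
            paths[name] = ["phone number", name]
            queue.append(name)
    # Indirect exposure: accounts whose reset mail lands in an already exposed mailbox.
    while queue:
        taken = queue.popleft()
        for name, channels in inventory.items():
            if name not in paths and f"email:{taken}" in channels:
                paths[name] = paths[taken] + [name]
                queue.append(name)
    return paths


if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for name, chain in exposed_accounts(inventory).items():
            print("  " + " -> ".join(chain))
```

In the "before" inventory the exchange has no SMS factor at all, yet it is still exposed through the primary email account, which is why the email account comes first in the list.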
SIM Swapping Protection Checklist
- ☐ Set a carrier account PIN at AT&T, Verizon, or T-Mobile — use a unique random PIN
- ☐ Enable port freeze or "NOPORT" if your carrier offers it
- ☐ Remove SMS 2FA from email accounts and replace it with TOTP or a hardware key
- ☐ Remove SMS 2FA from financial accounts and replace it with TOTP or a hardware key
- ☐ Remove SMS 2FA from social media accounts
- ☐ Create a dedicated, private recovery email address and store its credentials in a password manager
- ☐ Freeze your credit at Equifax, Experian, and TransUnion
- ☐ Submit data broker opt-out requests
- ☐ Set up login alerts on critical accounts so unexpected logins trigger a notification
Recommended Tools
For storing the unique carrier PINs, recovery email credentials, and account passwords that protect against SIM swap attacks, we recommend NordPass (zero-knowledge encryption, free tier available) or 1Password for family or team use. Both support storing secure notes alongside passwords, which is useful for keeping carrier PINs and recovery codes organized.
See our full security tools guide for more recommendations on building a resilient personal security stack.