Introduction
Imagine your phone suddenly loses service. No calls, no texts, no data. You assume it's a network issue and restart your phone. While you're troubleshooting, someone across the country — or across the world — is receiving your text messages. They're resetting your email password. They're draining your bank account. They're emptying your cryptocurrency wallet. Your phone number now belongs to them.
This is SIM swapping — a social engineering attack where criminals convince your mobile carrier to transfer your phone number to a SIM card they control. It's devastatingly effective, and it's been behind some of the largest individual financial losses in cybercrime history.
How It Works
The attack starts with reconnaissance. The attacker gathers personal information about the target: name, address, date of birth, last four digits of their Social Security number, account PIN, and other details that carriers use to verify identity. This information comes from data breaches, social media, public records, phishing, or even purchasing it from data brokers.
Armed with this information, the attacker contacts the target's mobile carrier — either by phone, in-person at a store, or through online support. They impersonate the target and request a SIM swap, claiming they've lost their phone or switched devices. They provide the stolen identity information to pass the carrier's verification checks.
Once the carrier processes the swap, the target's phone number is transferred to the attacker's SIM card. The target's phone immediately loses service. The attacker now receives all calls and text messages — including SMS-based two-factor authentication codes. They use these codes to reset passwords and access accounts that use the phone number for recovery or 2FA.
In some cases, attackers bribe or blackmail carrier employees to process the swap without proper verification. These "insider" SIM swaps are particularly hard to defend against because they bypass all identity verification procedures.
The Impact
SIM swapping has been linked to cryptocurrency thefts worth millions. In 2018, a 15-year-old SIM swapper stole $24 million in cryptocurrency from a single victim. In 2019, Twitter CEO Jack Dorsey's account was compromised through a SIM swap. The SEC charged a group that used SIM swapping to steal over $530,000 in cryptocurrency. In 2022, the FBI reported 2,026 SIM swapping complaints with losses exceeding $72 million — and that's just what was reported.
The attack is particularly devastating because phone numbers have become de facto identity tokens. Banks, email providers, social media platforms, and cryptocurrency exchanges all use phone numbers for account recovery and two-factor authentication. Steal the phone number, and you have the keys to everything.
How to Protect Yourself
Contact your carrier and set up a SIM swap PIN or passcode — an additional verification step required before any SIM changes can be processed. T-Mobile, AT&T, and Verizon all offer this feature, but you usually have to specifically request it.
Move away from SMS-based two-factor authentication. Use authenticator apps (Google Authenticator, Authy) or hardware security keys (YubiKey, Google Titan) instead. These methods aren't affected by SIM swaps because they don't rely on your phone number. For cryptocurrency and high-value financial accounts, hardware security keys are the gold standard.
Use unique, strong passwords for every account and store them in a password manager. This limits the damage if any single account is compromised. Use a separate, non-public email address for financial accounts — not the one posted on your social media profiles.
Minimize the personal information you share publicly. Every detail about you that's publicly available — your birthday, your address, your mother's maiden name — is a potential answer to a carrier's identity verification question.
The Bigger Picture
SIM swapping exposes a systemic vulnerability in how we've built our digital identity infrastructure. Phone numbers were designed as routing identifiers for voice calls — they were never meant to be security tokens. Yet the entire authentication ecosystem now depends on them. Carriers whose primary business is selling phone plans have become, by default, custodians of their customers' digital security — a role they're neither designed for nor particularly good at. Until phone numbers are decoupled from authentication (through universal adoption of app-based 2FA and hardware keys), SIM swapping will remain one of the most profitable and devastating attacks available to social engineers.
