Skip to content
ScamSniff
← Back to Home

scam alerts

SIM Swap Scams: How Thieves Steal Your Phone Number and What to Do

6 min readBy ClearShield Team

Imagine picking up your phone and seeing "No Service" where your signal bars used to be. You restart — still nothing. You connect to Wi-Fi and check your email. There are password reset confirmations for accounts you did not request. Your bank sends a notification about a wire transfer you did not authorize. By the time you call your carrier, someone has already emptied your accounts.

This is a SIM swap attack, and it is one of the fastest-growing forms of identity theft in the country. The FBI reported over $70 million in SIM swap losses in a single year — and that only counts what was reported.

How SIM Swapping Works

A SIM swap attack does not require a hacker to touch your physical phone. Here is how it works:

Step 1: The criminal gathers your personal information. Your name, phone number, address, date of birth, and the last four digits of your Social Security number. They get this from data broker sites, social media, previous data breaches, or even phishing.

Step 2: They call your cell carrier. They impersonate you and tell customer service they lost their phone or got a new one and need to transfer the number to a new SIM card. Using the personal information they gathered, they pass the carrier's identity verification questions.

Step 3: Your number is transferred. Your phone loses service. Their phone now receives all your calls and text messages — including the two-factor authentication codes that banks, email providers, and financial institutions send via SMS.

Step 4: They break into your accounts. With your phone number, they trigger password resets on your email, bank, investment, and crypto accounts. The verification codes go to their phone. They change your passwords, transfer your money, and lock you out.

The entire attack can happen in under an hour. Most victims do not realize what happened until it is too late.

Who Gets Targeted

SIM swap attacks are not random. Criminals target people who have:

  • Cryptocurrency holdings — crypto transfers are irreversible, making it the #1 target
  • High-value financial accounts — retirement accounts, brokerage accounts, large bank balances
  • Visible online presence — social media profiles that reveal personal details
  • SMS-based two-factor authentication — the exact security measure that is supposed to protect you becomes the attack vector

Seniors are increasingly targeted because they are more likely to have substantial savings and less likely to recognize the attack in its early stages.

How to Protect Yourself

1. Add a PIN or Passphrase to Your Carrier Account

Every major carrier offers a security PIN or passphrase that must be provided before any account changes can be made — including SIM transfers.

  • AT&T: Set a passcode in your account settings or call customer service
  • T-Mobile: Add a PIN through the T-Mobile app or by calling 611
  • Verizon: Set a PIN in the My Verizon app under Account Security

This is the single most important step. Without the PIN, a criminal cannot convince your carrier to transfer your number — no matter how much personal information they have.

2. Switch From SMS to App-Based 2FA

SMS-based two-factor authentication (where you receive a text message code) is the vulnerability that SIM swaps exploit. Switch to an authenticator app instead:

  • 1Password — stores TOTP codes alongside your passwords, syncs across devices
  • Google Authenticator or Microsoft Authenticator — free, widely supported
  • Authy — cloud backup of your 2FA codes (convenient but slightly less secure than local-only)

When you set up 2FA on any account, choose "Authenticator app" instead of "Text message." The codes are generated on your device and cannot be intercepted through a SIM swap.

Remove your personal data from the internet

SIM swap attacks start with personal data from broker sites. DeleteMe removes your information from 750+ data broker websites — name, address, phone number, relatives — making it dramatically harder for criminals to gather what they need to impersonate you.

Learn More

3. Remove Your Personal Info From Data Brokers

Criminals gather the personal details they need to impersonate you from data broker sites like Spokeo, Whitepages, and BeenVerified. These sites list your phone number, address, date of birth, and relatives' names — exactly the information carriers use for identity verification.

Removing this data significantly reduces the attacker's ability to pass carrier security questions.

4. Use a Hardware Security Key for Critical Accounts

For your most important accounts (email, bank, crypto), consider a hardware security key like YubiKey. This physical device must be plugged into your computer or tapped on your phone to authenticate. It cannot be intercepted, phished, or SIM-swapped.

5. Set Up Account Alerts

Enable notifications for every login attempt, password change, and financial transaction on your important accounts. If a SIM swap attack begins, the email notifications to your still-accessible email may be your first warning.

What to Do If You Are SIM Swapped

If your phone suddenly shows "No Service" or "Emergency Calls Only" and restarting does not fix it:

Immediately (within minutes):

  1. Call your carrier from another phone — report the unauthorized SIM swap and have them reverse it. Use a family member's phone, a landline, or go to a carrier store in person.
  2. Change your email password from a computer (not your affected phone) — your email is the master key to all other account resets.
  3. Change your bank and financial account passwords — before the attacker can initiate transfers.

Within the first hour:

  1. Freeze your credit at all three bureaus (Equifax, Experian, TransUnion)
  2. Contact your bank directly and report the situation — they can freeze outgoing transfers
  3. Document everything — screenshot notifications, note times, save emails

Within 24 hours:

  1. File a report with the FTC at IdentityTheft.gov
  2. File a police report — you will need this for bank and insurance claims
  3. File a complaint with the FCC — they regulate carriers and track SIM swap complaints
  4. Switch all accounts from SMS 2FA to authenticator app 2FA — prevent repeat attacks

Store all your 2FA codes securely

1Password stores your authenticator codes alongside your passwords — no more juggling a separate app. When you switch from SMS to app-based 2FA (which you should do today), 1Password makes it seamless across all your devices.

Learn More

Key Takeaways

  • SIM swap attacks hijack your phone number to intercept SMS verification codes
  • Add a PIN to your carrier account — this is the #1 prevention step
  • Switch from SMS to app-based 2FA on every account that supports it
  • Remove your personal data from broker sites to make impersonation harder
  • If your phone suddenly loses service, act within minutes — call your carrier immediately from another phone
  • The FBI reports tens of millions in annual SIM swap losses — this is not a rare attack

Get our weekly scam alerts

The latest scams, how they work, and exactly how to protect yourself. Plain language, no jargon. Join 3,000+ readers.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.

SIM swapphone number thefttwo-factor authenticationidentity theft