Anatomy of the scam
A SIM swap is a fraud where an attacker convinces a wireless carrier (Verizon, AT&T, T-Mobile) to move your phone number to a SIM card the attacker controls. Once the swap completes, your phone loses signal and the attacker's phone now receives your calls and texts — including SMS-based two-factor authentication codes.
From there the attacker can reset passwords on your bank, email, exchange, and social-media accounts. Crypto holders are the most-targeted victim profile because crypto transfers are irreversible. Losses can hit hundreds of thousands of dollars within an hour.
The attacker typically gets past carrier verification using personal info bought from data brokers, leaked breaches, or social-engineering of customer-service reps. In high-profile cases, the attacker has bribed carrier-store employees.
The signs of an in-progress attack
You usually have minutes to react.
- Your phone loses signal and shows "No Service" or "SOS only" — without you having changed anything.
- You can't send or receive texts.
- You suddenly get many "your password was changed" emails for accounts you didn't change.
- You receive a flood of MFA push notifications for your accounts.
- A bank or exchange app logs out unexpectedly.
If you're not actively in a no-signal area, this is the SIM-swap signature.
How attackers pull it off
- Social engineering of carrier customer service: attacker calls in, claims to be you, provides personal info (DOB, last 4 of SSN, address) bought from data brokers, asks to "transfer to a new SIM."
- Insider abuse — carrier-store employees paid to perform swaps.
- Phishing of your carrier account: the attacker phishes your carrier login, takes over the account, then provisions a swap themselves.
- Eavesdropped one-time PIN — sometimes the attacker phishes the carrier port-out PIN from you directly.
- SS7 attack (rare, sophisticated) — at the telecom-protocol layer, intercepting messages without a physical SIM swap.
How to prevent it
- Set a port-out PIN with your carrier — a separate password required before any number transfer. All US carriers offer this. Verizon calls it Account PIN; AT&T calls it Wireless Passcode; T-Mobile calls it Account PIN. Set it now if you haven't.
- Move off SMS-based 2FA for high-value accounts. Use TOTP apps (Authy, Google Authenticator, 1Password), hardware keys (YubiKey, Titan), or passkeys. SMS 2FA is the worst common 2FA option.
- Set up a recovery email that isn't tied to your phone number.
- Use a separate, secret phone number for high-value financial accounts. Google Voice or a second carrier line, not given to anyone.
- Limit personal info in your public profile. Birthdays, mothers' maiden names, hometowns — these are the keys carrier reps ask for.
- Enable account alerts on your bank, email, and exchange. Push notifications via app — not SMS.
If you suspect an active SIM swap
- Call your carrier immediately on a different phone (a spouse's, a friend's, a landline). Tell them you suspect a SIM swap; ask them to lock your account and reverse the swap.
- From a different device, log into your email and bank and change passwords. Use a long, new password not tied to your phone.
- Disable SMS-based 2FA on every account that allows it. Move to authenticator apps.
- Contact your bank and brokerage directly. Many have rapid-response fraud teams.
- Move crypto to cold storage if you suspect ongoing access. Don't wait.
- Capture timestamps of when your service dropped — you'll need them for reports.
If money was already taken
- File a police report in your jurisdiction. SIM-swap fraud is a recognized crime; police are increasingly equipped to investigate.
- File complaints with the FCC and your state public utility commission about the carrier failure.
- Sue the carrier in some cases. Several published lawsuits have produced multi-million-dollar judgments against carriers for negligent SIM swaps. Talk to a lawyer who specializes in this.
- Report to the FTC, IC3, and IdentityTheft.gov.
- Place credit freezes at all three bureaus.
What not to do
- Do not rely on SMS 2FA for crypto, banking, or email recovery.
- Do not assume your carrier's default account protection is sufficient. Set a port-out PIN explicitly.
- Do not share your carrier PIN with anyone, including someone claiming to be from the carrier.
- Do not click links in "your service is suspended" texts; those are often the setup for phishing your carrier credentials.
Where to report
- FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
- FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
- CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
- IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
- Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.
FAQ
My carrier said they have "advanced fraud detection." Is that enough?
Probably not. SIM swaps continue at scale across all major US carriers. A port-out PIN you control is more reliable than any backend detection.
Are passkeys really safer than SMS?
Yes, dramatically. Passkeys are bound to your device and resist phishing entirely. They don't depend on your phone number, so a SIM swap can't bypass them.
My exchange only supports SMS 2FA. What now?
Pressure the exchange to add authenticator-app or hardware-key support. In the meantime, use a separate secret phone number that isn't publicly tied to you, and consider moving funds off-platform.
What about Google Voice: is it safer?
Google Voice numbers can't be SIM-swapped in the carrier sense, but they can be hijacked if your Google account is compromised. Defend the Google account with a hardware key or passkey first.