
SIM Swapping: The Attack That Bypasses Every Password You Own

April 28, 2026 · Haven Team

Your password is strong. Your two-factor code arrives by SMS. And yet a criminal with a phone and a convincing story can own your accounts in under an hour. SIM swapping is not a novel exploit — it is a systematic failure of how mobile carriers handle identity, and it has cost people their savings, their businesses, and years of their digital lives.


The attack is disarmingly simple. A criminal calls your mobile carrier's customer support line, impersonates you, and convinces the representative to transfer your phone number to a SIM card they control. From that moment, every SMS sent to your number — including every two-factor authentication code — goes to the attacker instead of you.

Within minutes, they can trigger password resets on email accounts. From email, they get into everything else: bank accounts, cryptocurrency exchanges, social media, cloud storage. By the time you notice your phone has lost service, the damage is frequently irreversible.

How a SIM Swap Actually Works

Carriers need to be able to transfer numbers — it's a legitimate function. If you get a new phone or lose your SIM, the carrier needs a way to give you back your number. The verification process to do this is the attack surface.

The attacker needs enough personal information to pass whatever identity checks the carrier uses. Depending on the carrier, this might be: the last four digits of your Social Security Number, your billing address, answers to security questions, the last four digits of a recent bill amount, or a PIN you previously set. Much of this information is available through data broker sites, previous data breaches, or social engineering the victim directly before the call.

Some attackers skip social engineering entirely and bribe carrier employees directly — a well-documented problem at major US carriers. In documented criminal cases, employees at Verizon, AT&T, and T-Mobile have been charged with taking payments to perform unauthorized SIM swaps from inside the carrier's own systems.

Structural Problem

Phone-number-based identity is a structural vulnerability. Carriers are not security companies, and their authentication processes were not designed to defend against motivated adversaries with access to data breach databases.

Who Gets Targeted

Early SIM swap attacks in the mid-2010s targeted cryptocurrency holders almost exclusively. The math was straightforward: a successful swap could yield immediate, irreversible, and largely untraceable financial gain. Cryptocurrency exchanges at the time widely used SMS as their only 2FA option.

The profile has since broadened. High-value social media account holders are targeted for the accounts themselves — Instagram handles and Twitter usernames with large followings sell for thousands of dollars on black markets. Business executives are targeted for corporate email access. Public figures are targeted for extortion. High-net-worth individuals are targeted speculatively by criminals who assume wealth concentrates across all accounts.

In 2022, the FCC received a record number of SIM swap complaints. Several high-profile cases resulted in federal prosecutions, including a group that stole more than $400 million in cryptocurrency from a single victim by compromising the investor's phone number and cascading through their accounts.

What SMS 2FA Gets Wrong

SMS two-factor authentication was designed to add a second channel — something you have (your phone) to supplement something you know (your password). The security model assumes that your phone number is reliably yours. SIM swapping invalidates that assumption entirely.

Beyond SIM swapping, SMS-delivered codes are vulnerable to SS7 interception — a class of attacks on the underlying telephony infrastructure that allow an attacker with access to the SS7 network to intercept SMS messages in transit. SS7 was designed in 1975 with no authentication between network nodes; it remains the global standard. Real-time SMS interception is documented and within reach of criminal organizations with the right connections.

SMS codes are also vulnerable to real-time phishing: a fake login page captures both your password and the SMS code you enter, replays them to the real service within seconds, and establishes a session before your code expires. No SIM swap required.

The Carrier Authentication Problem

In 2023, the FCC mandated that US carriers implement stronger SIM swap authentication protections, including stricter identity verification and customer notifications before any SIM change completes. Implementation has been uneven. The CTIA and individual carriers have set internal policies, but enforcement is difficult and the underlying problem — that customer support representatives have the power to reassign phone numbers with limited verification — remains.

"The number portability system was built for convenience, not security. We're now using it as an identity layer it was never designed to carry." — Security researcher, paraphrased from multiple public conference talks

Some carriers offer additional account PINs or port freeze options. These help but are not foolproof — insider threats bypass them, and social engineering attacks against less-trained representatives remain effective.

What Actually Protects Against SIM Swapping

The most direct mitigation is to stop using SMS as a second factor for any account that matters. The alternatives:

| Method | SIM Swap Resistant | Phishing Resistant | Notes |
|---|---|---|---|
| SMS 2FA | ✗ No | ✗ No | Vulnerable to swap, SS7, and real-time phishing |
| TOTP app (Authy, Google Authenticator) | ✓ Yes | ✗ No | Phone-independent; still phishable via real-time relay |
| Hardware security key (FIDO2) | ✓ Yes | ✓ Yes | Cryptographically bound to origin; cannot be phished |
| Passkeys (device-bound) | ✓ Yes | ✓ Yes | Strong; recovery depends on cloud backup model |

For accounts with significant financial or personal stakes — email, banking, crypto — a hardware security key like a YubiKey is the most robust option available. It ties authentication to a physical device you hold, cryptographically proves you are at the real site (not a phishing clone), and has no dependency on your phone number.
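Why the table marks a TOTP app as phishable and a hardware key as not, seen from the server's side. This is an added example, not Haven's code or any vendor's implementation. The origins, keys and challenge are constructed, and an HMAC stands in for the key's public-key signature so the block runs on the standard library alone.

```python
import hashlib, hmac, json, struct

RP_ORIGIN = "https://bank.example"           # constructed: the real site
LOOKALIKE = "https://bank-login.example"     # constructed: a phishing clone

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the given time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, submitted, now):
    # The server sees only digits; nothing records which page collected them.
    return hmac.compare_digest(totp(secret, now), submitted)

def authenticator_sign(device_key, challenge, origin):
    # The browser, not the user, writes the page's origin into the signed data.
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    # Assumption: HMAC replaces the asymmetric signature a real FIDO2 key makes.
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()

def server_accepts_assertion(device_key, challenge, client_data, signature):
    expected = hmac.new(device_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False                         # tampered data or wrong key
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == RP_ORIGIN

def compare_factors():
    secret, device_key = b"12345678901234567890", b"constructed-device-key"
    now, challenge = 59, "constructed-challenge"
    code = totp(secret, now)                 # typed into whichever page asked
    relayed = authenticator_sign(device_key, challenge, LOOKALIKE)
    genuine = authenticator_sign(device_key, challenge, RP_ORIGIN)
    return {
        "totp_forwarded_from_lookalike": server_accepts_totp(secret, code, now),
        "key_assertion_from_lookalike": server_accepts_assertion(device_key, challenge, *relayed),
        "key_assertion_from_real_site": server_accepts_assertion(device_key, challenge, *genuine),
    }

if __name__ == "__main__":
    print(compare_factors())
```

The TOTP check passes no matter where the code was typed, while the assertion made on the look-alike origin fails because the origin is inside the signed data and cannot be rewritten without invalidating the signature.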

At minimum: enable a carrier account PIN or port freeze, set up a number transfer lock if your carrier offers one, and migrate critical accounts off SMS 2FA to a TOTP app or hardware key.

For communications specifically, the root issue is that email and messaging systems that use phone numbers as primary identity inherit the phone number's vulnerabilities. Systems that authenticate on cryptographic keys — not phone numbers or email addresses — eliminate this attack surface by design. Signal's reliance on phone numbers is a documented limitation for exactly this reason; systems that issue their own identifiers avoid it entirely.

SIM swapping is not a sophisticated attack. It exploits the gap between how carriers authenticate customers and how much power that authentication grants. Closing that gap, for accounts you control, is a straightforward project: move 2FA off SMS, freeze your number at the carrier level, and treat your phone number as a username — not a secret.
