Your phone number is the second factor protecting most of your important accounts. SMS codes sent to your number are what stand between an attacker and your bank, your email, and your crypto wallet — if you have not set up anything stronger. A SIM swap attack transfers your phone number to a SIM card the attacker controls. After that, every SMS code goes to them.
SIM swap attacks bypass SMS-based two-factor authentication entirely. The fix is a SIM PIN — a 4-8 digit code your carrier requires before making any changes to your account. Takes five minutes to set up. Blocks the most common path to account takeover used in targeted attacks today.
How a SIM Swap Attack Works
The attacker calls your carrier's customer support — or walks into a retail store — and convinces a representative to transfer your phone number to a new SIM card. They use personal information gathered from data breaches, social media, or phishing to pass identity verification. Once the transfer is complete, your phone loses service and every call and text meant for you goes to the attacker.
With your number, they trigger SMS-based password resets on your email, then your bank, then anything else that sends codes to your phone. The entire sequence can take less than 30 minutes.
Who Gets Targeted
SIM swaps were initially used to steal cryptocurrency from high-value targets. They have since expanded to target anyone with valuable accounts — online banking, brokerage accounts, PayPal, Venmo, and email accounts used to control other accounts. You do not need to be wealthy or prominent to be targeted. You need only have something worth stealing.
Set Your SIM PIN — Every Major Carrier
A SIM PIN requires anyone attempting to make account changes — including transferring your number — to provide the PIN. Without it, social engineering alone is enough. With it, the attacker needs something they cannot get from a data broker or your Facebook profile.
- AT&T: Log into your AT&T account online → Profile → Sign-in Info → Wireless Passcode → set a 4-8 digit passcode. Enable "Extra Security" to require it for account changes in stores.
- Verizon: My Verizon app → Account → Security → Account PIN. Also enable Number Lock under Account Security settings.
- T-Mobile: T-Mobile app → Profile → Security → SIM Card Lock. Set a 6-15 digit PIN. Also enable Account Takeover Protection under Security settings.
- Google Fi: Account → Personal Info → Security → SIM PIN — toggle on and set PIN.
Do not use obvious PINs — no birthdays, no 1234, no 0000. Treat it like a strong password. Write it down and store it somewhere physically secure.
Go Further: Replace SMS 2FA With an Authenticator App
A SIM PIN protects your number. But SMS-based two-factor authentication is still weaker than an authenticator app or a hardware key — even with a PIN in place. On your most critical accounts (email, bank, brokerage), replace SMS codes with an authenticator app like Google Authenticator or Authy, or upgrade to a hardware security key.
The YubiKey 5 NFC (~$50) eliminates SMS entirely for supported accounts — your Gmail, your password manager, and many financial accounts. A physical key that must be present cannot be SIM-swapped, phished, or intercepted.
What to Do If You Think You've Been SIM Swapped
If your phone suddenly loses service unexpectedly, call your carrier immediately from a different phone. Ask if your number has been ported or a new SIM activated. If yes, report it as unauthorized, have the number transferred back, and immediately change passwords on your email and financial accounts from a secure device. File a report with the FBI IC3 and the FTC.
Transparency: Some links in this post are affiliate links. If you purchase through them, Silent Security.net earns a small commission at no additional cost to you. We only recommend products we would suggest to our own families. Our editorial opinions are never influenced by affiliate relationships.