SIM swapping, also called SIM hijacking, is an attack in which a criminal convinces your mobile carrier to move your phone number onto a SIM card they control. Once they hold your number, they receive every SMS sent to it, including SMS 2FA codes and password-reset links, for any account that uses that number for login or account recovery.
How the attack works
Attackers first gather personal information about the target: name, address, date of birth, the last four digits of the Social Security number, sometimes the carrier account PIN. The sources are usually social media, data brokers, and earlier breaches. They then call the carrier's customer service, impersonate the victim, claim the phone was lost or damaged, and ask for the number to be moved to a new SIM. Variants of the same attack use a forged ID at a retail store or a bribed carrier employee instead of a phone call.
Once the transfer goes through, the victim's own phone drops to "No service" (often the first sign something is wrong) and the attacker receives all SMS messages sent to that number. They then go to your email provider, bank, or crypto exchange, click "Forgot password," and receive the reset code by SMS on their own phone. Email is usually the first target, because once they control your mailbox they can reset almost everything else.
⚠️ High-profile victims: SIM swap attacks have drained millions from crypto accounts, compromised the Twitter/X accounts of public figures, and been used to steal from senior executives. The FBI's Internet Crime Complaint Center received more than 1,600 SIM swap complaints in 2021, with reported losses above $68 million.
Why SMS 2FA is vulnerable
SMS was never designed as a secure channel; it was designed for convenience, and using it to deliver login codes was a retrofit. It fails in three independent ways: the SS7 signaling network that carriers use to route messages can be abused to redirect them without touching your SIM at all; a SIM swap is pure social engineering of a customer service agent, so no technical control on your side can stop it; and a code that arrives by text can still be phished, since a fake login page can simply ask you for it. SMS 2FA is better than no 2FA, but it is the weakest form available, and the weak point is often not the login itself but the "recover by phone number" option on the account.
How to protect yourself
- Switch from SMS 2FA to an authenticator app. TOTP codes are computed on your device from a secret shared at enrollment and the current time; nothing travels over the carrier network, so a SIM swap gets the attacker nothing. After switching, also remove your phone number as a fallback or recovery option on the account, otherwise the attacker just picks "send me a text instead." Note that authenticator codes can still be phished, so use them with care on unfamiliar login pages.
- Use a hardware security key (FIDO2/WebAuthn) for your most important accounts. It is completely immune to SIM swapping, and because the key checks the site's origin it also resists phishing.
- Set a carrier PIN or passcode. Call your mobile carrier and add an extra PIN that must be given before any account change, including SIM changes and number ports.
- Enable a port freeze or number lock. Some carriers offer this, blocking number transfers and SIM changes until you remove the lock, sometimes requiring in-person verification.
- Limit personal info online. The details a carrier agent uses to verify you (address, birthday, last four of SSN) are exactly what attackers collect, so the less that is findable, the harder the impersonation.
- Use a separate number for 2FA. A Google Voice or similar VoIP number cannot be ported by calling a carrier, but it is only as strong as the account that owns it: protect that account with an authenticator app or security key, and make sure its recovery does not fall back to your carrier number.
✅ Action today: Call your carrier and set an account PIN. Then switch the SMS 2FA on your email and financial accounts to an authenticator app, and remove your phone number as a recovery option on those same accounts. Those steps close off most of the SIM swap risk; a hardware security key on your email account closes most of the rest.