How does a SIM-swap scam actually work?
In a SIM swap, a fraudster convinces your mobile carrier to transfer your phone number to a SIM they control, which lets them intercept SMS one-time codes and take over your accounts.
Last reviewed: 10 June 2026
Explanation
The attack starts with reconnaissance. The scammer gathers personal details about you from data breaches, social media, or phishing emails — enough to answer the security questions your carrier uses to verify identity. They then contact your mobile provider, either by phone, online, or through a corrupt insider, and claim to be you reporting a lost or stolen phone.
Once the number is ported, every SMS message intended for you — including bank verification codes, two-factor authentication texts, and password-reset links — goes to the attacker's device. Within minutes they use these codes to reset passwords on email, banking, and cryptocurrency accounts. Your phone simultaneously loses signal, which is often the first sign something is wrong.
The window of damage is short but catastrophic. Attackers prioritise high-value targets: crypto wallets (which have no bank dispute process), investment accounts, and email (because email access enables resetting everything else). By the time you reach your carrier and reclaim the number, funds may have been moved multiple times.
SIM swaps are also used in targeted 'port-out' fraud on number-transfer portals, where a number is simply moved to a different carrier the attacker controls. Prevention centres on removing phone numbers from account security wherever possible and using authenticator apps or hardware keys instead of SMS codes.
Common red flags
- Your phone suddenly has no signal despite being in a normal coverage area
- You receive a carrier notification about a SIM change or account update you did not request
- Password-reset emails arrive in your inbox that you did not initiate
- You are locked out of email or banking apps unexpectedly
- Someone contacts you claiming to be from your bank asking to confirm a transfer
What to do now
- Call your carrier immediately from another phone and report an unauthorised SIM swap
- Ask the carrier to add a PIN or passphrase required for any future account changes
- Change passwords on email, banking, and crypto accounts from a secure device
- Switch all critical accounts from SMS two-factor to an authenticator app or hardware key
- Report the fraud to your bank and national cybercrime unit
- Monitor your credit reports for any accounts opened in your name
Frequently asked questions
Can I prevent a SIM swap entirely?
You can make it much harder. Set a carrier account PIN, use authenticator apps instead of SMS codes, and limit the personal information you share publicly online.
Are cryptocurrency losses from SIM swaps recoverable?
Rarely. Blockchain transactions are irreversible. Report to law enforcement immediately — in some cases exchanges have frozen accounts before full withdrawal.
How do scammers get enough personal data to pass carrier security checks?
From previous data breaches, social media posts, phishing emails, and dark-web purchased data files that often include names, addresses, and last four digits of SSNs.