SIM Swap Scams
Attackers convince your mobile carrier to transfer your phone number to a SIM they control, then use it to bypass SMS-based authentication and take over your accounts.
Last reviewed: 1 June 2026
What this scam is
A SIM swap — also called SIM hijacking or port-out fraud — is an attack in which a criminal convinces your mobile network operator to transfer your phone number to a new SIM card that they control. Once they hold your number, they can receive all SMS messages and calls sent to it — including one-time passcodes and authentication codes used by banks, email providers, and cryptocurrency platforms. Your accounts are then only as secure as your phone number, which the attacker now controls.
SIM swaps are not a hack of your phone or network in the technical sense. They are a social engineering attack on the mobile carrier's customer service process. The attacker uses personal information about you — sourced from data breaches, social media, or phishing — to impersonate you convincingly enough that the carrier transfers your number.
The attack can happen very quickly. From the moment the swap succeeds, the attacker begins requesting password resets to your email and financial accounts, which are confirmed by the SMS codes they now receive. Victims often become aware only when their phone loses service — the first sign the swap has occurred.
How it works
The attacker first collects personal information about you: your full name, home address, date of birth, the last four digits of your national insurance or Social Security number, your account number with the carrier, or answers to common security questions. This information may come from data breaches, your social media profile, or a targeted phishing attack.
Armed with this information, they contact your mobile carrier's customer service — by phone, chat, or in a retail store — and request a SIM card transfer, claiming they have a new phone and need their number moved. They pass the carrier's identity verification process using the personal details they collected.
Once the number is on their SIM, your phone loses signal. You can no longer make or receive calls or messages. Meanwhile, the attacker receives all SMS codes sent to your number and begins requesting password resets for your most valuable accounts — email, banking, cryptocurrency exchanges, social media.
The time between a successful swap and complete account compromise can be minutes. Victims who notice the signal loss and investigate may already have had accounts drained by the time they reach their carrier.
Why this scam works
SIM swaps succeed because mobile carriers cannot perfectly verify identity over the phone or in chat. Customer service agents are trained to be helpful and to resolve account issues efficiently — which creates a window for social engineering. An attacker with enough personal information can pass identity checks that are sufficient for legitimate users but inadequate against a determined adversary who has done their research.
SMS-based authentication was added to many platforms as a second factor, but it is only as strong as the carrier's identity verification. Once the attacker holds the phone number, every platform that treats SMS codes as proof of identity is compromised simultaneously.
The attack is fast. The window between a successful swap and account compromise may be too short for a victim to intervene, even if they notice the signal loss immediately.
Common red flags
- Your phone suddenly loses signal or shows 'no service' for no apparent reason
- You receive a notification that your SIM has been changed or your account details updated
- You receive emails about password reset requests you did not initiate
- Online accounts show login activity from unfamiliar locations or devices
- Your carrier sends a notification about a new SIM or port request you did not make
- You received phishing messages or calls recently that may have collected your personal information
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your mobile number has been transferred to a new SIM. If you did not make this request, contact our support team immediately.
A password reset has been requested for your [account]. If you did not request this, contact support immediately.
Your account was accessed from a new device. If this was not you, click here to secure your account.
Common variations
- Cryptocurrency-targeted SIM swap by financially motivated groups
- Corporate SIM swap targeting employees to access business accounts
- Port-out fraud via online carrier portal rather than phone or in-person
- SIM swap combined with phishing to collect the personal data needed for the impersonation
How to verify before you act
If you suspect a SIM swap, the most important step is to contact your carrier as quickly as possible using a different device. Do not wait — the attack proceeds quickly.
To reduce your vulnerability in advance: contact your mobile carrier and ask whether they offer a SIM lock, port-freeze, or additional account PIN that prevents number transfers without an extra verification step. Many carriers offer these features but do not advertise them prominently.
Replace SMS-based two-factor authentication with an authenticator app or hardware key for all financial and high-value accounts. Authenticator apps generate codes on the device itself and are not linked to your phone number — a SIM swap does not affect them.
Search data breach notification services (such as HaveIBeenPwned) to understand whether your email address and associated data have appeared in known breaches.
Payment methods used
- Bank accounts drained post-attack
- Cryptocurrency wallets emptied
- No direct payment from victim
Who is usually targeted
- Cryptocurrency holders
- High-value individuals whose accounts are worth targeting
- People who use SMS for two-factor authentication on financial accounts
- Those with significant online account portfolios linked to one phone number
What to do immediately
- Call your mobile carrier immediately using a different phone — report that you believe a SIM swap has occurred
- Ask the carrier to reverse the port and lock your account against further changes
- Change passwords on email, banking, and high-value accounts immediately using a device not connected to your phone number
- Contact your bank and cryptocurrency exchanges about suspicious activity on your accounts
- Enable account PINs or transfer-lock features with your carrier
- Report to your national fraud service and, if funds have been stolen, to police
How to prevent it
- Enable a SIM lock, number port-freeze, or account PIN with your mobile carrier
- Replace SMS-based two-factor authentication with an authenticator app or hardware key
- Minimise the amount of personal data publicly available on social media
- Use unique, strong passwords for all accounts and store them in a password manager
- Set up account activity alerts on all financial and high-value platforms
- Sign up for data breach alerts to know when your personal data may have been exposed
Evidence to preserve
- Screenshots of any account activity notices or password reset emails received
- Your mobile carrier account records showing the unauthorised port request
- Any phishing messages received prior to the attack
- Bank and exchange account transaction logs
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Can I still use SMS codes for two-factor authentication?
SMS codes are better than no second factor at all, but they are the weakest form of MFA available. For banking, cryptocurrency, and email accounts, switch to an authenticator app (such as Google Authenticator or Authy) or a hardware security key. These cannot be bypassed by a SIM swap.
My carrier says the swap was authorised — what does that mean?
It means the attacker provided enough personal information to pass the carrier's identity check. This is not your fault — it reflects the attacker's access to your data and the limitations of carrier verification. Escalate a complaint formally, as some carriers will reverse unauthorised swaps even when verification was superficially passed.