The first sign is silence. Your phone, sitting on the table with full battery, drops to "No Service" and stays there. Most people assume it is a network outage and wait. That waiting hour is when their email password gets reset, then their bank password, then everything else, because every reset code is arriving on a phone across the country in someone else's pocket.
The attack is a phone call, not a hack
A SIM swap does not involve breaking into anything of yours. The attacker calls your mobile carrier, claims to be you, and asks to activate "their" number on a new SIM card, a routine request that carriers handle thousands of times a day for people with lost or upgraded phones.
To pass the identity check, the attacker needs your personal details: full name, address, date of birth, maybe the last four digits of a payment card or the answer to a security question. Where do those come from? Data breaches. This is the attack that old breach data was being saved for. A 2015 breach with your birth date, a 2019 breach with your address, a 2021 breach with your phone number: assembled, they are a costume of you, good enough to fool a call-center employee whose job is to be helpful.
The moment the carrier activates the new SIM, your number belongs to the attacker. Your phone goes dark. Theirs lights up as you.
Why the number is the prize
Your phone number is a skeleton key for two reasons. Text-message two-factor codes now arrive on the attacker's device, which unlocks any account protected by SMS verification. And most account recovery flows will happily text a reset link to "your" number, which means the attacker does not even need your passwords. They reset them, locking you out of your own accounts while you stand in a carrier store trying to prove you exist.
This is why SIM swapping shows up so often in cryptocurrency thefts and bank fraud cases: it converts breach-data crumbs into full account control in under an hour.
- Call your carrier, or use its app, and add a port-out PIN or account security PIN. All major US carriers offer one free. It forces any SIM change to require a code that is not in any breach database.
- Move two-factor authentication for your email and financial accounts off SMS and onto an authenticator app or passkey.
- Remove your phone number as the account recovery method for your email and bank, wherever settings allow it.
If it happens
Speed matters more here than in any other attack, because the attacker is racing through your accounts in real time. From any working phone or computer: call your carrier and tell them your number was fraudulently ported, the phrase that triggers their fraud process rather than their tech-support process. Then change your email password from a device that is still logged in, before the attacker gets to it. Then bank, then everything else. File a report at IdentityTheft.gov, the FTC's official recovery site, both for the paper trail and the step-by-step recovery plan.
And afterward, do the three prevention steps above, because victims who fix nothing are the easiest people to hit twice.
Is your phone number already in breach databases?
Our free scan shows which known breaches contain your email and whether phone numbers were among the data taken alongside it.
Run the Free Breach Scan →