
SIM Swapping Attacks: How They Work and How to Protect Yourself

LeakedSource Team

What Is SIM Swapping?

A SIM swap attack occurs when a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once successful, the attacker receives all calls and text messages intended for you, including the one-time passcodes used for two-factor authentication. This effectively hands them the keys to your email, banking, cryptocurrency wallets, and social media accounts.

SIM swapping has grown into one of the most damaging forms of targeted cybercrime, with individual victims losing anywhere from thousands to millions of dollars.

How the Attack Works

The typical SIM swap follows a predictable sequence:

  1. Reconnaissance: The attacker gathers personal information about the target. This data often comes from data breaches, social media profiles, or data broker sites. Names, addresses, dates of birth, and the last four digits of a Social Security number are the details most commonly sought.

  2. Social engineering the carrier: Armed with personal details, the attacker contacts the victim's mobile carrier. They pose as the account holder, claim their phone was lost or damaged, and request the number be transferred to a new SIM card.

  3. Bypassing security questions: The personal information collected during reconnaissance is usually sufficient to answer the carrier's verification questions. Some attackers bribe or recruit carrier employees directly.

  4. Taking control: Once the number is ported, the victim's phone loses service. The attacker now receives all SMS messages and calls, including authentication codes.

  5. Account takeover: The attacker triggers password resets on the victim's accounts, intercepts the SMS verification codes, and locks the victim out.

Who Gets Targeted

While anyone can be a victim, SIM swap attacks disproportionately target:

  • Cryptocurrency holders, because blockchain transactions are irreversible
  • High-profile social media accounts, which can be sold or used for scams
  • Business executives and public figures, who have more exposed personal information
  • Anyone with valuable online accounts tied to SMS-based authentication

Warning Signs You Have Been SIM Swapped

  • Your phone suddenly shows "No Service" or "Emergency Calls Only" in an area with normal coverage
  • You stop receiving text messages and calls
  • You receive email notifications about password changes you did not initiate
  • You are locked out of accounts unexpectedly
  • Your carrier sends confirmation of a device change you did not request

How to Protect Yourself

Set a PIN or passcode with your carrier. All major carriers allow you to add an account PIN that must be provided before any changes are made. This is separate from your device unlock code. Call your carrier and set one immediately.

Move away from SMS-based two-factor authentication. Use an authenticator app such as Authy or Google Authenticator, or a hardware security key such as a YubiKey. These methods are not vulnerable to SIM swaps because they do not rely on your phone number.

Reduce your personal information exposure. Data breaches and data broker sites are the primary sources attackers use for reconnaissance. Remove yourself from people-search sites, use unique information for security questions, and monitor your exposure in breach databases.

Enable account-level protections:

  • T-Mobile: Enable Account Takeover Protection
  • AT&T: Set up Extra Security passcode
  • Verizon: Enable Number Lock
  • Visible/MVNOs: Check for available port protection features

Use a separate email for financial accounts. Keep a private email address that is not tied to any public profiles and use it exclusively for banking and financial services.

Consider a Google Voice number. For non-critical SMS verification, a Google Voice number provides a layer of separation from your actual carrier number and cannot be SIM swapped through a mobile carrier.

What to Do If It Happens

Act immediately. Call your carrier from another phone to report the unauthorized swap. Contact your bank and financial institutions to freeze accounts. Change passwords on all critical accounts starting with email. File a report with the FBI's Internet Crime Complaint Center (IC3) and your local police department. Document everything for potential identity theft claims.

Speed matters. Most SIM swap victims who act within the first hour limit their losses significantly.

Check LeakedSource to see what personal information of yours has been exposed in data breaches, since that data is often the starting point for SIM swap attacks.
