SIM swaps: when the scam isn't a call to you, it's a call about you
A SIM swap doesn't target your phone — it targets your carrier. Here's how attackers steal your number, and four steps that actually cut the risk.
The CallTracer team
Most phone scams come at you directly. Your phone rings, a stranger lies about who they are, and the whole attack happens across that single call. A SIM swap is different. The scammer never calls you at all. They call your carrier, pretend to be you, and ask to move your phone number onto a SIM card they control. If they succeed, your phone goes quiet — and every text, every call, every two-factor code lands in someone else's pocket.
How the attack works
A SIM swap is a social-engineering attack on a cellular carrier's support line. The scammer gathers enough information about you — name, address, date of birth, maybe the last four of a card — to sound convincing to a call-center agent reading from a script. Sometimes they add a plausible story: a lost phone, an upgraded device, a travel emergency across a border.
The agent ports your number to a new SIM. Maybe a physical card delivered to a PO box. Maybe an eSIM activated on the scammer's phone in seconds. From your side, the first sign is subtle: signal drops to "No Service" and stays there. You assume there's a tower problem, or that your phone is misbehaving, and you don't think about it for another twenty minutes. Meanwhile the attacker is already moving.
Why SMS two-factor codes are the prize
The reason this attack exists, in its current form, is that so many accounts still use SMS codes as a second factor. Once a scammer has your number, they can trigger a "forgot password" flow on your email, collect the reset code over text, and from your inbox they can pivot almost anywhere — bank accounts, brokerage logins, crypto exchanges, cloud backups, even the login to your carrier itself.
The entire chain takes the attacker anywhere from twenty minutes to a few hours. By the time you notice you have no bars and restart your phone, you may already be locked out of the accounts that mattered most.
If a single phone number can reset the password on your most important account, that account is only as secure as your carrier's support line.
Four steps that actually help
There is no way to eliminate SIM-swap risk as an individual — the weak link is inside the carrier, not on your device. But four things meaningfully reduce the odds that it happens to you, and the damage if it does.
- Set a port-out PIN with your carrier. Every major US carrier offers one. It's a separate PIN the support agent is supposed to verify before any number transfer. Call them, set it, and write it down somewhere that is not stored on your phone.
- Move off SMS 2FA where it matters most. Authenticator apps, passkeys, and hardware security keys do not travel with your phone number. For a bank, a primary email, or any financial account, the upgrade is worth the small setup cost.
- Lock the accounts that anchor the rest. Your main email and your password manager are the spine — almost everything else can be reset through them. Put the strongest available two-factor on those two, even if the rest of your accounts lag behind.
- Watch for the silent signal. A sudden "No Service" that does not recover after a minute, in an area where you normally have reception, is worth a second of suspicion. So is an out-of-the-blue text from your carrier about a change you did not make.
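To put the second and third steps into practice, this added example (not part of the original article) takes a constructed account inventory and works out which accounts fall, and in how many hops, once someone else controls your number. The account names, takeover paths and function names are assumptions for illustration; replace the inventory with your own.

```python
"""Audit which accounts fall if an attacker controls your phone number."""

# Constructed inventory (not real data). Each account maps to its takeover
# paths: a list of alternatives, where each alternative is the set of things
# an attacker must control at once. "sms" is the phone number itself;
# "totp", "passkey" and "hardware_key" do not travel with the number.
INVENTORY = {
    "email":            [{"sms"}],                    # reset code by text
    "password_manager": [{"email", "hardware_key"}],  # reset + security key
    "bank":             [{"email", "sms"}],           # reset link + SMS 2FA
    "brokerage":        [{"email"}, {"sms"}],         # either one is enough
    "carrier":          [{"email"}],
    "cloud_backup":     [{"password_manager"}],
    "crypto_exchange":  [{"email", "totp"}],          # authenticator app
}

def exposed_accounts(inventory, start=("sms",)):
    """Return {account: hop} for every account reachable from `start`.

    hop is the round in which the account falls: 1 means the number alone is
    enough, 2 means it falls via an account taken in round 1, and so on.
    """
    controlled = set(start)
    hops, rnd = {}, 0
    while True:
        rnd += 1
        newly = [
            name for name, paths in inventory.items()
            if name not in controlled
            and any(path <= controlled for path in paths)
        ]
        if not newly:
            return hops
        for name in newly:
            hops[name] = rnd
        controlled.update(newly)  # applied after the round so hops stay exact

def audit(inventory):
    """Compare exposure today with exposure once email is moved off SMS."""
    before = exposed_accounts(inventory)
    hardened = dict(inventory, email=[{"passkey"}])
    after = exposed_accounts(hardened)
    return before, after

if __name__ == "__main__":
    before, after = audit(INVENTORY)
    print("exposed today:      ", before)
    print("after fixing email: ", after)
```

In this sample, hardening the email account removes the bank and carrier from the exposed set, but the brokerage stays exposed because it accepts a text message on its own.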
What to do if it has already happened
If your phone loses service without an obvious reason and you suspect a swap is underway, speed matters more than anything else. Use another phone or a trusted Wi-Fi connection to call your carrier's fraud line — not their general support number — and ask them to freeze the account. Then log in to your email from a computer, force-sign-out every active session, rotate the password, and check the recent-activity log. Your bank and any crypto or brokerage accounts come next.
Once the immediate bleed is stopped, file a report with the FTC at reportfraud.ftc.gov and, if money actually moved, a local police report as well. Your carrier will ask for that report number when you dispute the port. Keep copies of everything — timestamps, agent names, ticket numbers — because recovering stolen funds often hinges on paperwork from the first forty-eight hours.
The wider point
A scam call does not have to be aimed at you to cost you everything. The phone number sitting in your pocket is the master key for more of your life than most people stop to count, and the person who opens that lock may never dial your number. Treating an unfamiliar caller with a little friction, checking a number before you trust it, and keeping an eye on how your accounts are secured are all part of the same habit — treating your phone number like the credential it has quietly become.