How can I protect myself from SIM-swapping attacks?
SIM-swapping—also called SIM-jacking or port-out fraud—is when a criminal convinces your mobile provider to move your phone number onto their SIM/eSIM. The moment your number moves, they can intercept calls and texts (including one-time passcodes), reset logins, and drain financial or crypto accounts. This guide explains how SIM swaps happen, how to prevent them, and what to do immediately if it happens to you.
Key takeaways
- Lock down your mobile account with carrier-level blocks (SIM/number locks, account PINs).
- Stop using SMS codes for high-value logins; switch to phishing-resistant authentication (security keys/passkeys).
- Train yourself (and your family) to spot phishing and pretexting; the “human layer” is where most SIM swaps begin.
- Prepare an incident plan: the first 10 minutes matter.
What is a SIM-swap attack?
In a SIM swap, an attacker social-engineers a carrier support rep (or abuses stolen internal credentials) to move your number to a SIM/eSIM they control. Once they control your number, password resets and 2FA codes sent via SMS or voice go to them. In the US, the FCC updated rules in late 2023 to force carriers to use stronger customer authentication and alerts for SIM changes and number ports. Compliance took effect in mid-2024 and continues to roll out across carriers. (Federal Register)
Why do SIM swaps work?
- SMS is a weak second factor. One-time codes via SMS can be intercepted if your number is hijacked. Security standards bodies recommend moving to phishing-resistant multi-factor authentication (MFA), such as FIDO/WebAuthn security keys or passkeys. (CISA)
- Social engineering & data leaks. Attackers use public info, breached data, and convincing scripts to pass carrier verification, or they exploit insiders. The FCC’s new rules specifically require secure methods of authenticating customers before SIM swaps or ports. (Federal Register)
The fastest wins: turn on your carrier’s anti-hijack features
All major U.S. carriers now offer account locks that block SIM changes or number ports until you, the account owner, unlock them inside the carrier app.
Carrier features to enable (US examples)
- Verizon: Turn on Number Lock (blocks port-outs) and SIM Protection (blocks SIM swaps). You can toggle these in the My Verizon app or web portal. (Verizon)
- T-Mobile: Enable SIM Protection and account takeover/port-out protections from your T-Mobile account security page. (T-Mobile)
- AT&T: Enable Wireless Account Lock in the myAT&T app; this disables key account changes such as SIM swaps and number transfers until you unlock it. (AT&T)
Tip (non-US readers): Ask your carrier for a port-out freeze/number lock, SIM swap lock, and a customer service passcode/PIN. Many providers worldwide offer similar controls under different names. Industry groups and consumer-protection sites recommend unique account PINs and non-SMS verification whenever possible. (ctia.org)
Stop relying on SMS codes for important accounts
SMS-based 2FA is better than nothing—but for banking, crypto, email, domain registrars, cloud storage, and social media with recovery power, switch to phishing-resistant MFA:
- Use security keys / passkeys (FIDO/WebAuthn). These are resistant to phishing, SIM swaps, and push bombing. Government guidance labels them the gold standard for MFA. (CISA)
- At minimum, use an authenticator app (TOTP) instead of SMS for services that don’t yet support passkeys/keys.
- Consider Google’s Advanced Protection Program if you’re high-risk (journalists, public figures, crypto holders, admins). It enforces strong protections based on passkeys/security keys. (Google Help)
- Many security-sensitive platforms (e.g., large crypto exchanges) explicitly recommend hardware keys over SMS. (Coinbase)
Harden your mobile account & device
A. With your carrier
- Set or update your account PIN/passcode and ensure support reps must request it on every sensitive change. (US carriers: see Verizon/T-Mobile/AT&T features above.) (Verizon)
- Turn on SIM/number locks (port-out freeze / SIM swap lock).
- Make sure the account email used with your carrier login has phishing-resistant MFA.
B. On your phone
- Set a strong device passcode and enable biometrics.
- Disable sensitive lock-screen previews for SMS/email so one-time links or codes aren’t visible when the phone is unattended.
- Consider setting a SIM PIN (separate from your phone passcode). This helps if your physical SIM is stolen, though it doesn’t stop a carrier-level port-out. Consumer protection resources often recommend SIM PINs as a layer among many. (securityplanner.consumerreports.org)
- Keep iOS/Android updated; enable Find My / Find My Device for remote wipe.
Reduce your exposure to social engineering
Most SIM swaps start with phishing or pretexting—a convincing call, text, or email that tricks users or support reps. Industry and consumer-protection bodies recommend these fundamentals:
- Never share one-time codes, PINs, or full account details by phone/text/email—even if the message “looks like” your bank or carrier.
- If you receive unexpected “SIM changed” or “new device signed in” alerts, treat them as high-priority.
- Call your carrier back via a verified number (from their website/app), not via the number that just texted you.
- Use unique, strong passwords via a password manager. (CISA)
Segment your online identity (so one breach doesn’t sink you)
- Separate emails and phone numbers: Use a dedicated email (and no-SMS MFA) for your carrier login, a different one for banking, and another for socials.
- Avoid listing your primary number on public profiles. Use a secondary contact method for marketing or public forms.
- Use role-based emails (e.g., security@yourdomain) for account recovery where supported.
Crypto holders: special safeguards
Because many exchanges still allow SMS recovery, SIM swaps often target crypto users. Strengthen your setup:
- Enable hardware keys/passkeys on exchanges and wallets that support them; otherwise, use authenticator app codes (not SMS). (Coinbase)
- Store seed phrases and recovery keys offline and never in cloud notes, email, or SMS.
- Create withdrawal allow-lists and cool-off delays where supported.
- Turn on login/withdrawal alerts to email and authenticator apps.
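The allow-list and cool-off items above describe a control an exchange (or your own self-hosted wallet tooling) can enforce. The following is an added example, written for this article and not taken from Coinbase or any other platform's code, of what that guard looks like as a small policy object: a destination must be on the allow-list, a newly added destination cannot receive funds until a cool-off has elapsed, adding a destination records an alert for delivery over a non-SMS channel, and a withdrawal approved with a phone-bound factor (SMS or voice) is refused outright. The `COOL_OFF` duration and the method names are assumptions chosen for the demo.

```python
from datetime import datetime, timedelta

COOL_OFF = timedelta(hours=24)          # assumed delay; real services vary
PHONE_BOUND = {"sms", "voice"}          # factors a SIM swap lets an attacker receive


class WithdrawalPolicy:
    """Constructed model of an exchange-style withdrawal guard."""

    def __init__(self, cool_off: timedelta = COOL_OFF):
        self.cool_off = cool_off
        self.allow_list: dict[str, datetime] = {}   # destination -> time added
        self.alerts: list[str] = []                 # messages for email/app push

    def add_destination(self, address: str, now: datetime) -> None:
        """Adding a destination starts its cool-off and raises an alert, so the
        real owner learns about it before any funds can move there."""
        self.allow_list[address] = now
        self.alerts.append(f"{now.isoformat()} destination added: {address}")

    def remove_destination(self, address: str) -> None:
        self.allow_list.pop(address, None)

    def check(self, address: str, mfa_method: str, now: datetime):
        """Return (allowed, reason) for a withdrawal request."""
        if mfa_method in PHONE_BOUND:
            return False, "phone-bound MFA cannot approve withdrawals"
        added = self.allow_list.get(address)
        if added is None:
            return False, "destination not on allow-list"
        remaining = added + self.cool_off - now
        if remaining > timedelta(0):
            return False, f"destination in cool-off, {remaining} remaining"
        return True, "ok"


if __name__ == "__main__":
    policy = WithdrawalPolicy()
    t0 = datetime(2024, 6, 1, 9, 0)               # constructed timestamp
    policy.add_destination("bc1q-demo-address", t0)
    # An attacker who just took over the account cannot drain it right away:
    print(policy.check("bc1q-demo-address", "totp", t0 + timedelta(hours=1)))
    # After the cool-off, a withdrawal approved with a non-SMS factor succeeds:
    print(policy.check("bc1q-demo-address", "totp", t0 + timedelta(hours=25)))
```

The point of the cool-off is the alert it buys time for: an unexpected "destination added" notification arriving by email or app push, while your phone shows "No Service", is exactly the signal the incident playbook below tells you to act on.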
For businesses & admins
- Enforce phishing-resistant MFA (FIDO/WebAuthn) on SSO, email admin, cloud consoles, and registrars. This is aligned with U.S. government and NIST digital identity guidance. (CISA)
- Implement help-desk scripts that forbid changing MFA/phone numbers without strong identity proof.
- Monitor for SIM-change signals via your IdP and set risk-based access controls.
- Use just-in-time privileges and require security keys for admin actions.
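Two of the items above, the help-desk script and monitoring for SIM-change signals in your IdP, can be expressed as code. The block below is an added example written for this article, not any vendor's detection content, and it runs over a constructed list of audit events rather than a real IdP's log format (the event names, the proof-level taxonomy and the 48-hour window are all assumptions). The detection flags an account where a sensitive action was completed with a phone-bound factor shortly after the account's phone number changed, which is the sequence a successful SIM swap followed by a takeover produces; the help-desk gate refuses a phone or MFA change unless at least one strong identity proof was performed.

```python
from datetime import datetime, timedelta

# Constructed sample of IdP audit events (not a real vendor schema).
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T09:00:00", "user": "alice", "type": "phone_number_changed", "method": None},
    {"ts": "2024-06-01T09:12:00", "user": "alice", "type": "mfa_challenge",        "method": "sms"},
    {"ts": "2024-06-01T09:13:00", "user": "alice", "type": "password_reset",       "method": "sms"},
    {"ts": "2024-06-01T10:00:00", "user": "bob",   "type": "mfa_challenge",        "method": "fido2"},
    {"ts": "2024-05-20T08:00:00", "user": "carol", "type": "phone_number_changed", "method": None},
    {"ts": "2024-06-01T11:00:00", "user": "carol", "type": "password_reset",       "method": "totp"},
]

# Actions worth alerting on when they are approved by a factor tied to the phone number.
SENSITIVE = {"password_reset", "mfa_method_changed", "recovery_email_changed"}
PHONE_BOUND = {"sms", "voice"}


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def find_sim_swap_patterns(events, window: timedelta = timedelta(hours=48)):
    """Return (user, event type, timestamp) for every sensitive action completed
    with a phone-bound factor within `window` of that user's phone number changing."""
    by_user: dict[str, list] = {}
    for ev in sorted(events, key=_when):
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        last_phone_change = None
        for ev in evs:
            if ev["type"] == "phone_number_changed":
                last_phone_change = _when(ev)
            elif (ev["type"] in SENSITIVE
                  and ev["method"] in PHONE_BOUND
                  and last_phone_change is not None
                  and _when(ev) - last_phone_change <= window):
                findings.append((user, ev["type"], ev["ts"]))
    return findings


# Assumed proof levels a help-desk workflow might record for a request to change
# a phone number or MFA method. Knowledge questions and a callback to the number
# being replaced are exactly what a SIM-swapper can satisfy, so they never suffice.
STRONG_PROOF = {"existing_phishing_resistant_factor", "in_person_id_check", "video_id_with_document"}
WEAK_PROOF = {"knowledge_questions", "callback_to_phone_on_file", "caller_id_match"}


def help_desk_allows_factor_change(proofs_performed) -> bool:
    """Allow the change only if at least one strong proof was performed."""
    return bool(set(proofs_performed) & STRONG_PROOF)


if __name__ == "__main__":
    for finding in find_sim_swap_patterns(SAMPLE_EVENTS):
        print("possible SIM-swap takeover:", finding)
    print(help_desk_allows_factor_change(["knowledge_questions", "caller_id_match"]))
```

In the sample, alice's password reset approved by SMS thirteen minutes after her number changed is flagged, while carol's reset is not: it used TOTP and the number change was weeks earlier. Tune the window to your help-desk and carrier-alert latency, and treat a hit as a reason to step up to a phishing-resistant factor before allowing further changes.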
The 15-minute incident playbook (what to do if you’re SIM-swapped)
Warning signs: sudden loss of service (“No Service”), messages about SIM activation on a new device, password-reset emails you didn’t request, or alerts about number-porting.
- Contact your carrier immediately (from another phone or landline). Ask them to revoke the swap/port, turn on all available locks, and document the fraud ticket. FCC guidance encourages carriers to authenticate securely and notify customers of SIM/port changes—use those policies to your advantage. (Federal Register)
- Lock down email first. Email controls password resets for almost everything. Change the password and enforce passkeys/security keys.
- Secure financial & crypto accounts. Change passwords, rotate 2FA to keys or app codes, and enable withdrawal locks/allow-lists.
- Check your Apple/Google ID (phone backups, device list, iCloud/Google Drive), then social media and messaging apps.
- Warn your contacts that your number has been hijacked, so they ignore messages from it and follow-on scams fail.
- Report fraud to your bank(s), relevant platforms, and your national consumer protection body. U.S. consumers can file with the FTC and follow identity-theft recovery steps. (Consumer Advice)
- Document everything (times, names, case numbers) for any dispute/claims.
A layered defense: your SIM-swap prevention checklist
Everyday hygiene
- Use a password manager and unique passwords.
- Turn on security keys/passkeys for email, cloud, finance, crypto, domains. (CISA)
- Replace SMS 2FA with authenticator app where keys/passkeys aren’t supported.
- Treat unsolicited calls/texts/emails as phishing until proven otherwise. (ctia.org)
Carrier account
- Set a customer service PIN/passcode.
- Enable SIM swap locks and number/port-out locks (Verizon Number Lock & SIM Protection; T-Mobile SIM Protection; AT&T Wireless Account Lock). (Verizon)
- Use the carrier app to manage these settings and to receive alerts on changes. Many carriers now send notifications on any lock/unlock action. (AT&T)
High-value accounts
- Email: enforce passkeys/security keys; disable SMS recovery where possible. (Google Help)
- Banking/crypto: prefer hardware keys; enable transaction alerts and allow-lists. (Coinbase)
- Social: lock down recovery options (remove phone numbers if not required).
Device
- Strong passcode + biometrics; disable lock-screen previews of sensitive content.
- Enable Find My / Find My Device; keep OS/apps updated.
- Optional: SIM PIN for physical theft scenarios (layered defense). (securityplanner.consumerreports.org)
Frequently asked questions (FAQ)
1) Are eSIMs safer than physical SIMs?
eSIMs remove the risk of someone physically stealing your SIM, but they don’t prevent carrier-level SIM swaps. Your best defense is carrier account locks plus phishing-resistant MFA for your accounts. (See FCC rules requiring stronger authentication for swaps/ports, and carrier lock features above.) (Federal Register)
2) Should I remove my phone number from accounts?
For high-value services (email, banking, crypto, domain registrars), yes—avoid using a phone number for login or recovery if the service supports keys/passkeys or app-based codes. Security standards specifically endorse phishing-resistant options. (CISA)
3) Does a SIM PIN stop SIM swaps?
A SIM PIN helps if someone gets physical possession of your SIM. It does not stop a carrier-initiated swap/port. Use it as a supplement, not a substitute for carrier locks and strong MFA. (securityplanner.consumerreports.org)
4) What regulations protect me?
In the U.S., the FCC updated rules (Dec 2023; effective in 2024) requiring secure customer authentication and notifications for SIM swaps and number ports. This raised the bar industry-wide, including MVNOs. (Federal Register)
5) I manage a small business—what minimums should I enforce?
Require FIDO2/WebAuthn keys or passkeys on admin accounts and SSO; set a policy banning SMS 2FA for privileged users; and lock carrier accounts for all staff numbers. These align with modern government guidance on phishing-resistant MFA. (CISA)
How carriers are improving (and how you should use those improvements)
- Verizon: Number Lock prevents port-outs; SIM Protection blocks SIM moves to another device until you toggle it off. Turn them on in My Verizon (web/app). (Verizon)
- T-Mobile: SIM Protection is free for postpaid customers and is designed to prevent unauthorized swaps; they also document port-out protections. (T-Mobile)
- AT&T: Wireless Account Lock (rolled out 2025) blocks SIM swaps, number transfers, billing updates, and device upgrades until you unlock it in the myAT&T app. (AT&T)
These controls don’t replace phishing-resistant MFA for your accounts, but they dramatically cut the odds that someone can move your number without your knowledge.
Sample hardening plan (you can copy/paste this into your notes)
Today (30 minutes)
- Turn on Number/Port-Out Lock and SIM-swap protection in your carrier app. (Verizon)
- Set or update your carrier account PIN.
- On your primary email and bank/crypto accounts, enroll passkeys/security keys; remove SMS as a recovery factor where possible. (CISA)
- Add login/transaction alerts to email, banks, exchanges.
- Disable lock-screen previews for texts/emails on your phone.
This week
- Move critical logins off SMS to authenticator apps or keys.
- Create a one-page incident plan (carrier phone number, account numbers, bank fraud lines).
- Audit which services can reset other services (email, Apple/Google ID). Harden those first.
Quarterly
- Rotate passwords for critical accounts.
- Re-test passkeys/security keys and recovery options.
- Re-verify that your carrier locks are still enabled (some toggles may turn off during device upgrades). (Verizon)
Conclusion
SIM-swapping succeeds when attackers can trick a carrier and when our accounts still rely on phone numbers as a gatekeeper. The solution is layered:
- Carrier locks to stop unauthorized number moves;
- Phishing-resistant MFA (passkeys/security keys) so that even if your number is hijacked, your accounts aren’t;
- Phishing awareness and rapid incident response.
Make those three changes and you’ll shut the door on the most common SIM-swap routes.
References & further reading
- FCC: Protecting Consumers from SIM Swap and Port-Out Fraud (rulemaking and requirements). (Federal Register)
- FCC: Compliance date and consumer guidance for SIM-swapping item. (Federal Communications Commission)
- CISA: Implementing Phishing-Resistant MFA (why FIDO/WebAuthn beats SMS and push codes). (CISA)
- NIST SP 800-63B (draft/series): Digital identity guidelines; phishing-resistant MFA. (NIST Publications)
- Verizon: Number Lock & SIM Protection. (Verizon)
- T-Mobile: Prevent unauthorized SIM swap / port out. (T-Mobile)
- AT&T: Wireless Account Lock. (AT&T)
- FTC: SIM Swap Scams: How to Protect Yourself (consumer report & recovery steps). (Consumer Advice)