SIM swap attack: when your phone number becomes the weak link

A SIM swap is one of the most dangerous forms of account takeover. The attacker takes control of your phone number and receives all SMS codes—meaning access to your email, social media, banking, and other accounts.

In most cases, you don't click anything or approve anything—the attack happens through your mobile carrier.

Warning signs

  • Your phone shows “No SIM” or emergency calls only
  • Password reset SMS messages you did not request
  • Notifications of number porting
  • You are unable to log in to banking or social media accounts that use SMS 2FA

First-hour actions

Contact your carrier's fraud line from another phone, or visit a store with ID. Ask them to reverse any unauthorised changes. At the same time, check bank and crypto accounts for transfers.

Why SMS 2FA still matters

SIM swapping is targeted and relatively rare compared to bulk password theft. For most people, SMS 2FA remains the most practical protection compared with having no 2FA. High-risk users may add app-based factors on top, but these do not replace awareness.

Carrier protections

Ask your carrier about account PINs, port validation, number freeze options, and notifications when the SIM changes. Remove unused authorised users from the mobile account.

Recovering accounts afterwards

Once the number is back, work through each platform's locked-out account flow. Expect identity checks. Update 2FA methods everywhere.

Link to other guides

Telegram and banking apps tied to SMS are common follow-on targets. Also read the guide on suspicious login alerts.

Documentation

Keep carrier ticket IDs, timestamps of unauthorised transactions, and, if filing a police report helps with fraud reversals, the report number.

Suspect a SIM swap?

In SIM swap attacks, speed is everything. Every hour can mean new logins or financial losses. If the situation seems more complex than described, it's worth assessing before taking further steps.

Frequently asked questions

Will authenticator apps stop a SIM swap?
They reduce reliance on SMS for those accounts, but you must still secure the phone account itself.
Can I sue the carrier?
This depends on the jurisdiction; lawyers assess negligence. Document every call with carriers.
Does eSIM increase risk?
The attack surface depends on carrier processes; use all available account locks.
Should I abandon SMS 2FA entirely?
For average users, SMS 2FA is still far better than none; add layers if you are high-risk.
Is there special advice for crypto users?
Use hardware wallets, minimise SMS-only protections on exchanges, and whitelist withdrawals where possible.