SIM swapping is an attack in which a malicious actor convinces your mobile carrier to transfer your phone number to a SIM card they control. Once successful, they receive all SMS messages and calls, including 2FA codes.
The attack typically involves social engineering the carrier’s customer service using personal information from data breaches to impersonate you.
Mitigation: use authenticator apps instead of SMS 2FA, set a carrier PIN for account changes, and use a number not publicly associated with your identity.
What it means in practice
A SIM swap transfers your phone number to a device the attacker controls. From that point, all SMS messages — including 2FA codes and password reset links — go to them. It typically requires social engineering a carrier support representative with basic personal information about the target (often available from data broker sites). The fix is to switch all sensitive accounts to authenticator app 2FA and add a carrier PIN.
