SIM swapping is an attack where the attacker takes control of your phone number by convincing your carrier to transfer the number to a SIM in their possession. Once the number is theirs, every SMS-based 2FA code, every password-reset link sent by SMS, and every voice-authentication call goes to the attacker, not you. The attack works because carrier customer service has historically authenticated the caller against information that data brokers expose for $20.
What it means in practice
The mechanics: attacker calls the carrier impersonating you, claims a lost phone, requests the number ported to a new SIM the attacker controls. The customer-service rep asks identity-verification questions (date of birth, last bill amount, security question) all of which leak through data-broker profiles or social-engineering reconnaissance. Some attacks bypass customer service entirely by bribing or coercing carrier employees; the 2022 T-Mobile case documented an internal-actor channel selling port-outs to organized crime for $200 per number. Once the swap completes, the attacker has 30 to 90 minutes (sometimes longer) before the victim notices, which is more than enough to drain crypto wallets, take over the email account, and pivot from there to financial accounts.
Who is targeted, and by whom
Targets are clustered around specific value patterns: cryptocurrency holders (the fastest-monetizable target; the entire SIM-swap industry was built around this category from 2017 onward), high-net-worth individuals visible enough to be targeted by name, executives at companies the attackers want to social-engineer, social-media influencers (account takeover monetizes through extortion or fraud), and increasingly anyone whose primary email recovery is tied to SMS. Attackers range from organized crime crews running industrial-scale operations (the Krebs on Security archive documents many) to opportunistic individuals exploiting personal information from a breach corpus.
What you can change today
Five-minute defense, in order of importance. First, call your carrier and add a port-out PIN or “do not port” lock to the account (Verizon “Number Lock”, AT&T “Wireless Account Lock”, T-Mobile “Account Takeover Protection”). The lock requires a separate verification before any port can complete. Second, remove SMS as a 2FA method everywhere it is the only second factor; replace with TOTP (Aegis, Raivo) or hardware keys (YubiKey). Third, change recovery contact methods on email and password manager from SMS to TOTP or hardware key. Fourth, switch to a SIM-swap-resistant carrier if your threat model justifies it (Google Fi requires a Google account login to port, Efani specializes in port-out protection for high-value targets). Fifth, remove your phone number from public-facing contact methods; use a Google Voice or MySudo number for anything that can be looked up.
