One quiet afternoon, a freelance designer we will call Maya looked at her phone and saw two words where the signal bars used to be: “No Service.” Within twenty minutes her email password had been reset and money was leaving her bank account. This is what sim swapping looks like from the victim’s seat. An attacker convinced her phone carrier to move her number onto a SIM card they controlled, and from there they walked straight through every account that trusted her phone.
This post explains how the attack works, the warning signs you can actually notice, why text message codes are the weak link, and the concrete steps that shut the door.
What sim swapping actually is
Your phone number is not stored in your phone. It lives in your carrier’s system and is tied to whichever SIM card the carrier says it belongs to. A SIM swap is a legitimate process: when you buy a new phone or lose your old one, the carrier moves your number to a new SIM. Attackers abuse that same process.
The attacker calls or messages your carrier, pretends to be you, and asks to move your number to a SIM in their possession. To pass the carrier’s identity check they use details collected ahead of time: your full name, address, date of birth, the last four digits of a card, or answers to security questions. Much of this leaks from old data breaches and social media. Sometimes the attacker bribes or tricks a store employee instead.
The moment the swap completes, your real phone drops to “No Service” and every call and text now lands on the attacker’s device.
Why your text message codes are the prize
Most people protect important accounts with two factor authentication. The common version sends a one time code by SMS. The idea is sound: a password alone should not be enough. The problem is that an SMS code is delivered to a phone number, and a phone number can be stolen.
Once the attacker owns your number, the flow is simple:
- They go to your email provider and click “Forgot password”.
- The provider texts a reset code to your number, which now reaches their phone.
- They enter the code, set a new password, and lock you out of your own inbox.
- From that inbox they reset everything else: banking, social accounts, crypto exchanges, cloud storage.
Email is the master key for most of your digital life, and SMS is the spare key under the mat. Take the number, take the email, take the rest.
SMS codes were never built to be a second factor. They are a convenience that happens to work most of the time, and sim swapping is the day it does not.
The warning signs of sim swapping
The attack is loud if you know what to listen for. The clearest signal is sudden loss of service. If your phone shows “No Service” or “SIM not provisioned” in a place where you normally have coverage, and a quick restart does not fix it, treat that as an emergency, not an annoyance.
Other signs worth acting on right away:
- You stop receiving calls and texts while friends say their messages to you are not delivering.
- You get an unexpected email or push notice that your number was ported or a new SIM was activated.
- You are suddenly logged out of email, social, or banking apps on all your devices.
- You see password reset emails you did not request.
If you suspect a swap is in progress, call your carrier from another phone immediately and ask them to freeze your account. Minutes matter, because the attacker is racing through reset flows while they hold the number.
How to prevent sim swapping
You cannot fully control what your carrier does, but you can remove the easy paths and stop relying on your phone number as a security key. These steps stack, so do as many as you can.
1. Set a carrier port out PIN
Every major carrier lets you add a separate PIN or passcode that must be given before your number can be moved or a new SIM activated. This is not the same as your voicemail PIN or your account login. Call your carrier or open the account security settings and turn it on. Pick a number that is not your birthday, address, or anything that appears in a data breach.
2. Move off SMS two factor
Replace text message codes with an authenticator app such as the time based codes generated by apps on your device. Those codes are created on your phone itself and never travel over the cell network, so stealing your number gives an attacker nothing. Where an account offers a choice, pick the app over SMS. Keep SMS only for accounts that support nothing better.
3. Use passkeys and hardware keys where you can
The strongest option available today is a passkey or a physical security key. A passkey ties your login to a secret stored on your device that cannot be phished or texted to a stranger. More banks, email providers, and social platforms add support every month. If you want the longer comparison, see our write up on passkeys vs passwords. The short version: a passkey cannot be read off a stolen SIM, which is the whole point.
4. Stop using your phone number as a recovery method
Go into your most important accounts, starting with your primary email, and check the recovery and reset settings. If a phone number is listed as a way to reset the password, that number is a side door. Remove it where the account allows, or switch recovery to an authenticator app and backup codes printed on paper.
5. Shrink your public footprint
Attackers pass the carrier’s identity check using facts about you. The less of that is floating around, the harder you are to impersonate. Keep your birthday off public profiles, be cautious with quiz style posts that ask for your first car or street name, and freeze your credit so a stolen number cannot be used to open new accounts.
What to do if it already happened
Speed beats everything. Work in this order:
- Call your carrier from another line and have them deactivate the rogue SIM and restore your number.
- From a trusted device, reset your email password first, since it controls the rest.
- Contact your bank and any exchange to flag fraud and reverse transfers while they are pending.
- Turn on an authenticator app or passkey on every account as you regain access.
- Report the incident to your local authorities and your carrier’s fraud team, and ask for a written record.
Understanding who you are versus what you are allowed to do matters here too. A stolen number breaks the first check and lets an attacker inherit all your permissions, which is the line we draw in authentication vs authorization.
The takeaway
Sim swapping works because too many systems treat a phone number as proof of identity, and a phone number is surprisingly easy to take. The fix is not paranoia. It is a port out PIN, an authenticator app instead of SMS, passkeys where they exist, and email recovery that does not lean on your number. Set those up once and the attack that emptied Maya’s accounts simply has nothing to grab.
Most account takeovers start with a wrong assumption about what counts as proof, and finding those assumptions before attackers do is the kind of work we care about. You can read more on our about page.
Frequently asked questions
What is sim swapping?
Sim swapping is a takeover attack where someone convinces your mobile carrier to move your phone number to a SIM they control. Once they hold your number, calls and text messages come to them, which lets them catch the codes that protect your accounts.
What are the warning signs of a sim swap?
The clearest sign is a sudden loss of service when your phone shows no signal or says SOS only in a place where it normally works. Other signs are being unable to make calls or send texts, getting a carrier notice about a SIM change you did not request, or seeing login alerts you did not start.
Why is SMS two factor the weak link?
Codes sent by text ride on your phone number, and your number can be moved to another SIM. Once an attacker holds the number, every code sent by SMS lands on their device. App based authenticators and passkeys stay tied to your device, so they do not travel with the number.
How do I prevent sim swapping?
Set a port out PIN or account passcode with your carrier, switch your important accounts from SMS codes to an authenticator app or passkeys, and never share one time codes with anyone who calls you. Treat any unexpected loss of signal as a reason to call your carrier from another line right away.
What should I do if I am being sim swapped right now?
Contact your carrier immediately from another phone to lock the account and reverse the swap, then change passwords on your email and bank from a device that is still secure. Move those accounts off SMS codes and tell your bank to watch for fraud while you recover the number.
Put an autonomous researcher on your own systems
UnboundCompute is an autonomous security researcher that reasons about how an application fits together and proves the access control and injection bugs it finds. We are opening a small number of founding design partner seats: private early access pointed at a staging target you choose, a say in what it looks for, and founding pricing. If your team ships software worth pressure testing, apply to the design partner program.
