What is SIM swapping?

SIM swapping is an attack where someone convinces your mobile carrier to transfer your phone number onto a SIM card they control — no physical access to your phone required, just a phone call, a chat session, or a store visit where they successfully impersonate you. Once the number moves, every text and call meant for you goes to them instead, including the SMS codes that reset your email, bank, and social media accounts.

Illustration representing a SIM swap attack transferring a phone number to an attacker's device

Why attackers want your phone number specifically

Your phone number is the recovery key for almost everything else you own online. It's the default second factor for SMS-based 2FA, the fallback for "forgot password" flows on email and banking accounts, and often the one piece of identity verification a support agent will accept over the phone. Compromise the number, and you inherit the ability to reset accounts that never directly shared a password with the attacker at all — which is exactly why SIM swapping is the preferred first step for taking over high-value cryptocurrency accounts and social media profiles, not just phone service. It's a different entry point from credential stuffing, but the same goal: take over an account without ever needing the real password.

How the attack actually happens

Most SIM swaps succeed through social engineering, not technical exploitation. An attacker gathers enough of your personal information — often from data broker sites, previous breaches, or public social media, sometimes via a targeted phishing message — to convincingly impersonate you to a carrier's support line or retail staff, then requests either a SIM replacement or a port-out to a new carrier. If the carrier's verification isn't strong enough to catch the impersonation, the number moves, and the legitimate device goes dark — no signal, no calls, no texts — the moment the transfer completes.

The SEC's own X account: a case study in exactly this attack

On January 9, 2024, the @SECGov account on X posted a fake announcement claiming the SEC had approved spot Bitcoin ETFs. Bitcoin jumped roughly $1,000 within minutes, then fell about $2,000 once the SEC confirmed the post was fraudulent — a real market swing caused entirely by a hijacked phone number. The SEC later confirmed the account had multi-factor authentication disabled at the time, at staff's own request, after the agency had trouble accessing the account months earlier. With MFA off, gaining control of the associated phone number and resetting the password was all that was needed.

The FBI later arrested Eric Council Jr., who admitted to creating a fake ID using stolen personal information, presenting it in person at a carrier store, and obtaining a new SIM tied to the victim's number — paid in Bitcoin for his role. He pleaded guilty in 2025. Nothing about the attack required breaking into the SEC's systems; it required breaking into a carrier's verification process for one phone number.

What carriers are now required to do about it

The FCC adopted new rules on November 15, 2023 requiring wireless carriers to use secure authentication methods before processing a SIM change or port-out, and to notify customers immediately when either request is made on their account. In practice, enforcement has been slower than the headline date suggests — carrier trade groups petitioned for delays tied to federal paperwork review, pushing full compliance well into 2024 and, for some provisions, into 2025. Don't assume every carrier has these protections fully live; ask directly.

How to protect yourself

Is SIM swapping the same thing as phone cloning?

No, and the mechanics are different. Phone cloning copies your SIM's identifying data onto a second physical card, letting both operate on the network simultaneously — it requires physical access to your original SIM and is largely obsolete against modern networks. SIM swapping needs no physical access to your device at all; it works entirely through convincing your carrier, remotely or in-store, to move your number to a SIM the attacker holds.

Does a strong PIN with my carrier fully stop SIM swapping?

It closes the most common route, but not every route. A port-out or SIM-change PIN stops an attacker who only has your name, address, and a bit of social engineering — which is how most SIM swaps succeed. It does not stop an attacker who has compromised a carrier employee directly, exploited a flaw in the carrier's own verification system, or obtained the PIN itself through a separate breach or SIM-swap-as-a-service scheme. A PIN is a strong baseline, not a guarantee.

Why is SMS-based two-factor authentication considered weak against this attack?

Because SMS 2FA verifies possession of a phone number, not possession of a specific physical device — and SIM swapping's entire purpose is transferring that number to a device the attacker controls. Once the swap succeeds, every SMS code meant for you goes to them instead, including password reset links and login verification codes. An authenticator app or hardware key ties verification to a specific device or secret, not a phone number, which is exactly what a SIM swap can't redirect.

Can I tell if I've been SIM swapped in real time?

The clearest signal is sudden, unexplained loss of cell service — no bars, no ability to make calls or receive texts — when your phone should otherwise have signal. That's often the first sign your number has just been moved to another device. FCC rules adopted in November 2023 now require carriers to notify customers of SIM change or port-out requests, which should narrow that detection window going forward as carriers finish implementing them.

Does an eSIM make SIM swapping harder?

Not meaningfully, because the vulnerability is administrative, not physical. An eSIM removes the need for a physical card to be swapped, but an attacker doesn't need the physical card either way — they need your carrier's account system to authorize moving your number to a device they control. eSIM changes how the transfer happens technically; it doesn't change the social-engineering or account-security weakness that makes the transfer possible in the first place.