SIM swapping is a form of number takeover. The attacker convinces a mobile carrier to move your phone number to a SIM or eSIM they control. Once that happens, they can receive SMS recovery codes, intercept calls, and reset accounts that treat your phone number as proof of identity.
The fastest way to reduce harm is to treat SIM swapping as a control-plane incident. Your phone number is not just communications, it is a recovery key for email, banking, and social accounts.
First 30 minutes: stop the cascade
| Signal | Do this first | Goal |
|---|---|---|
| You suddenly lose cell service (no signal), or calls/texts stop working | Contact your carrier from another phone and ask if a SIM swap or port-out occurred. | Reclaim the number before it is used to reset accounts. |
| You receive carrier alerts about a new SIM/eSIM or port-out you did not request | Lock the carrier account (PIN, port freeze), then secure the email inbox immediately. | Prevent SMS and email based resets from being abused. |
| Your email, bank, or social accounts show password reset activity | Secure the inbox, end unknown sessions, and change passwords from a known-good device. | Stop the attacker from using recovery to pivot. |
| You see new payees, transfers, or card-not-present charges | Contact the bank immediately and preserve evidence. | Financial dispute options can be time-sensitive. |
Rule of thumb: when your number is taken, assume your accounts are next. Secure the inbox and financial accounts in parallel with the carrier call.
How SIM swapping works
Carriers have to support number moves. That creates a social-engineering opportunity. Attackers typically use:
- personal data from breaches to pass identity checks
- impersonation and pressure tactics on support staff
- account access via a weak carrier PIN or no port-out protection
Once the number is moved, attackers use it to receive SMS codes, bypass password resets, and impersonate you. Messaging apps tied to your number can be taken over quickly, including WhatsApp. Use how to recover a hacked WhatsApp account after you stabilize the carrier layer. The FTC explains SIM swap scams and how to protect yourself here: SIM swap scams: how to protect yourself (FTC).
Containment sequence (what to do in order)
1) Reclaim the number with the carrier
Use a known support channel for your carrier and escalate quickly. Ask specifically whether a SIM swap, eSIM change, or port-out was processed. If the carrier can restore your number, request a stronger account PIN and port-out protection immediately.
Do not assume service will "come back" on its own. If this is a SIM swap, every minute is an opportunity for account resets.
2) Secure the email inbox first
Email is the reset button for most services. If the attacker resets the inbox, they can persist even after you reclaim the number. End unknown sessions on email, change the email password to a unique value, and review forwarding rules.
3) Remove SMS as the recovery method where possible
After containment, reduce dependency on the phone number. Enable app-based authentication where supported and move critical accounts away from SMS-only security. Use two-factor authentication (2FA) as the baseline and prefer stronger methods when available.
4) Reset passwords and end sessions on high-value accounts
Focus on accounts that can reset other accounts or move money: email, banking, payment apps, Apple/Google accounts, and social accounts that can be used for impersonation. Use unique passwords stored in a password manager and force logout of other devices where possible.
5) Check financial accounts for new activity
Look for new payees, password resets, and unusual transactions. If you see fraud, contact the institution quickly. If you need a checklist for banking incidents, use bank account hacked.
6) Preserve evidence
Keep screenshots of carrier alerts, timestamps, support ticket numbers, and any account security emails. Evidence helps with disputes and with downstream recovery.
Warning signs you should not ignore
- unexpected "SIM change" or "eSIM activated" notifications
- password reset emails you did not request
- repeated MFA prompts or verification codes arriving unexpectedly
- sudden loss of cell service with no outage explanation
If you see repeated prompts, treat it as an active attack. Use MFA fatigue (push bombing) for containment patterns that apply beyond SIM swaps.
Prevention that actually reduces SIM swap risk
Carrier account hardening
- set a strong carrier account PIN that is not reused anywhere else
- enable port-out protection or a port freeze if available
- remove stale authorized users and old contact channels from the carrier profile
Reduce number-based recovery dependence
When your phone number is the recovery key for everything, number takeover becomes identity takeover. Make the inbox the most protected account you own and use stronger factors that do not depend on the carrier.
Reduce public exposure and targeting
Attackers use public data to pass verification and to target you. Reduce what is public when it is not needed. A practical baseline is reduce your digital footprint.
What this means in practice
SIM swapping is scary because it breaks a common mental model: that your phone number is "yours". In reality, your number is a carrier-managed account feature that can be moved through support processes. The defense is to assume the process can be abused and to design recovery so the number is not a single point of failure.
When the carrier account is locked and when SMS is not your main security factor, the attacker loses leverage. They can still try other paths, but the takeover becomes slower and noisier, which gives you time to respond.
The goal is a posture where losing phone service is an inconvenience, not an identity collapse. Strong inbox security, strong authentication, and minimized recovery dependencies are what make that goal realistic.