SIM swapping is an account takeover technique where an attacker gets your mobile carrier to move your phone number to a SIM they control.
Once they control the number, they can receive calls and texts meant for you, including sign-in codes, password reset links, and fraud alerts.
Why it matters for account recovery
Your phone number is often part of the control plane: it can reset email, banking, and social accounts. If the number is taken, 'reset your password' stops being a defense and becomes an attacker tool.
Common failure modes and misconceptions
- Assuming SMS-based verification is strong: It helps against some threats, but it is vulnerable when the phone number can be reissued or ported.
- Missing the early signal: Sudden loss of service, SIM activation notices, or repeated 'no longer active on this device' prompts can be the start of the takeover.
- Weak carrier account security: If a carrier account has no PIN, reused passwords, or easy-to-guess recovery, it becomes the path to everything else.
Safe best practices
- Set a carrier account PIN or port-out lock and keep it private.
- Prefer strong authentication methods that do not depend on a phone number for critical accounts.
- Treat unexpected loss of service as a security incident. Secure email and identity accounts quickly from a trusted device.
- Keep backup recovery methods that do not require SMS in case the number is unavailable.
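The control-plane point under "Why it matters for account recovery" and the backup-recovery practice above can be checked against your own account inventory. This Python sketch is an added example, not part of the original page; the account names, recovery paths and function names are constructed for illustration.

```python
# Constructed inventory. Each account lists its recovery paths; a path is the
# set of things someone must control to reset the account, and any one complete
# path is enough. All names are hypothetical.
WEAK = {
    "email":    [{"phone"}, {"security_key"}],
    "bank":     [{"email"}, {"phone", "card_pin"}],
    "social":   [{"email"}],
    "payments": [{"phone"}],
    "carrier":  [{"carrier_pin"}],
}
HARDENED = {
    "email":    [{"security_key"}, {"backup_codes"}],
    "bank":     [{"email", "authenticator_app"}],
    "social":   [{"email"}],
    "payments": [{"authenticator_app"}],
    "carrier":  [{"carrier_pin"}],
}

def exposed_accounts(inventory, lost):
    """Return {account: path used} for accounts resettable once `lost` is out of your control."""
    controlled = set(lost)
    exposed = {}
    changed = True
    while changed:  # repeat until no new account falls (fixed point)
        changed = False
        for account, paths in inventory.items():
            if account in exposed:
                continue
            for path in paths:
                if path <= controlled:  # every requirement of this path is met
                    exposed[account] = sorted(path)
                    controlled.add(account)  # this account can now reset others
                    changed = True
                    break
    return exposed

def sms_only_lockout(inventory):
    """Accounts where every recovery path needs the phone number."""
    return sorted(a for a, paths in inventory.items()
                  if all("phone" in p for p in paths))

if __name__ == "__main__":
    for name, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "exposed if number is lost:", exposed_accounts(inv, {"phone"}))
        print(name, "locked out without SMS:", sms_only_lockout(inv))
```

In the weak inventory the bank and social accounts fall without ever using SMS themselves, because the email account that resets them does.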
SIM swapping is rarely a 'phone problem' in isolation. Treat it as a control plane compromise and rebuild trust from the accounts that can reset everything else.
