SIM swapping is when an attacker convinces your mobile carrier to move your phone number to a SIM or eSIM they control.
Once they control the number, they can receive calls and texts meant for you, including sign-in codes, password reset links, fraud alerts, and the recovery checks used to verify your identity.
Why it matters for account recovery
Your phone number is often part of the control plane: it can reset email, banking, and social accounts. If the number is taken, 'reset your password' stops being a defense and becomes an attacker tool.
Common failure modes and misconceptions
- Assuming SMS-based verification is strong: It helps against some threats, but it is vulnerable when the phone number can be reissued or ported.
- Missing the early signal: Sudden loss of service, SIM activation notices, or repeated 'no longer active on this device' prompts can be the start of the takeover.
- Weak carrier account security: If a carrier account has no PIN, reused passwords, or easy-to-guess recovery, it becomes the path to everything else.
Safe best practices
- Set a carrier account PIN or passcode and enable a port-out lock or transfer freeze when your carrier offers one.
- Prefer stronger authentication methods that do not depend on a phone number for critical accounts, such as passkeys, security keys, or authenticator apps.
- Treat unexpected loss of service as an active security incident. Secure email, banking, and identity accounts quickly from a trusted device.
- Keep backup recovery methods that do not rely on the same phone number in case the number is unavailable.
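The control-plane point and the practices above can be checked against your own account inventory. The following is an added example, not part of the original page: it models which accounts can be reset from which factors and computes everything that falls if the phone number is taken. The account names, factor names, and recovery paths are constructed assumptions for illustration.

```python
from collections import deque

# Constructed inventory (assumption): each account lists the factors that can
# reset it. Control of ANY one listed factor is enough to take the account.
# A factor may itself be an account, e.g. "email" resets "bank".
RECOVERY = {
    "email":   ["phone_number", "security_key"],
    "bank":    ["email", "phone_number"],
    "social":  ["email"],
    "carrier": ["carrier_pin"],
}

def exposed_accounts(recovery, lost_factor="phone_number"):
    """Return every account reachable through reset paths once lost_factor is taken."""
    controlled = {lost_factor}
    queue = deque([lost_factor])
    while queue:
        current = queue.popleft()
        for account, factors in recovery.items():
            if account not in controlled and current in factors:
                controlled.add(account)   # the reset succeeded
                queue.append(account)     # this account may now reset others
    return sorted(controlled - {lost_factor})

def drop_phone_recovery(recovery, accounts, factor="phone_number"):
    """Copy of the inventory with phone-based recovery removed from the named accounts."""
    return {
        acct: [f for f in factors if not (acct in accounts and f == factor)]
        for acct, factors in recovery.items()
    }

if __name__ == "__main__":
    print("as configured:       ", exposed_accounts(RECOVERY))
    # Hardening only the bank does not help: email still resets it.
    print("bank hardened only:  ", exposed_accounts(drop_phone_recovery(RECOVERY, {"bank"})))
    # Hardening email first cuts the transitive paths through it.
    print("email hardened only: ", exposed_accounts(drop_phone_recovery(RECOVERY, {"email"})))
    print("both hardened:       ", exposed_accounts(drop_phone_recovery(RECOVERY, {"email", "bank"})))
```

The output shows why the order matters: removing phone recovery from a downstream account changes nothing while the account that can reset it still accepts the number.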
SIM swapping is rarely a 'phone problem' in isolation. Treat it as a control plane compromise and rebuild trust from the accounts that can reset everything else.
