SIM Swapping Attacks: How They Work and How to Prevent Them
In January 2024, the SEC's official X (Twitter) account was compromised through a SIM swap attack. The attacker used the hijacked account to post a fake announcement about Bitcoin ETF approval, briefly moving cryptocurrency markets. This wasn't an exotic attack — it was the same technique used to steal millions from cryptocurrency holders, take over celebrity social media accounts, and compromise corporate executives.
SIM swapping is one of the most devastating yet underappreciated cybersecurity threats facing individuals today. It exploits the weakest link in mobile security: human customer service representatives at telecom carriers.
What Is SIM Swapping?
A SIM swap (also called SIM hijacking or SIM jacking) is an attack where a criminal convinces your mobile carrier to transfer your phone number from your SIM card to one they control. Once the transfer is complete, the attacker receives all calls and text messages intended for you — including SMS-based verification codes.
The attack doesn't require any technical sophistication. No malware, no hacking tools, no exploitation of software vulnerabilities. It relies entirely on social engineering: manipulating a carrier employee into performing a legitimate action (transferring a number) for an illegitimate purpose.
How the Attack Works, Step by Step
Reconnaissance
The attacker gathers personal information about the target — full name, address, date of birth, last four digits of SSN, carrier account PIN. This data often comes from data breaches, social media, phishing, or data broker sites.
Carrier Contact
The attacker calls the target's mobile carrier (or visits a store) and impersonates the victim. They claim they've lost their phone or need a new SIM card. They provide the stolen personal information to pass identity verification.
Number Transfer
The carrier representative, convinced they're speaking with the legitimate account holder, activates a new SIM card with the victim's phone number. The victim's phone immediately loses service.
Account Takeover
The attacker now receives all SMS messages and calls. They immediately trigger "forgot password" flows on the victim's accounts, receiving the 2FA codes on their device. Email, banking, crypto wallets, social media — anything secured by SMS 2FA is now accessible.
Extraction
The attacker drains financial accounts, transfers cryptocurrency, changes passwords and recovery options, and locks the victim out of their own accounts. This typically happens within minutes — speed is essential before the victim realizes what's happening.
Real-World Cases
SIM swapping isn't theoretical. It has caused millions of dollars in documented losses and continues to grow as an attack vector.
The $24 Million Cryptocurrency Theft (2018)
Michael Terpin, a prominent crypto investor, lost $24 million in cryptocurrency after his phone number was SIM-swapped. The attacker used the hijacked number to access Terpin's cryptocurrency accounts and transfer his holdings. Terpin later sued AT&T for $224 million, arguing the carrier's negligence enabled the attack.
The SEC Twitter Hack (2024)
The U.S. Securities and Exchange Commission's official X account was compromised via SIM swap in January 2024. The attacker posted a fake announcement about Bitcoin ETF approval from the official @SECGov account. The post briefly moved Bitcoin's price before being identified as fraudulent. The SEC later confirmed that multi-factor authentication had been disabled on the account and that the compromise was accomplished through a SIM swap of the phone number associated with the account.
Twitter's Own CEO (2019)
Jack Dorsey, then-CEO of Twitter, had his own Twitter account compromised through a SIM swap in August 2019. Offensive tweets were posted from his account before control was restored. The irony — the CEO of a major tech company falling victim to a basic social engineering attack — highlighted how universal the vulnerability is.
The FBI's IC3 reported over $68 million in SIM swapping losses in 2021 alone, with 1,611 complaints filed. The real numbers are certainly higher, as many victims don't report or don't realize they've been SIM-swapped.
Who Gets Targeted?
While anyone can be a victim, certain profiles attract more attention from SIM swappers. Cryptocurrency holders are the primary target because crypto transactions are irreversible — once funds are transferred, they can't be recovered through a bank chargeback. Public figures and influencers are targeted for account access and blackmail. Business executives are targeted for corporate espionage and business email compromise. And anyone with a visible online presence who has shared personal details (birth date, hometown, etc.) is vulnerable.
Warning Signs You're Being SIM-Swapped
The most immediate sign is sudden loss of cellular service. If your phone unexpectedly shows "No Service" or "Emergency Calls Only" and restarting doesn't fix it, a SIM swap may be in progress. Time is critical at this point.
Other indicators include unexpected "SIM changed" notifications from your carrier, inability to make calls or send texts, receiving emails about password changes you didn't request, notification that your email account recovery options have been changed, and unusual login alerts from services you use.
If you suspect a SIM swap is happening: Call your carrier immediately from a different phone. Go to a physical carrier store with ID if possible — this is faster than phone support. Change passwords for critical accounts (email first) from a computer, not from your phone. Alert your bank and freeze accounts if necessary.
How to Protect Yourself
At Your Carrier (Most Important)
- Set a strong account PIN: All major carriers allow this. Make it unique — not your birthday or last 4 SSN digits.
- Enable SIM/number lock: T-Mobile offers "Account Takeover Protection." AT&T has "Extra Security." Verizon offers "Number Lock." Enable these features in your carrier's app or account settings.
- Add a port-out PIN: This is a separate PIN required specifically for transferring your number to another carrier.
- Request "do not port" status: Some carriers can flag your account to prevent porting without in-person verification with government ID.
On Your Accounts
- Switch from SMS 2FA to app-based 2FA: This is the single most impactful step. Use Google Authenticator, Authy, or a hardware key. A SIM swap is useless if the attacker doesn't receive your 2FA codes.
- Use unique, strong passwords everywhere: A password manager makes this manageable.
- Set up account recovery email (not phone): Where possible, use email-based recovery instead of SMS-based recovery.
- Enable login notifications: Know immediately when someone accesses your accounts.
Personal Information Hygiene
- Minimize personal information shared on social media — birthday, hometown, mother's maiden name are all common security questions.
- Opt out of data broker sites that publish your personal information.
- Be skeptical of phone calls or emails asking for personal information, even if they appear to be from your carrier.
- Use a secondary number for online activities to keep your primary number out of breach databases.
The Carrier Responsibility Problem
A fundamental issue with SIM swapping is that carriers bear minimal consequences for failing to protect customers. The incentive structure is misaligned: carriers prioritize customer convenience (quick number transfers, easy account access) over security. A customer locked out of their account is an immediate support cost; a SIM swap victim is a rare liability.
Some progress is being made. In November 2023, the FCC adopted new rules requiring carriers to implement better customer authentication before processing SIM swaps and port-outs. Carriers must now notify customers of any SIM change or port-out request and must offer customers the ability to lock their accounts against unauthorized changes. However, enforcement remains a question, and the rules primarily apply to US carriers.
Until carriers bear real financial liability for SIM swap attacks, the responsibility for protection falls primarily on individuals. The steps outlined above — particularly switching away from SMS-based 2FA — are your best defense.
Conclusion
SIM swapping is a low-tech attack with potentially devastating consequences. It exploits the fundamental weakness of using phone numbers as identity verification: the carrier, not you, ultimately controls who receives messages sent to your number.
The best protection combines carrier-level security (account PINs, SIM locks) with account-level changes (app-based 2FA instead of SMS). If you do nothing else after reading this article, switch your email and financial accounts from SMS 2FA to an authenticator app. That single change eliminates the primary attack vector for SIM swap victims.
Looking into virtual numbers?
Temporary virtual numbers avoid SIM swap risk entirely — there's no SIM to swap. Try our free tool for non-sensitive verifications.
Use the Free Tool