SIM Swap Attack: How It Works and How to Stop It (2026)

A SIM swap attack hijacks your phone number to steal SMS 2FA codes and take over accounts. How it works, the warning signs, and the concrete 2026 defenses: carrier port-freeze, app-based 2FA, hardware keys and passkeys.

By Eric Gerard · Editor · PwdFortress · 3 min read

Your phone number was never meant to be a security key — but for years, SMS one-time codes turned it into one. A SIM swap attack exploits exactly that: by hijacking your number, an attacker receives your text-message 2FA codes and walks into your accounts. This guide explains how the attack works, the warning signs, and the concrete defenses that actually stop it in 2026.

How a SIM swap attack works

The mechanism is social engineering, not hacking your phone:

  1. The attacker gathers your personal data (from breaches, phishing, or your public social media).
  2. They contact your mobile carrier, impersonate you, and request that your number be moved to a new SIM (a "port" or SIM replacement) — sometimes helped by a bribed store employee.
  3. Your phone loses service; the number now lives on the attacker's SIM.
  4. Every SMS — including one-time 2FA codes — now arrives on their device. They trigger password resets and take over email, then banking, crypto and social accounts.

The root weakness is that SMS codes follow the phone number, not you.

Warning signs

  • Sudden loss of cellular service (no calls/texts/data) while others around you are fine.
  • A carrier alert about a SIM change or port-out you did not request.
  • Being logged out of accounts unexpectedly, or password-reset emails you did not start.

If your phone goes dead and stays dead, assume a possible SIM swap and act immediately.

The defenses that actually work

1. Lock the number at the carrier. Add a PIN / port-freeze / Number Lock so your number cannot be transferred without it. This is the single carrier-side control that blocks most swaps.

2. Get off SMS 2FA — this is the key move. Because a SIM swap only defeats text-message codes, move your important accounts to 2FA that is not tied to your phone number: an authenticator app, a hardware key or a passkey.

3. Remove the phone number as a recovery method on critical accounts where the platform allows it.

4. Shrink your exposed data — the attacker needs personal details to impersonate you. Strong, unique passwords in a manager mean a SIM swap alone is not enough to cascade across accounts.

If you are being SIM swapped right now

  1. Call your carrier from another phone to re-secure the number and reverse the swap.
  2. From a trusted device, secure your email first (it is the master key): change the password, revoke sessions, switch off SMS 2FA.
  3. Do the same for banking, crypto and social accounts, in that order.
  4. Contact your bank to flag fraud, and file a report with the relevant authority.

Speed is everything: your risk window is the gap between the swap and you regaining control. For the full incident playbook, see what to do when your account is hacked.

The bottom line

A SIM swap is powerful only against SMS-based verification. Lock your number at the carrier, move every important account to an authenticator app, hardware key or passkey, and keep strong unique passwords in a manager. Do that and hijacking your phone number stops being a master key to your digital life.

Editorial guide based on documented SIM-swap attack methods and the documented properties of SMS, TOTP, FIDO2 and passkey authentication. We name SMS 2FA's specific weakness plainly. Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.
