SIM swapping: What you need to know to stay protected

Your phone number is more powerful than you think: it’s a key to recovering access to your bank account, email, crypto wallet, and social feeds. But that convenience has a downside—criminals can steal your number without ever touching your handset, then raid accounts that rely on text-message codes for login or recovery. They can reset your passwords, access your accounts, and lock you out of your own identity.

This tactic, called SIM swapping, cost Americans nearly $49 million in 2023 alone. It was also recently revealed that one of the largest crypto heists in history was carried out using SIM swapping—$400 million worth of assets were stolen from the FTX crypto exchange.

This guide explains SIM swapping, how it works, how to spot the warning signs, and, most importantly, how to stop it. Whether you’re already dealing with suspicious activity or just trying to stay safe, you’ll find clear, practical advice you can act on.

What is a SIM card, and how does it work?

A SIM (subscriber identity module) is a fingernail-sized chip that tells your network who you are through:

1. Identity and location: The SIM stores your international mobile subscriber identity (IMSI) and an integrated circuit card identifier (ICCID). The IMSI identifies your subscription to the network, while the ICCID is the SIM card’s unique ID. Together, these identifiers let your mobile network authenticate and manage your connection.
2. Security keys: The SIM carries cryptographic keys used to authenticate your device with the mobile network before a call, text, or data session starts. These keys function like a shared secret between your SIM and the network, used to prove your identity securely. This “password exchange” happens behind the scenes every time your phone interacts with the network to make sure only authorized devices can access mobile services.

Without a valid SIM profile, your network won’t route calls, texts, or data. When you move your SIM card to a new phone, your identity goes with it. With eSIMs, your number can be transferred digitally through your carrier to a new device without needing a physical SIM card. This easy transfer is what makes SIM swapping so disruptive.

What is SIM swapping?

SIM swapping—sometimes called a SIM swap, SIM jacking, or SIM porting—happens when an attacker tricks or bribes a carrier into transferring your phone number to a SIM they control.

Once the transfer lands, every voice call and text code meant for you flows to their handset. With those one-time passcodes, the attacker can reset passwords, drain wallets, or buy crypto in your name.

It doesn’t take much to become a target. Phone numbers are tied to more accounts than most people realize. If a scammer gets access, they’re not just hijacking your number—they’re stealing your digital identity. Let’s break it down.

How does SIM swapping work?

Attackers typically follow a four-step playbook:

1. Data mining: They scrape public social media posts, run phishing emails, or use information exposed in data leaks to gather your birth date, address, and answers to common security questions.
2. Carrier contact: Using that data, they pose as you in an online chat or call center and claim, “My phone was stolen; I need a replacement SIM.” Successfully tricking the carrier at this stage often involves bypassing identity verification procedures, which can vary by country, especially depending on how strict the local SIM card registration laws are.
3. Number transfer: If the rep accepts the story, they transfer your phone number to a fresh SIM or eSIM profile, cutting off service to your device. At this point, all your calls and texts will go to the attacker.
4. Account takeover: If your accounts rely on text-message two-factor authentication (2FA), attackers can use those codes to reset passwords, drain wallets, or buy crypto in your name.

In some rarer cases, the SIM swap is carried out by an insider: a carrier employee bribed to make the switch. Regardless of the method, the result is the same—your digital life is routed through someone else’s pocket.

💡Tip: Be proactive. If you’re in the U.S., ExpressVPN’s data removal service—part of its Identity Defender suite—can help limit how much of your personal information is available to data brokers, making it harder for attackers to gather details about you in the first place.

Signs you may be a victim of SIM swapping

Here’s a breakdown of how to tell if you’ve been SIM-swapped.

You suddenly lose cell service

The most immediate and obvious sign is a sudden loss of cellular service. Your phone says “No service” or “Emergency calls only” even though you’re in a strong coverage area and your bill is paid. If rebooting your phone doesn’t help, that could be a sign your number has been moved to a different SIM.

You can’t send or receive texts or calls

If your phone has lost cellular service, you won’t be able to place calls or send or receive standard SMS texts. This will be true whether you’re connected to Wi-Fi or not, as calls and texts rely on your mobile network, which is disabled during a SIM swap.

Suspicious activity on bank or social accounts

SIM swappers move fast. Once they get your number, they try to access accounts that rely on SMS-based security codes. You might see password-reset emails arriving in bulk, new logins appearing from unfamiliar devices or locations, or a financial alert flagging a transfer you didn’t initiate.

You’re alerted that your number is on a new device

In some countries, mobile carriers now send alerts such as “SIM swap pending” or an SMS confirming that your phone number has been activated on a new device. If you get this type of notification and you didn’t request the change, your number may be under attack. Remember: never approve a request you didn’t initiate.

What to do if your SIM gets swapped

Speed is your best defense. The moment you notice lost service or unfamiliar activity, work through the steps below and keep notes as you go:

1. Call your mobile carrier

Use a different phone to contact support and report that you suspect a SIM swap. Ask the rep to suspend the new SIM and restore your number to a SIM or eSIM profile under your control. Keep a record of the date, time, and agent’s name.

2. Lock down your money

Call your bank or card issuer next. Explain the swap, freeze transactions, and review recent activity while a support agent is on the line. If you spot unauthorized transfers, start the dispute process right away. Keep real-time spending alerts active so fresh charges can’t slip past you.

💡Tip: U.S. users can also take advantage of ExpressVPN’s identity protection service—Identity Defender with Credit Scanner—which can closely monitor your credit reports for any suspicious new accounts or activity.

3. Reset passwords and switch from SMS-based 2FA to an app

Begin with your primary email account, then move on to banking, social media, and any cloud services. Change every password and replace SMS codes with an authenticator app like Google Authenticator that the attacker can’t intercept. When the carrier restores your line, re-enable 2FA using the new method to close the gap for good.

4. Report the crime

File a report with your national cybercrime unit. Share the reference numbers with your bank and carrier—official paperwork often speeds up reimbursements and internal investigations.

5. Track every step you take

Write down every call, ticket number, and promised action, then follow up within 24 hours to confirm progress. A clear timeline helps resolve disagreements later and reinforces that you’re actively following up on the issue.

How to prevent SIM swapping

Don’t link your phone number to online accounts

Avoid using your phone number as a login or recovery method whenever possible. Instead, use an email address or authenticator app for accessing and recovering your account. This reduces the risk if you fall victim to phone number hijacking. But remember, email accounts can also be compromised (and email accounts are also frequent targets for hackers), so of the two options, an authenticator app is the stronger choice.

Use multi-factor authentication

Beyond relying on just a password, multi-factor authentication (MFA) adds extra layers of security to your accounts:

• Authenticator apps: These generate codes on your device, not through text messages, making them immune to SIM swap attacks. That means even if someone gets control of your number, they can’t access your 2FA codes. Apps like Google Authenticator, Authy, or Microsoft Authenticator are good options.
• Biometrics: Many devices and apps now offer biometric authentication like fingerprint or face ID, which adds a strong layer of device-level security, preventing access to certain apps or actions even if someone gains access to your phone number.
• Physical security keys: Hardware tokens like YubiKeys provide a highly secure way to authenticate. They often require physical interaction and use cryptographic keys, making them very difficult to compromise. They’re especially useful for protecting email and financial accounts.

Ask your carrier for an account PIN or lock

Most carriers let you set up an account-specific PIN or security question. This makes it harder for attackers to impersonate you.

Some also offer number lock or account lock features, which add an extra verification step before your number can be transferred to another SIM.

Others provide callback verification, where they’ll call your registered number to confirm any account changes. If enabled, this extra step could stop a SIM swap in progress.

Set up alerts on your accounts

Many banks and online services let you enable alerts for login attempts, password changes, or withdrawals. These can give you early warnings if something’s wrong.

Audit your most sensitive accounts regularly

Check the security settings of your financial, email, and social media accounts. Look for signs of unauthorized access, update your recovery methods, and review which accounts rely on your phone number for logins or recovery.

Follow the basic rules of online safety

Finally, smart online habits can help you shut down most SIM-swap attempts before they start.

• Pause before you click: Skip links and attachments in unexpected messages, even if they look familiar. This keeps phishers from stealing the personal clues they use to impersonate you in a swap request.
• Keep details off‑limits: Don’t post or share your phone number, address, or ID numbers on public sites. Less exposed info means fraudsters have fewer answers to pass a carrier’s security check.
• Verify every caller: If someone claims to be from your carrier, hang up and call your carrier’s official support line. Calling back on a verified number stops social engineers from hijacking your service in real time.
• Never hand over account credentials: Your provider won’t ask for passwords, PINs, or banking data by phone, email, or text. Guarding these codes locks attackers out of the data they need to migrate your number.
• Use unique passwords everywhere: By using distinct logins for each online service, including your carrier account, you significantly limit the damage of a data breach. If one site is compromised, the criminals won’t automatically gain access to your other sensitive accounts. A password manager like ExpressVPN Keys helps you create and store strong passwords without reusing them.
• Skip in-app autofill: Avoid using built-in autofill features in browsers and apps, which can be less secure than using a dedicated password manager. If your phone is lost or compromised by malware, saved autofill details can hand attackers access on a silver platter.

Real-world examples of SIM swap scams—and what’s really at stake

SIM swapping isn’t just a technical problem—it’s personal. For many victims, it starts with a small disruption and snowballs into stolen money, damaged reputations, and years of recovery.

Take the case of Jack Dorsey, former CEO of Twitter. In 2019, attackers used SIM swapping to take control of his phone number. Within minutes, they used a text-to-post service to publish offensive tweets from his account. The breach didn’t last long, but it made global headlines and exposed how vulnerable even tech leaders can be.

Or consider Michael Terpin, a crypto investor who lost more than $20 million after his phone number was hijacked. The attacker bypassed account protections, gained access to his digital wallet, and drained it. Terpin later sued his mobile carrier, arguing that weak internal controls opened the door to the theft.

These aren’t isolated cases. SIM swapping has been linked to widespread attacks on people ranging from high-profile celebrities to everyday users. Here’s what the attackers can do:

• Identity theft: Once someone has control of your number, they can impersonate you online, take over your email, log into your bank, and reset passwords. They can also use personal data from your accounts to apply for loans or lines of credit in your name.
• Financial loss: A stolen number can lead to drained bank accounts, unauthorized credit card purchases, and even cryptocurrency theft. If your financial accounts rely on SMS-based two-factor authentication, a SIM swap gives scammers exactly what they need to get in.
• Invasion of privacy: A successful SIM swap can expose your text messages, photos saved to cloud-linked messaging apps, and your contact list. The attacker might use your number to message friends, request access codes, or dig through personal conversations without your knowledge.
• Reputation damage: Someone using your number could post to your social media, impersonate you in messages, or scam your contacts. Depending on the situation, this can damage relationships or affect your career.

Final thoughts: Staying ahead of mobile scams

A stolen phone number isn’t just a nuisance—it’s a threat to your digital life. From banking to email and social media, your number can unlock almost everything. That’s why protecting yourself is vital.

Use authentication apps, set up account PINs, avoid using your number for logins, and keep an eye out for suspicious activity. Prevention takes a few minutes. Recovering from identity theft can take years.

While a VPN won’t prevent SIM swapping, it’s still a smart way to secure your online activity—especially on public Wi-Fi. ExpressVPN encrypts your traffic, adding a strong layer of privacy so your data stays safe while you stay connected.