SIM Swap Fraud Explained: What It Is and How to Stop It
SIM swap fraud lets criminals take over your phone number — and with it your bank's 2FA. Learn how it happens and three ways to stop it.
Last Updated: February 2026
Key Takeaways:
- SIM swap fraud transfers your phone number to a criminal's SIM, letting them receive your SMS-based 2FA codes
- The signs are sudden loss of mobile service and inability to log into your banking and email accounts
- Setting a carrier PIN is the single most effective individual prevention step
- Switching from SMS-based 2FA to an authenticator app removes SIM swap as a relevant threat vector
- If swapped, act within minutes — accounts can be drained rapidly
What Is SIM Swap Fraud?
Your mobile phone number has become a security credential. Banks, email providers, and countless other services use it to send one-time passwords, verify your identity during password resets, and confirm account changes.
SIM swap fraud exploits this. A criminal convinces your mobile carrier to transfer your number to a SIM card they control. Once your number is live on their device, every SMS sent to you — including your bank's OTP codes — goes to them.
With your phone number and your already-compromised password (obtained through phishing, data breaches, or social engineering), they can bypass your bank's SMS-based two-factor authentication entirely.
How SIM Swap Happens: High-Level Overview
Step 1: Gathering your information Before approaching your carrier, the criminal collects enough of your personal information to impersonate you. This typically includes your full name, address, date of birth, carrier account number, and potentially the last four digits of your payment card on file.
This information comes from data breaches, phishing, social media, or previous social engineering attacks.
Step 2: Contacting your carrier The criminal contacts your mobile carrier — by phone, online chat, or in-store — and requests a SIM transfer or account number port. They claim to have a new phone, a lost SIM, or some other legitimate reason for the transfer.
They answer security questions using the information they have gathered.
Step 3: The swap If the carrier's verification is satisfied, the number is transferred. Your SIM becomes inactive immediately — your phone loses signal.
Step 4: Account access With your number active on their device, the criminal:
- Requests "forgot password" resets on your email and banking accounts
- Receives the SMS OTP codes needed to complete the reset
- Changes your account credentials (locking you out)
- Transfers funds, applies for credit, or extracts data
The entire sequence from successful swap to account access can take minutes.
Warning Signs Your SIM Has Been Swapped
- Your phone suddenly shows "No service," "SOS only," or "Emergency calls only" — in an area where you normally have coverage
- You cannot make or receive calls or texts on a phone you have not changed or damaged
- You receive a message from your carrier about a SIM change you did not initiate
- You cannot log into email or banking accounts — because someone has used your number to reset the credentials
- You receive OTP codes you did not request on a device that still has signal (suggesting the swap was attempted but not yet completed, or a different account is being targeted)
How to Protect Yourself: 3 Key Steps
Step 1: Set a Carrier Account PIN or Password
Contact your mobile carrier and ask to set a PIN, password, or "port-out protection" on your account. This adds a mandatory verification step — your PIN must be provided before any SIM transfer is processed.
The terminology varies by carrier:
- In the UK: Ask for an "account PIN" or "port authorisation code protection"
- In the US: Ask for a "port freeze," "account PIN," or "number lock" depending on your carrier
Identity Theft & SIM Swap: Prevention and Recovery Guide provides a carrier-specific step-by-step guide.
Step 2: Switch from SMS 2FA to an Authenticator App
This is the most complete solution: if your banking and email 2FA does not rely on SMS, SIM swap becomes irrelevant for those accounts.
Authenticator apps (such as Google Authenticator, Authy, or Microsoft Authenticator) generate time-based codes locally on your device. They do not depend on your phone number — a criminal with your SIM cannot receive authenticator codes.
Online Banking Security: How to Protect Your Accounts
Step 3: Protect Your Personal Information
SIM swap requires personal information to succeed with your carrier. Reduce the information available:
- Use minimal information on social media (date of birth, current address, hometown)
- Be cautious about phishing attempts seeking your personal details Bank Phishing Emails: How to Spot a Fake and What to Do
- Respond to data breach notifications — change passwords and monitor accounts when your data is known to have been exposed
If You Think You've Been SIM Swapped: Act Now
Time is critical. Minutes matter.
Step 1: Call your mobile carrier immediately from another phone — a landline, a family member's phone, or a work phone. Tell them: "I believe my SIM has been fraudulently swapped. I need to reverse it immediately and lock my account."
Step 2: Call your bank while your carrier is reversing the swap. Tell them: "I am a SIM swap victim. Please freeze all outgoing transfers on my account." Your bank should have an emergency fraud protocol.
Step 3: Once your number is restored, change passwords on your banking, email, and any account linked to that phone number — from a clean, trusted device.
Step 4: Review all accounts that used your number for 2FA. Check for: new payees added, credential changes, unfamiliar sign-ins.
Step 5: File a report with your national fraud authority. Payment Fraud Incident Response: A Step-by-Step Guide
Step 6: Consider switching all your important accounts from SMS 2FA to authenticator app 2FA before the next attack attempt.
The Bigger Picture: Why Banks Use SMS and Why It's Risky
SMS one-time passwords became widespread because they are convenient and available to virtually everyone with a mobile phone. They are significantly more secure than a password alone.
However, the telephone network's architecture was not designed with modern fraud in mind. SMS interception and SIM swapping are real risks precisely because telephone numbers are relatively easy to redirect compared to, say, a hardware security token.
Many banks are moving toward app-based push notification 2FA or FIDO2 hardware keys for higher-security accounts. If your bank offers alternatives to SMS 2FA, they are worth considering.
SIM Swap and Investment/Crypto Fraud
SIM swap attacks are particularly prevalent in cryptocurrency and online investment contexts, where account takeovers can yield large, irreversible transfers. However, traditional bank accounts — particularly those with digital-only access — are equally at risk.
If you hold digital assets or significant savings in easily-accessible online accounts, SIM swap prevention should be a priority.
Frequently Asked Questions
Q: My phone suddenly lost signal in an area I usually have coverage. Is this always SIM swap? A: Not necessarily — signal loss can have innocent explanations (carrier outage, network issue, damaged SIM). The key distinguishing sign is receiving a carrier notification about a SIM change, or being unable to log into accounts that require your phone number. If in doubt, call your carrier.
Q: Can SIM swap happen without any social engineering? A: In some documented cases, carrier employees have been bribed or coerced to perform SIM swaps without standard verification. This is less common than impersonation-based attacks, but it highlights that even a strong carrier PIN is not a 100% guarantee.
Q: I use SMS 2FA for banking. Should I be worried? A: SMS 2FA is significantly more secure than a password alone — most people using it are well-protected. If you want stronger protection, adding a carrier PIN and considering an authenticator app are worthwhile steps.
Q: Will I be compensated if SIM swap leads to bank fraud? A: In many jurisdictions, yes — if you reported promptly, did not share passwords, and the fraud occurred without your negligence. However, the investigation process can be complex. Document everything and escalate to the financial ombudsman if your bank disputes the claim.
Internal Links
- Identity Theft & SIM Swap: Prevention and Recovery Guide — Identity Theft & SIM Swap Guide
- Identity Theft & SIM Swap: Prevention and Recovery Guide — Set a Carrier PIN
- Online Banking Security: How to Protect Your Accounts — Two-Factor Authentication
- How to Place a Credit Freeze: A Step-by-Step Guide — Place a Credit Freeze
- Social Engineering & Banking Scams: How to Spot and Stop Them — Social Engineering Guide
- Payment Fraud Incident Response: A Step-by-Step Guide — Incident Response
Last Updated: February 2026 | If you suspect a SIM swap is in progress, call your carrier and bank immediately. Educational purposes only.
Need Professional ATM Security Support?
ATM Fortify provides anti-skimming hardware, security assessments, and fraud prevention consulting for ATM operators and financial institutions across 30+ countries.