My IP Help

SIM Swapping

Also known as: SIM swap, SIM hijacking, port-out scam

A social-engineering attack against a mobile carrier that transfers a victim's phone number to a SIM the attacker controls, intercepting SMS codes and password-reset links.

Last updated:

What is SIM swapping?

SIM swapping is an attack in which a fraudster convinces a mobile carrier's support team to transfer the victim's phone number to a new SIM the attacker controls — either by impersonating the victim in a support call, bribing a retail employee, or phishing carrier staff. Once the swap completes, the victim's phone loses service, and every SMS-based MFA code, password-reset link, and carrier billing notice goes to the attacker instead.

The attack chain

Attackers typically spend days to weeks on reconnaissance before the swap:

  • Harvest the victim's name, phone number, date of birth, and last four of SSN from data-breach dumps
  • Map which services the victim uses (bank, exchange, primary email) by searching breach data or doing targeted phishing
  • Execute the swap when the victim is least likely to notice (overnight, weekend, while travelling)
  • Rapidly trigger password resets on email and exchange accounts, drain balances, then pivot to any other account that uses the same recovery email

High-value cryptocurrency accounts are a frequent target because transactions are irreversible and the MFA is frequently still SMS-based.

Defenses

  • Port-out protection PIN — set with your carrier; required before any SIM change
  • Phishing-resistant MFA — TOTP apps, hardware keys, or passkeys instead of SMS for every high-value account
  • No SMS recovery on the primary email — if the email account can be reset via SMS, SIM swapping defeats everything else
  • Monitor for unexpected loss of mobile service — lost signal without reason is often the first SIM-swap signal

If an account suddenly shows logins you don't recognize, investigate the source IP with our IP lookup tool.

Frequently Asked Questions

The attacker first profiles the victim using leaked breach data (name, DOB, address, last four of SSN, account email). They then either call the carrier and impersonate the victim, walk into a retail store with a fake ID, bribe a carrier insider, or phish a carrier support agent. Once they pass the carrier's identity check, the number is ported to a SIM in their possession and the victim's phone loses service within seconds.
The first signal is sudden loss of cellular service for no obvious reason — calls fail, SMS stops arriving, "No SIM" or "SOS only" appears on the phone. This is often followed within minutes by password-reset emails for accounts you didn't request. Wi-Fi calling may still work, which is why many victims first notice through email rather than through the phone itself. Call the carrier from a different phone immediately to confirm.
Yes — the carrier can reverse the port back to your original SIM, but the speed depends on how quickly you reach them and which carrier it is. Major US carriers offer expedited fraud lines that can restore service in minutes. The damage from drained accounts and stolen funds during the window the attacker held the number is much harder to reverse, especially for cryptocurrency transfers that are irreversible by design.
Slightly, but not fundamentally. eSIMs are activated via a QR code or carrier app rather than a physical card swap, which removes the "walk into a store" attack vector. But the carrier's identity-check process is still the weakest link — if an attacker can convince support to issue a new eSIM activation, the swap still happens. Some carriers now require in-person identity verification for both SIM and eSIM changes on opted-in accounts.
It blocks the most common attack — a support call where the attacker cannot produce the PIN — but it is not a complete defense. Insider attacks, social-engineering of support staff to bypass the PIN, and compromised carrier portals have all been used to swap accounts that had a PIN set. Combine the PIN with phishing-resistant MFA (TOTP apps, hardware keys, passkeys) on every high-value account so SMS alone cannot be used for account recovery.
Back to glossary