SIM Swap Fraud: How Attackers Hijack Your Phone Number to Drain Your Bank Account

You're going about your day when your phone suddenly loses signal. No calls, no texts, nothing. Minutes later, your bank sends an email: a wire transfer you never authorized just cleared. Welcome to SIM swap fraud — one of the fastest-growing cybercrime tactics in the US and worldwide.

How SIM Swap Attacks Work

A SIM swap attack is when a criminal convinces your mobile carrier to transfer your phone number to a new SIM card they control.

The typical attack chain:

1. Gather personal info — The attacker collects your name, date of birth, SSN (last 4 digits), or driver's license number from data breaches, social media, or phishing
2. Contact the carrier — They call T-Mobile, AT&T, or Verizon (or visit a store) claiming to be you, reporting a "lost" or "damaged" SIM
3. Social-engineer the rep — Using your personal info to pass security questions
4. Activate new SIM — Your SIM goes dead; their SIM receives all your calls and texts
5. Drain accounts — They intercept bank OTPs, reset passwords, and transfer money

Step	Time Required	Your Awareness
Info gathering	Days to weeks	None
Carrier impersonation	15–30 minutes	Sudden signal loss
Account takeover	5–10 minutes	Bank alerts (if still enabled)

Why SIM Swaps Are So Dangerous

SMS-based 2FA is the weak link

Most US banks, crypto exchanges, and financial apps still rely on SMS-based one-time passwords for transaction verification. Once an attacker has your number:

• Intercepts all SMS OTPs for banking and financial services
• Resets passwords on email (Gmail, Outlook), social media, and cloud storage
• Accesses crypto wallets on Coinbase, Binance, and other exchanges
• Logs into any service that uses phone-based authentication

The damage extends beyond money

Victims of SIM swap fraud also face:

• Identity theft and fraudulent loan applications in their name
• Social media accounts hijacked to scam friends and family
• Loss of irreplaceable data and digital assets

The FBI reported over $68 million in losses from SIM swap complaints in a single recent year.

Warning Signs Your SIM Was Swapped

Early detection can save your accounts:

• Sudden signal loss — Your phone shows "No Service" or "Emergency Calls Only" in an area with normal coverage
• Missing calls and texts — People say they called you but nothing came through
• Carrier notification — You receive an email about a SIM change you didn't request
• Account lockouts — You can't log into your bank app, email, or social media
• Password reset emails — You receive notifications for password changes you didn't initiate

If you notice any of these signs, act IMMEDIATELY.

How to Prevent SIM Swap Fraud

1. Set a carrier PIN or passcode

Contact your carrier and add a PIN that must be provided for any SIM changes:

• T-Mobile: Set up Account PIN in the T-Mobile app or call 611
• AT&T: Add an "Extra Security" passcode via myAT&T or call 611
• Verizon: Set up Account PIN in My Verizon app or call *611

2. Switch to non-SMS two-factor authentication

Method	Security Level	Examples
SMS OTP	Low	Text message codes
Authenticator app	High	Google Authenticator, Authy, Microsoft Authenticator
Push notification	High	Bank apps, Duo Mobile
Hardware key	Very High	YubiKey, Google Titan

3. Limit personal information exposure

• Don't post your birthday, phone number, or address on social media
• Be wary of phishing emails asking you to "verify" account details
• Use unique email addresses for financial accounts
• Freeze your credit with Equifax, Experian, and TransUnion

4. Enable account alerts

Sign up for push notifications from your bank (not just SMS) — app-based alerts still work even if your SIM is swapped.

5. Consider a Google Voice number for 2FA

Using a Google Voice number for sensitive accounts adds a layer of protection since it can't be SIM-swapped at a carrier store.

Emergency Response If Your SIM Is Swapped

Time is critical. Follow this order:

1. Call your carrier immediately (from another phone) — request the new SIM be deactivated and your number restored
2. Call your bank — freeze all accounts and cards
3. Change passwords on all critical accounts (email, banking, crypto)
4. File a report with the FCC at consumercomplaints.fcc.gov
5. Report to the FBI's IC3 at ic3.gov
6. Place a fraud alert on your credit reports

Contact	Phone/Website
T-Mobile	611 or 1-800-937-8997
AT&T	611 or 1-800-331-0500
Verizon	*611 or 1-800-922-0204
FCC Complaints	consumercomplaints.fcc.gov
FBI IC3	ic3.gov

Securely Store Your Backup Codes with LOCK.PUB

When you switch to app-based authenticators (Google Authenticator, Authy), you'll receive recovery codes — your only backup if you lose your phone.

The problem: Saving them in your phone's notes means they're lost with your device. Screenshots can be compromised. Texting them via iMessage or Messenger leaves them exposed.

The solution: Use LOCK.PUB to create a password-protected memo — paste your recovery codes, set a strong password, and share the link with yourself or a trusted person. The content is encrypted and only accessible with the password.

You can also set an expiration on LOCK.PUB memos, ensuring sensitive codes don't remain online indefinitely.

Conclusion

SIM swap fraud is a serious and growing threat, especially as long as financial services rely on SMS-based authentication. By setting a carrier PIN, switching to app-based 2FA, and securely storing backup codes with LOCK.PUB, you can significantly reduce your risk.

Don't wait until you lose signal to take action. Protect your phone number and accounts today.

➡️ Create a secure memo on LOCK.PUB to safely store your 2FA recovery codes.