Breachroad

SIM swapping: how criminals hijack your number

A SIM swap lets criminals take over your phone number — and with it your texts, codes and accounts. How it works, how to spot it and how to protect yourself.

Karol Rapacz
19 June 2026 · 9 min read

Imagine your phone suddenly losing signal in the middle of the day. “No service” — you assume it’s a network outage. Meanwhile, a few streets away, someone has just moved your number onto their own SIM card and is logging into your bank, email and social media, intercepting the codes arriving by SMS. That’s SIM swapping — one of the most damaging attacks on individuals, because it turns something you thought was a safeguard, your phone number, against you.

How a SIM swap works

The attack doesn’t break into the mobile network — it deceives the operator. The sequence is usually:

  1. Gathering data on the victim. The attacker collects information from leaks, social media and phishing: your name, number, ID number, address, sometimes the answers to “security questions”.
  2. Contacting the operator. They call the helpline or visit a store impersonating you and report a “lost SIM card” or a “switch to eSIM”, asking to move the number to a new card.
  3. Taking over the number. If staff verify identity using data the attacker already collected, the number moves to their card. Your phone loses signal.
  4. Hijacking accounts. With your number, the attacker triggers “password recovery” on service after service. Reset codes and SMS-based MFA codes land with them. Within minutes they can take over your bank, email and profiles.

The worst part is that SMS was treated for years as a “second factor” of login. A SIM swap turns that pillar into a weakness — because whoever controls the number controls the texts.

How to tell you’ve been hit

The signals are simple but easy to dismiss:

  • A sudden, unexplained loss of signal — the phone shows “no service” or “emergency calls only” even where reception is good.
  • A text or email from the operator about a new SIM/eSIM being activated that you didn’t request.
  • Login and password-reset notifications you didn’t initiate.
  • Friends get strange messages from you, while you can’t log into your own accounts.

If your phone suddenly loses network for no reason — don’t wait. Call the operator from another phone and ask whether your number has been transferred.

How to protect yourself — the key steps

Move away from SMS as your second factor. This is the most important change. Wherever possible, replace SMS codes with an authenticator app (Google/Microsoft Authenticator) or — best of all — a hardware key or passkey, which a SIM swap can’t touch. We covered this in our passkeys article.

Set up extra protection with your operator. Ask for a support PIN/password required for any SIM change or number transfer. Many operators offer such a “port-out lock” — a simple barrier that breaks the whole attack scenario.

Limit the data circulating about you. The less information the attacker gathers, the harder it is to impersonate you. Don’t publish your number and personal data publicly, watch out for phishing, and check whether your data has leaked.

Protect your email account the hardest. Email is the “key to everything” — it’s used to recover the rest. Protect it with a key/passkey, not SMS.
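The two points above (drop SMS, and protect the mailbox that recovers everything else) can be checked together. The following is an added example, not part of the original article: it walks a constructed account inventory and follows reset links through mailboxes, so an account with a passkey still shows up if its recovery chain ends at the phone number. All account names, field names and method labels are assumptions made for the example.

```python
# Constructed inventory (names and fields are assumptions for this example).
# factors: options accepted as the second login step; recovery: reset paths;
# recovery_email: the mailbox a reset link is sent to, if any.
ACCOUNTS = {
    "mail":      {"factors": {"totp"},    "recovery": {"sms"},   "recovery_email": None},
    "work_mail": {"factors": {"totp"},    "recovery": {"email"}, "recovery_email": "mail"},
    "crm":       {"factors": {"passkey"}, "recovery": {"email"}, "recovery_email": "work_mail"},
    "bank":      {"factors": {"sms"},     "recovery": {"branch_visit"}, "recovery_email": None},
    "key_mail":  {"factors": {"passkey"}, "recovery": {"backup_codes"}, "recovery_email": None},
    "shop":      {"factors": {"totp"},    "recovery": {"email"}, "recovery_email": "key_mail"},
}

def sim_swap_exposure(accounts):
    """Map each account a hijacked number can reach to the reasons why."""
    reasons = {name: [] for name in accounts}
    resettable = set()  # accounts whose reset path ends at the phone number
    for name, acc in accounts.items():
        if "sms" in acc["factors"]:
            reasons[name].append("second factor arrives by SMS")
        if "sms" in acc["recovery"]:
            reasons[name].append("reset code arrives by SMS")
            resettable.add(name)
    # Propagate: a reset link sent to a resettable mailbox is resettable too.
    # Assumes a completed reset is enough to get in, which varies by service.
    changed = True
    while changed:
        changed = False
        for name, acc in accounts.items():
            mailbox = acc["recovery_email"]
            if (name not in resettable and "email" in acc["recovery"]
                    and mailbox in resettable):
                resettable.add(name)
                reasons[name].append(f"reset link goes to {mailbox}")
                changed = True
    return {name: why for name, why in reasons.items() if why}

if __name__ == "__main__":
    for name, why in sim_swap_exposure(ACCOUNTS).items():
        print(f"{name}: {'; '.join(why)}")
```

In the sample, `crm` is listed despite its passkey because its reset link goes to `work_mail`, which in turn recovers through `mail`; `shop` is not listed because its mailbox recovers with backup codes.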

What to do while an attack is happening

Minutes count:

  1. Contact your operator immediately (from another phone) and demand the number be blocked and recovered.
  2. Secure your email and bank — change passwords from a trusted device, sign out all sessions, block access at the bank and ask them to hold operations.
  3. Report it to the police and your national CERT; for financial losses — to the bank and the financial-sector CSIRT.
  4. Review your accounts for changed settings: mail forwarding, added login methods, new devices.
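Step 4 can be run over an exported security log. The following is an added example, not part of the original article: for each account it finds the first password reset delivered by SMS and lists the mail-forwarding, login-method and new-device changes that followed within a review window. The export format, event names and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; field and event names are assumptions.
EVENTS = [
    {"ts": "2026-01-10T12:31:00+00:00", "account": "mail", "type": "forwarding_rule_added"},
    {"ts": "2026-01-10T12:04:00+00:00", "account": "mail", "type": "password_reset", "channel": "sms"},
    {"ts": "2026-01-10T12:06:00+00:00", "account": "mail", "type": "new_device_login"},
    {"ts": "2026-01-10T09:00:00+00:00", "account": "mail", "type": "new_device_login"},
    {"ts": "2026-01-10T12:20:00+00:00", "account": "bank", "type": "password_reset", "channel": "email"},
    {"ts": "2026-01-10T12:25:00+00:00", "account": "bank", "type": "login_method_added"},
    {"ts": "2026-01-10T15:30:00+00:00", "account": "mail", "type": "login_method_added"},
]

# The settings the article says to review after an attack.
PERSISTENCE = {"forwarding_rule_added", "login_method_added", "new_device_login"}

def review_after_sms_reset(events, window=timedelta(hours=2)):
    """Per account, list the changes that follow the first SMS password reset."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append((datetime.fromisoformat(ev["ts"]), ev))
    findings = {}
    for account, items in by_account.items():
        items.sort(key=lambda pair: pair[0])  # exports are not always in order
        resets = [ts for ts, ev in items
                  if ev["type"] == "password_reset" and ev.get("channel") == "sms"]
        if not resets:
            continue  # no reset through the phone number on this account
        start = resets[0]
        changes = [(int((ts - start).total_seconds() // 60), ev["type"])
                   for ts, ev in items
                   if ev["type"] in PERSISTENCE and start <= ts <= start + window]
        findings[account] = {"reset_at": start.isoformat(), "changes": changes}
    return findings

if __name__ == "__main__":
    for account, info in review_after_sms_reset(EVENTS).items():
        print(account, "reset by SMS at", info["reset_at"])
        for minutes, kind in info["changes"]:
            print(f"  +{minutes} min: {kind}")
```

Each listed change is something to undo once the number is back: remove the forwarding rule, delete the added login method and sign the new device out.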

Frequently asked questions (FAQ)

Does SIM swapping only target famous or wealthy people? No. Targets range from people with crypto or large balances to “ordinary” users — because a hijacked email or social account can be monetised (payment scams, defrauding friends). Anyone whose number protects access to money or accounts is a potential target.

Is eSIM safer than a physical card? The technology itself doesn’t change the attack — the problem is the operator’s verification process, not the card type. eSIM can even be more convenient for the attacker (remote activation). What matters is setting a port-out lock, regardless of SIM type.

I have MFA — am I safe? It depends which. SMS-based MFA is vulnerable to SIM swaps. App-based MFA is far better, and hardware keys / passkeys are immune to this attack by design. If your bank or email sends codes by SMS, treat it as a minimum, not the destination.

How do I check whether my operator offers a port-out lock? Call the helpline or check your account settings — look for options like “support PIN”, “helpline password” or “number port/migration lock”. Set it up in advance, not after an incident.

I run a company — can a SIM swap hit the organisation? Yes. If company accounts (bank, email, social media) are protected by SMS to an employee’s number, hijacking that number opens the door to the company. It’s an argument to use phishing-resistant MFA and rehearse a response procedure. We’re glad to help — get in touch.

Summary

SIM swapping is dangerous because it turns your phone number into a weapon against you — and the number served as a safeguard for years. But the defence is within reach: move away from SMS codes to an app or keys/passkeys, set a port-out lock with your operator, limit your public data and protect your email the hardest. And if your phone suddenly loses signal for no reason — don’t hesitate, call your operator.


Sources and further reading: CISA, FCC — SIM swap.
