The Bait: Gathering Your Personal Data
Every SIM swap starts not with a technical exploit, but with homework. The attacker needs to know enough about you to convincingly impersonate you. This intelligence-gathering phase is surprisingly low-tech. Scammers scour social media for details like
your pet’s name, your mother’s maiden name, or your high school—common answers to security questions. They might buy your information on the dark web, where data from countless corporate breaches is sold for pennies. Or they could target you directly with a phishing email, tricking you into revealing your phone number, account details, or even a password. The goal is to build a victim profile, collecting just enough personal information to fool a customer service representative at your mobile carrier.
The Con: Social Engineering the Carrier
This is the critical step. Armed with your personal details, the scammer calls or walks into a retail store for your mobile provider—AT&T, Verizon, T-Mobile. They don't need to hack a server; they just need to hack a human. The conversation might go something like this: “Hi, I just bought a new phone and I need to activate it. My old one is broken.” They present your name, address, and maybe the last four digits of your Social Security number. When the employee asks for a security PIN, the scammer might claim they’ve forgotten it but can verify their identity with other information they’ve collected. With enough persuasion, social engineering, or by finding a poorly trained or rushed employee, they convince the representative to transfer—or “port”—your phone number from your SIM card to a new one in their possession.
The Swap: A Digital Coup
The moment the transfer is approved, your phone is instantly disconnected from the network. You’ll see “No Service” or “SOS only” in the corner of your screen. You might assume it's a temporary outage. It’s not. At that exact moment, the scammer’s phone comes to life with your identity. Every call and text message intended for you now goes to them. Most importantly, they now control the destination for any two-factor authentication (2FA) codes sent via SMS. This is the master key they were after. In 2019, this is exactly what happened to then-Twitter CEO Jack Dorsey. Attackers convinced AT&T to port his number, giving them the ability to post tweets from his account simply by sending text messages. The embarrassing public spectacle demonstrated just how vulnerable even the most tech-savvy individuals could be.
The Heist: Draining the Accounts
With control of your phone number, the race is on. The attacker’s primary goal is almost always financial. They immediately go to your email account and click “Forgot Password.” The reset link or code is sent to your phone number—which they now control. Once they’re in your email, they can see where you bank and what services you use. They repeat the process: password resets for your bank, your brokerage account, and especially your cryptocurrency exchanges. Investor Michael Terpin famously lost what was then worth $24 million in cryptocurrency after a SIM swap attack. Attackers ported his number and, within hours, systematically drained his crypto wallets. By the time Terpin realized what was happening, the irreversible blockchain transactions were complete and his digital fortune was gone.
The Aftermath and Prevention
For the victim, the aftermath is a nightmare of reclaiming a stolen digital identity. It involves frantic calls to banks, filing police reports, and trying to prove you are who you say you are, all without the primary tool of modern identity: your phone. While the process seems terrifyingly easy for criminals, prevention is straightforward. First, contact your mobile carrier and set up a port-out PIN or password on your account. This is a special, high-security code required to make any changes to your service. Second, wherever possible, stop using SMS for two-factor authentication. Instead, use an authenticator app like Google Authenticator or Authy, which generates codes on your physical device and isn't tied to your phone number. These two simple steps can turn your phone from a single point of failure into a hardened security asset.
