SIM swapping is a social engineering attack where the attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card controlled by the attacker. Once the transfer is complete, the attacker receives all calls and text messages intended for the victim, including SMS-based two-factor authentication codes. This enables account takeover across any service that relies on phone-based verification.
The attacker gathers personal information about the victim through data breaches, social media, or phishing. Armed with details like the victim's name, address, date of birth, and account PIN, the attacker contacts the victim's mobile carrier and impersonates them. They claim their phone was lost or damaged and request the number be ported to a new SIM card. Alternatively, the attacker may bribe or socially engineer carrier employees directly. Once the port is complete, the victim's phone loses service, and the attacker begins receiving their calls and messages. The attacker then initiates password resets on targeted accounts, intercepting the SMS verification codes. High-value targets include cryptocurrency exchanges, banking applications, email accounts, and social media profiles.
SIM swapping has caused millions of dollars in cryptocurrency theft and has been used to compromise high-profile individuals including executives, journalists, and government officials. The attack exposes a fundamental weakness in SMS-based two-factor authentication. Organizations and individuals should migrate to app-based or hardware-based MFA, set carrier PINs and port-freeze protections, avoid using phone numbers as account recovery options, and treat SMS 2FA as a last resort rather than a security measure.