SIM Swap Attacks: How Scammers Hijack Your Phone Number

Imagine waking up to find your phone has no signal. Then the notifications start rolling in on your email — password reset confirmations you never requested, bank transfer alerts for money you never sent. By the time you realize what's happening, the damage is done.
This is a SIM swap attack, and it's one of the fastest-growing forms of identity fraud. Here's how it works and what you can do to stop it.
How a SIM Swap Attack Works
A SIM swap doesn't require any advanced hacking. The attacker's main tool is social engineering — convincing your mobile carrier to transfer your phone number to a SIM card they control.
The process typically looks like this:
- Gather personal information — from data breaches, social media, phishing, or the dark web
- Contact your carrier — impersonating you with enough details to pass identity verification
- Request a SIM transfer — claiming a lost phone, new device, or damaged SIM
- Receive your calls and texts — including every SMS-based two-factor authentication code
Once they have your number, they can reset passwords, access bank accounts, and take over email — often within minutes.
Real-World Examples
This isn't theoretical. High-profile SIM swap victims include:
- The SEC's official X account was hijacked in January 2024 via SIM swap, used to post a fake Bitcoin ETF announcement
- Jack Dorsey, founder of Twitter, had his own account compromised through SIM swap fraud in 2019
Why SMS Two-Factor Authentication Is Vulnerable
Many services rely on SMS codes as a second factor for login. The problem is clear: if an attacker controls your phone number, they receive those codes.
This breaks the entire security model. Your password plus your SMS code equals full access — and the attacker has both.
SMS-based 2FA is better than no 2FA at all, but it's the weakest form of two-factor authentication available.
Better Alternatives
- Authenticator apps (Google Authenticator, Authy) — codes are generated on your device, not sent via SMS
- Hardware security keys (YubiKey, Google Titan) — physical devices that can't be remotely intercepted
- Passkeys — the newest option, combining biometrics with cryptographic keys stored on your device
How to Protect Yourself
Carrier-Level Protection
Major carriers now offer SIM lock features following FCC rules that took effect in July 2024:
- Verizon — Number Lock
- T-Mobile — SIM Protection
- AT&T — Wireless Account Lock
Call your carrier and enable these features immediately. Also set a strong, unique PIN on your account, not your birthday or the last four digits of your SSN.
Account-Level Protection
- Switch critical accounts to authenticator apps — email, banking, and cryptocurrency accounts especially
- Use unique passwords everywhere — a password manager makes this easy
- Reduce your digital footprint — limit personal information shared on social media
- Be suspicious of unsolicited contact — carriers won't ask you to verify your identity via text or email
What to Do If It Happens
If you suddenly lose cell service for no apparent reason:
- Call your carrier immediately from another phone — report the unauthorized SIM change
- Secure your email first — email is the master key to resetting other accounts
- Lock your banking and financial accounts — contact your bank directly
- Change passwords on all critical accounts from a secure device
- File a report with your carrier and local authorities
How a VPN Fits Into the Picture
A VPN can't prevent your carrier from making a mistake, but it reduces the information available to attackers in the first place:
- Encrypts your traffic — prevents data interception on public networks where personal details could be harvested
- Hides your IP address — makes it harder to correlate your online activity with your identity
- Blocks malicious sites — reduces exposure to phishing attempts that harvest personal data for SIM swap attacks
The Bottom Line
SIM swap attacks exploit the weakest link in your security chain — your phone number. The fix is straightforward: lock your SIM at the carrier level, switch to authenticator apps for two-factor authentication, and minimize the personal information you share online.
Don't wait for it to happen. These protections take minutes to set up and can save you from a devastating breach.
