SIM swap attacks are one of the fastest-growing forms of identity theft. A criminal convinces your mobile carrier to transfer your phone number to a SIM card they control, intercepts your calls and texts, and uses that access to break into your bank, email, and cryptocurrency accounts. Here's how to protect yourself in 2026, including how to take advantage of the FCC rules that now require carriers to take SIM security seriously.
What Is a SIM Swap Attack?
A SIM swap (also called SIM jacking or port-out fraud) happens when an attacker tricks a wireless carrier into transferring your phone number to a SIM card they control. Once the transfer is complete, any call or text sent to your number goes to the attacker's phone instead of yours.
Why is that a problem? Because phone numbers are the most common second factor for authentication. An attacker with control of your number can:
- Receive password reset texts from your bank, email, and social media
- Bypass SMS-based two-factor authentication
- Take over cryptocurrency exchange accounts (a favorite target, because funds can be moved and laundered quickly)
- Impersonate you to family members and coworkers
Once the SIM swap is done, you lose service on your own phone. Many victims don't even realize what's happening until they notice they can't make calls — by which time the attacker has already drained accounts.
How Attackers Pull Off SIM Swaps
SIM swap attacks usually involve social engineering, insider access, or both. An attacker typically:
- Gathers personal information about you from data brokers, social media, and past breaches
- Calls your wireless carrier pretending to be you
- Uses your personal information to answer security questions — name, address, date of birth, last four of your SSN
- Claims their phone was lost or damaged and requests a new SIM
- Has the carrier activate a SIM they control, transferring your number
In some cases, the attacker works with a corrupt employee at a carrier store or call center who bypasses security procedures in exchange for payment. This insider threat is one of the reasons the FCC has ramped up enforcement.
The FCC Now Requires Carriers to Protect You
Under FCC rules that took effect in 2024 and remain in force in 2026, wireless providers must use secure authentication methods before transferring a phone number, must offer customers an account lock to block SIM changes, and must notify customers immediately when a SIM change or port-out request is made. If your carrier fails to follow these rules and you're victimized, you have a stronger legal case for reimbursement.
How to Protect Yourself
1. Lock Your Carrier Account
Every major U.S. carrier now offers an account lock or port-out block. This is the single most important step you can take. Call your carrier or log into their app and request:
- Port freeze / number lock — prevents your number from being ported to another carrier without additional verification
- SIM lock — prevents a new SIM from being activated on your account without your explicit approval
- A unique account PIN or passcode — required for any account changes, both online and in store
2. Stop Using SMS for Two-Factor Authentication
SMS-based two-factor authentication is better than nothing, but it's the weakest form of 2FA precisely because of SIM swap attacks. Switch to authenticator apps (Google Authenticator, Authy, 1Password's built-in 2FA, or Microsoft Authenticator) or, even better, hardware security keys like YubiKey. An attacker who controls your phone number can't bypass these.
Prioritize switching away from SMS 2FA on:
- Banking and brokerage accounts
- Cryptocurrency exchanges
- Email (especially your "recovery" email)
- Password manager accounts
- Social media accounts used for recovery
3. Remove Your Personal Information From Data Brokers
SIM swap attackers rely on the personal information they gather about you to answer carrier security questions. Your full name, date of birth, home address, phone number, and relatives are all available on people-search sites for free. The more of that information an attacker can find, the easier it is to convince a carrier rep they're you. Removing your data from brokers makes social engineering substantially harder.
4. Set a Strong PIN on Your Carrier Account
Don't use your date of birth, the last four of your Social Security number, or anything else easily guessable. Use a random 6-8 digit PIN and store it in your password manager. This PIN should be required for any account changes, including in-person visits.
5. Watch for Warning Signs
SIM swap attacks often start with strange activity. Watch for:
- Losing service unexpectedly or seeing "Emergency calls only"
- Receiving notifications about account changes you didn't make
- Unauthorized password reset emails
- Notifications about new device logins
- Carrier emails or texts about changes to your service
Act Fast If You're Targeted
If you suspect a SIM swap is underway, call your carrier immediately — from another phone if necessary — and request they freeze all activity on your account. Then change the passwords for your most sensitive accounts starting with email, banking, and password manager. Every minute matters.
What to Do If You've Been SIM Swapped
- Contact your wireless carrier and demand that your number be restored to your control. Ask them to document everything that happened for use in a dispute.
- Change passwords on email, banking, cryptocurrency, and any other critical accounts. Start with email, since most account recovery flows go through email.
- Revoke sessions on every account that allows it. Most services have a "sign me out everywhere" option.
- Enable stronger 2FA everywhere you can. This is the moment to switch to authenticator apps or hardware keys.
- Contact your bank and credit card companies to place fraud alerts and review recent activity.
- File a report with the FBI's Internet Crime Complaint Center (IC3.gov) and a local police report.
- Place a fraud alert or credit freeze with Equifax, Experian, and TransUnion.
- Document everything. You may have a claim against your carrier if they failed to follow FCC rules.
Why Data Broker Removal Is Part of SIM Swap Protection
Every successful SIM swap starts with reconnaissance. Attackers use data brokers to build profiles of their targets — home address, phone number, date of birth, close relatives, and sometimes even the last four digits of a Social Security number. The less information available publicly, the harder it is for someone to impersonate you to a carrier rep.
PrivacyOn automates opt-outs across more than 100 data brokers and keeps monitoring them so your information doesn't quietly reappear. Combined with a locked carrier account and strong 2FA, it's the complete defense against SIM swap fraud in 2026.
The Bottom Line
SIM swap attacks are devastating but preventable. Lock your carrier account, switch to stronger 2FA, reduce the personal information available about you online, and know the warning signs. The FCC has forced carriers to take this threat more seriously, but the biggest security gains come from the steps you take yourself. Spend an hour on these protections today and you'll dramatically lower your risk for years.