A SIM swap is an attack where the attacker deceives a carrier's identity verification process to transfer the victim's phone number to a SIM card the attacker possesses. Once the transfer is complete, all calls and SMS intended for the victim are delivered to the attacker's device, and the victim's phone enters an "out of service" state.
The primary goal is intercepting two-factor authentication codes sent via SMS. Online banking, cryptocurrency exchanges, and email accounts that rely on SMS authentication are targeted. Attackers combine passwords obtained through phishing or data breaches with intercepted SMS codes to infiltrate accounts. In the US, the FBI reported that SIM swap losses exceeded $68 million in 2021. In Japan, multiple cases of bribing carrier store employees to fraudulently transfer numbers have been prosecuted since 2022.
Attackers deceive carriers through two main methods. First, social engineering: collecting the victim's name, date of birth, and address in advance, then calling the carrier's call center claiming "I lost my SIM." Second, insider attacks that recruit carrier store staff as accomplices. The latter is harder to detect and tends to cause larger-scale damage.
The most effective defense is migrating from SMS authentication to authenticator apps (Google Authenticator, Authy, etc.) or hardware keys (YubiKey, etc.). Setting a PIN code or passphrase on your carrier account to require additional verification for in-store or phone procedures is also effective. If your phone suddenly shows no signal, suspect a SIM swap and immediately contact your carrier. For details on SMS authentication vulnerabilities and alternatives, see the article on two-factor authentication and phone number risks.
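
Why an authenticator app is unaffected by a number transfer, as an added example that is not part of the original article: the sketch below implements TOTP (RFC 6238), the algorithm used by authenticator apps, where the code is computed on the device from a secret shared at enrollment plus the current time, so nothing is sent over the carrier network. The secret is the RFC's published test key and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test key (public test value, never use as a real secret).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """What the app on the phone does: derive the code locally from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What the server does: recompute the code and compare in constant time.

    `window` accepts codes from adjacent time steps to tolerate clock drift.
    The phone number is not an input anywhere, so control of the number
    gives no access to the code.
    """
    counter = unix_time // step
    matched = False
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        # Compare bytes so malformed (non-ASCII) input is rejected, not raised on.
        matched |= hmac.compare_digest(expected.encode(), submitted.encode())
    return matched


if __name__ == "__main__":
    now = 59  # constructed timestamp taken from the RFC 6238 test vectors
    code = totp(RFC_TEST_SECRET, now, digits=8)
    print("code generated on device:", code)
    print("server accepts it:", verify(RFC_TEST_SECRET, code, now, digits=8))
```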