Identity and accounts
SIM swap: 4 hours to become you
Real mechanics of a SIM swap attack. Carrier entry points (US/UK/EU). eSIM as partial mitigation. What carrier PINs are actually worth.
This version was translated with AI assistance and reviewed by a human.
The attacker called AT&T on a Tuesday afternoon. Name, date of birth, billing address — all pulled from public sources in under an hour. Said they’d lost their phone at the airport. The rep ported the number to a new SIM in twenty minutes. By evening, the bank account was empty.
The common trap
“SIM swap only happens to celebrities and crypto people.” That’s the most common misconception, and it’s wrong on two levels.
First, on victim profiles: yes, the publicized cases involve celebrities or people with large crypto holdings — because the gains are spectacular and cases end up in court. But the reality in the files I see: company executives, CFOs, M&A lawyers, wealth managers. Anyone with SMS MFA on a bank account or primary email is a potential target.
Second, on the sophistication required: SIM swap is not a technical attack. It’s social engineering. You need a phone, three pieces of public information about the target, and the ability to lie convincingly. The bar is low.
The mechanics, hour by hour
What the attacker needs
Full name, date of birth, billing address. In 90% of cases, these three data points are public or easily accessible — LinkedIn for name and employer, voter registration records for address, social media for birthdays. One hour of OSINT is usually sufficient.
For carriers that require an additional identifier, the attacker may need the last four digits of your Social Security Number (cheaply available on dark web marketplaces after any of dozens of healthcare and financial data breaches), your account number, or answers to security questions (mother’s maiden name, first pet — information commonly found in social media posts and family trees).
The typical scenario
T+0: The call. The attacker calls your carrier’s customer service. Classic pretext: lost or stolen phone, emergency travel, technical issue requiring a new SIM. The tone is urgent but polite. The script is rehearsed.
T+20 min: The port. If the rep is convinced, they initiate a number port or internal SIM reassignment. Your phone loses signal. The attacker’s new SIM starts receiving your calls and SMS.
T+35 min: Email takeover. The attacker clicks “forgot password” on your primary email service. The reset SMS arrives on their SIM. New password, immediate access.
T+50 min: The cascade. From your email, they trigger resets on every important account. Bank, password manager, professional platforms. Some banks send SMS confirmation codes for transactions — the attacker intercepts all of them.
T+2h–4h: Extraction. Bank transfers, access to investment accounts, exfiltration of sensitive data from email and cloud storage. Some attackers resell access to other parties if the target is valuable but out of their direct scope.
Carrier entry points
US carriers — historically the worst
The Princeton University study published in 2020 tested AT&T, T-Mobile, Verizon, Tracfone, and US Mobile with simple social engineering scripts. All five failed — some 100% of the time with certain attack methods. The study used no special knowledge or insider access, just the kind of information easily findable via public records and social media.
AT&T, T-Mobile, and Verizon have all been named in federal lawsuits related to SIM swap attacks. T-Mobile has suffered multiple data breaches exposing customer records including information useful for SIM swap attempts — in 2021, 2022, and 2023. The FBI issued a formal public service announcement in 2022 warning of a dramatic increase in SIM swap complaints.
Carrier store locations add another vector: an attacker can walk into a retail store with a convincing fake ID and request a SIM replacement in person. Verification procedures at physical stores have historically been weaker than phone-based ones.
UK and European carriers
EE, Vodafone, O2, and Three in the UK have their own documented SIM swap incidents. The UK’s telecom regulator Ofcom has pushed for improvements but procedures vary significantly by carrier and by channel (phone support vs. store vs. online portal).
In continental Europe, the attack surface is similar — social engineering scripts are adapted to local carrier procedures, but the fundamental vulnerability (a human agent who can reassign your number) is constant.
The insider threat
Approximately 15% of documented SIM swap attacks involve a corrupted or coerced carrier employee. This is especially true for high-value targets: a motivated attacker may pay an insider to perform the swap directly from internal systems, bypassing all customer-facing verification entirely. Insiders have the system access and the permissions — they don’t need to convince anyone.
The required data is public
This is the point most people miss: the attacker often doesn’t need to buy your data from dark web markets. It’s frequently available for free.
LinkedIn: full name, birthday often visible in profile, current and previous employers, work anniversary dates that can help narrow down birth years, professional connections that reveal your social circle.
Voter registration records: in most US states, voter rolls are public records accessible on request or via aggregation services. They contain name, address, party registration, and date of birth in many states.
Data broker sites: Spokeo, Whitepages, BeenVerified, and dozens of similar services aggregate name + address + phone + relatives into searchable profiles. Many show enough for a SIM swap attempt for free; full reports are a few dollars.
Social media: birthday posts, photos geotagged at home (revealing your address), mentions of phone numbers in buy/sell posts, family members tagging you in posts that reveal relationships and locations.
Marketplace listings: a Craigslist or Facebook Marketplace listing with your first name, phone number, and city, cross-referenced with LinkedIn, often yields a complete profile.
eSIM as partial mitigation
eSIM is sometimes presented as a solution to SIM swap. It’s an overstatement.
eSIM eliminates the possibility of physically cloning a SIM card, and adds a small amount of friction to transferring to a new device. But the primary attack vector — social engineering a carrier support agent into porting your number — works exactly the same way on an eSIM line as on a physical SIM.
What eSIM provides: a slight additional friction for the attacker, and certainty that your SIM cannot be physically duplicated. What it doesn’t provide: protection against a convinced rep performing the port.
Carrier PINs: useful but not sufficient
Most major carriers allow you to set a PIN or verbal password on your account. This code is supposed to be required for any sensitive account changes, including SIM swaps.
Why you should still do it: it’s an additional layer of friction. An ordinary attacker who doesn’t know your account PIN will need to either guess it (difficult if you choose something non-guessable) or work around the procedure, requiring more sophistication or an insider.
Why it’s not sufficient:
- Carrier PINs are often bypassable through alternate channels: a physical store with a fake ID, or the online account portal
- A forgotten PIN typically triggers a recovery process via… SMS or email — the same channels you’re trying to protect
- Insiders don’t need your PIN
The real protection
The real protection against SIM swap is not securing your carrier — it’s making sure that compromising your phone number is useless.
If your primary email, bank, and password manager do not use SMS for authentication or account recovery, a successful SIM swap gives the attacker your phone number. Useful for impersonation, not for immediate account access.
Priority migration: primary email → FIDO2 hardware or local TOTP. Bank → local TOTP or FIDO2 if available. Password manager → FIDO2 hardware.
Dedicated non-public number for critical accounts. A technique used by high-risk profiles: maintain a secondary phone number (secondary eSIM, or a separate carrier line) known only to your critical services and no one else. Not on LinkedIn, not in email signatures, not used for regular calls. SIM swap targets your known number — if your critical accounts are linked to an unknown number, the attack surface shrinks dramatically.
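To make the cascade concrete, here is an added example (mine, not the article's) that treats each account's recovery channels as a dependency graph and computes which accounts fall once a given line is ported; account names, channel labels and both inventories are constructed. It also covers the dedicated non-public number: after migration, porting the public line reaches nothing, and only the one account tied to the private line is exposed if that line is ported instead.

```python
# Added example (not from the article): the SIM-swap cascade modelled as
# reachability over account-recovery dependencies. Account names, channel
# labels and both inventories are constructed for illustration.

# Channel labels (constructed):
#   "sms:<line>"     a one-time code or reset link delivered by SMS to that line
#   "via:<account>"  a reset link delivered to the mailbox of another account
#   "totp"/"fido2"   a local factor the attacker cannot obtain by porting a number
# Any single listed channel is enough to reset or log in to the account.
BEFORE = {                       # the "fatal combination" from the article
    "mailbox":  ["sms:public"],
    "bank":     ["sms:public", "via:mailbox"],
    "vault":    ["via:mailbox"],                 # password manager
    "broker":   ["sms:public", "via:mailbox"],
    "workchat": ["fido2"],
}
AFTER = {                        # after the priority migration
    "mailbox":  ["fido2"],
    "bank":     ["totp", "via:mailbox"],
    "vault":    ["fido2"],
    "broker":   ["sms:private", "via:mailbox"],  # dedicated non-public line
    "workchat": ["fido2"],
}

def sms_dependent(accounts):
    """Checklist item N1: accounts that accept any SMS channel at all."""
    return sorted(n for n, chans in accounts.items()
                  if any(c.startswith("sms:") for c in chans))

def compromised(accounts, ported_line):
    """Return the set of accounts an attacker reaches after porting `ported_line`.

    Iterates to a fixed point: each account that falls hands over its mailbox
    ("via:<name>"), which may unlock further accounts (the T+35/T+50 cascade).
    """
    owned = {f"sms:{ported_line}"}
    fallen = set()
    progress = True
    while progress:
        progress = False
        for name, chans in accounts.items():
            if name not in fallen and any(c in owned for c in chans):
                fallen.add(name)
                owned.add(f"via:{name}")
                progress = True
    return fallen

if __name__ == "__main__":
    for label, inv in (("before", BEFORE), ("after", AFTER)):
        print(label, "port of public line ->", sorted(compromised(inv, "public")))
    print("after, port of private line ->", sorted(compromised(AFTER, "private")))
```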
Most affected sectors
Crypto and digital assets: most publicized cases. Gains are immediate and transactions are irreversible. Attracts highly motivated attackers.
M&A and corporate advisory: largely unreported, but real. Access to information about in-progress transactions is worth far more than the contents of a personal bank account.
Family disputes and divorce: underestimated. SIM swap as a surveillance or control tool in domestic violence situations or contentious asset disputes.
High-net-worth individuals: any combination of a public profile, significant financial accounts, and SMS MFA makes a person a viable target.
What to do if you’re attacked
Your phone has no signal. Here’s the action order:
- Call your carrier from another phone (landline, someone else’s phone, work device) and request an immediate account lock.
- From a different device, change passwords on critical accounts starting with your primary email.
- Check recent activity on your bank accounts and email — document actions taken during the compromise window.
- Notify your bank explicitly about the compromise of the number linked to your account. Ask them to flag any recent transactions for review.
- File a police report — necessary for insurance claims and bank dispute processes.
- Do not reuse the compromised number for critical MFA until you’ve completed migration to TOTP or FIDO2.
Mistakes we see all the time
SMS MFA on the primary email account. The fatal combination with a SIM swap.
Believing a carrier PIN is sufficient. It complicates the attack. It doesn’t prevent it.
No documented response plan. When you lose signal at 2am, you don’t want to be Googling carrier support numbers and deciding the order of actions under stress. Write this plan. Keep it accessible from a device other than your phone.
Phone number too visible. On LinkedIn, in email signatures, on marketplace listings — every place your number appears is a potential pivot point for an attacker building a profile.
- N1 Identify all critical accounts using SMS for MFA or account recovery
- N1 Remove SMS MFA from primary email and banking accounts
- N2 Set a carrier account PIN (choose something non-guessable)
- N2 Migrate critical accounts to local TOTP (Aegis, Ente Auth)
- N2 Remove your phone number from public profiles (LinkedIn, email signature)
- N2 Document a SIM swap response plan (who to call, in what order)
- N3 Deploy FIDO2 on primary email and password manager
- N3 Set up a dedicated non-public number for critical accounts
- N3 Store the response plan on a device accessible without your primary phone
Sources and further reading
- Krebs on Security — SIM swap series [official]
- Princeton study — SIM swap attacks (2020) [paper]
- FBI IC3 — SIM Swap warning [official]