To protect your mobile number from theft, you need to lock down the three main attack vectors: your carrier account, your SIM card, and the personal information that makes social engineering possible. Start by setting up a PIN or passcode on your wireless carrier account, enabling SIM lock on your phone, and removing your phone number from public data broker listings. These steps alone block the majority of mobile number theft attempts, which almost always rely on a criminal convincing your carrier to transfer your number to a device they control. In January 2024, the SEC’s official X account was hijacked after an attacker performed a SIM swap on the phone number linked to the account, posting a fraudulent announcement about Bitcoin ETF approvals that briefly moved markets.
That breach happened because the account lacked two-factor authentication protections beyond SMS, and the linked phone number had no carrier-level PIN. Mobile number theft goes by several names — SIM swapping, port-out fraud, SIM hijacking — but the mechanics are broadly similar. An attacker gathers enough personal information about you to impersonate you with your carrier, then requests your number be moved to their SIM card or eSIM. Once they control your number, they intercept SMS-based verification codes, reset passwords to your email and financial accounts, and can cause cascading damage within minutes. This article covers how SIM swaps actually work, the specific protections each major carrier offers, how to move away from SMS-based two-factor authentication, what to do if your number is already compromised, and the emerging threats that could change the landscape in the years ahead.
Table of Contents
- Why Is Your Mobile Number a Target for Theft?
- How Carriers Let You Lock Down Your Account — and Where Those Protections Fall Short
- Moving Beyond SMS — Stronger Two-Factor Authentication Methods
- Reducing Your Digital Footprint to Make Social Engineering Harder
- What to Do If Your Number Has Already Been Stolen
- The Growing Threat of eSIM-Based Attacks
- Where Mobile Number Security Is Headed
- Conclusion
- Frequently Asked Questions
Why Is Your Mobile Number a Target for Theft?
Your phone number has become a skeleton key to your digital life, and most people do not realize how much power it holds. When you use SMS-based two-factor authentication — still the default for most banks, email providers, and social media platforms — your phone number is the single point of failure. An attacker who controls your number can trigger password resets on accounts tied to it, receive the verification codes, and lock you out of your own accounts in a matter of minutes. The FBI’s Internet Crime Complaint Center reported that sim swapping complaints tripled between 2021 and 2023, with losses exceeding $48 million in a single year. The reason SIM swaps work so reliably is that wireless carriers were never designed to be identity verification gatekeepers. The process for transferring a phone number to a new SIM card exists for a legitimate reason — people upgrade phones, switch carriers, and replace lost devices.
Criminals exploit the customer service process by providing enough personal details (your name, address, last four digits of your Social Security number, account PIN) to pass identity checks that were designed for convenience, not security. In many documented cases, attackers have also bribed or coerced carrier employees directly. A 2023 federal indictment revealed a ring that paid T-Mobile and AT&T employees between $300 and $500 per swap to bypass verification procedures entirely. What makes this particularly dangerous compared to other forms of identity theft is the speed. A stolen credit card number might take days or weeks to cause problems and is relatively easy to reverse. A SIM swap can drain a cryptocurrency wallet in under ten minutes, and those transactions are irreversible. The asymmetry between the ease of the attack and the severity of the consequences is what makes protecting your mobile number a genuine priority, not just another item on a cybersecurity checklist.
How Carriers Let You Lock Down Your Account — and Where Those Protections Fall Short
Every major U.S. carrier now offers some form of account protection specifically designed to prevent unauthorized SIM swaps and port-outs, though the quality and enforcement vary significantly. AT&T offers “Extra Security,” which requires a passcode for any account changes made in store or by phone. T-Mobile provides “Account Takeover Protection,” which adds a verification step before number transfers. Verizon has “Number Lock,” which prevents your number from being ported to another carrier. These features are free, but none of them are enabled by default — you have to activate them yourself through your account settings or by calling customer service. However, these protections are only as strong as the humans enforcing them.
Internal carrier controls can be bypassed by a sufficiently motivated attacker, particularly one who targets retail store employees rather than call center representatives. In-store employees at authorized dealer locations — which are often independently operated franchises — have historically had weaker training and oversight. If an attacker walks into a third-party authorized retailer with a fake ID and a convincing story, the carrier-level PIN may not stop them. This is not a theoretical concern: court documents from multiple SIM swap prosecutions describe exactly this method. The FCC finalized new rules in late 2023 requiring carriers to use secure authentication methods before processing SIM changes and to notify customers immediately when a SIM swap or port-out occurs on their account, but enforcement and compliance remain works in progress. The practical takeaway is that carrier-level protections are necessary but not sufficient. Set up every lock and PIN your carrier offers, but do not treat them as an impenetrable wall. Think of them as one layer in a defense that should include reducing your reliance on SMS verification, monitoring your accounts for unauthorized changes, and minimizing the personal data available to attackers.
Moving Beyond SMS — Stronger Two-Factor Authentication Methods
The single most impactful step you can take to limit the damage from a potential SIM swap is to stop using SMS as your second authentication factor wherever possible. Hardware security keys like YubiKey or Google Titan provide phishing-resistant authentication that cannot be intercepted through a SIM swap because the verification happens through a physical device in your possession, not through your phone number. Authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes on your device, meaning an attacker would need access to your actual phone (or a backup of the app’s data), not just your phone number. The challenge is that not every service supports these alternatives. Most banks, for instance, still rely exclusively on SMS for two-factor authentication, and some government services offer no alternative. For accounts where SMS is the only option, you should still enable it — weak two-factor authentication is significantly better than none — but prioritize moving your most sensitive accounts to stronger methods first. Start with your primary email account, because that is the account an attacker will use to reset passwords on everything else.
Google, Microsoft, and Apple all support hardware security keys and authenticator apps. Next, secure your financial accounts and any cryptocurrency exchanges. Then work through social media and other services. One specific pitfall to watch for: some services technically support authenticator apps but keep SMS as a fallback recovery method. This means an attacker who SIM swaps your number can still use SMS recovery to bypass the authenticator app entirely. Check your account settings carefully and, where possible, disable SMS as a backup method after setting up a stronger alternative. Not all services allow this, which is a legitimate frustration, but the ones that do — including Google and GitHub — should be configured with SMS fallback removed.
Reducing Your Digital Footprint to Make Social Engineering Harder
SIM swaps almost always begin with reconnaissance. Before an attacker contacts your carrier, they need your full name, phone number, address, and ideally your carrier account PIN or the last four digits of your Social Security number. Much of this information is available through commercial data brokers, people-search websites, social media profiles, and data from previous breaches. Removing your information from these sources does not make you immune, but it significantly raises the cost and effort required to target you, which often redirects attackers toward easier victims. Start with the major data brokers and people-search sites: Spokeo, WhitePages, BeenVerified, Intelius, and similar services. Each has an opt-out process, though they are deliberately tedious. You can do this manually by visiting each site’s opt-out page, or use a removal service like DeleteMe or Privacy Duck to handle the process on your behalf.
The tradeoff is cost versus time: manual removal is free but takes hours and requires periodic re-checking because brokers frequently re-acquire your data. Paid services typically cost $100 to $200 per year and handle the ongoing monitoring for you. Neither approach is perfect, because new data brokers appear regularly and your information can resurface after removal. On social media, audit what is publicly visible on your profiles. Your phone number, birthday, email address, and hometown are all useful to a social engineer. Facebook in particular has historically made phone numbers searchable by default. Review your privacy settings on every platform and remove or restrict any personal details that are not strictly necessary for your use of the service.
What to Do If Your Number Has Already Been Stolen
If you suddenly lose cell service for no apparent reason — no signal, calls going straight to voicemail, or a notification that your SIM has been updated — assume a SIM swap is in progress and act immediately. The first minutes matter enormously. Contact your carrier from a different phone (a family member’s phone, a landline, or a VoIP service) and tell them you believe your number has been fraudulently transferred. Request an immediate freeze on your account and reversal of any recent SIM changes. Carrier fraud departments can typically restore your number, but it can take anywhere from a few hours to several days depending on the carrier and whether the number has been ported to a different provider entirely. While you are working with your carrier, change the passwords on your most critical accounts starting with your primary email. Use a computer rather than a device tied to the compromised number.
If you have a password manager, use it to generate new unique passwords for each account. Check your email for any password reset notifications or account change confirmations that you did not initiate — these will tell you which accounts the attacker has already targeted. If financial accounts are involved, contact those institutions directly to flag potential fraud and freeze transactions. One important limitation: if an attacker has already used your number to access your email and changed the recovery options, regaining access becomes significantly more complicated. This is why having a hardware security key as a recovery method on your email account is so valuable — it provides a recovery path that does not depend on your phone number or any other method the attacker might have compromised. If you are locked out of your email entirely, you may need to go through the provider’s formal account recovery process, which can take days or weeks with Google and even longer with some other providers. File a report with the FBI’s IC3 and your local police department, as these reports can help with account recovery processes and may contribute to ongoing investigations.
The Growing Threat of eSIM-Based Attacks
As physical SIM cards give way to eSIMs, the attack surface for mobile number theft is shifting. eSIM transfers can be initiated entirely online or through a carrier app, which removes the need for an attacker to visit a store with a fake ID or convince a phone representative to mail a new SIM card. In late 2023, researchers at security firm ESET documented a campaign in which attackers used stolen carrier account credentials to activate eSIM profiles on their own devices, effectively performing SIM swaps without any human interaction on the carrier’s side.
The speed and scalability of this approach makes it particularly concerning. The defense against eSIM-based attacks is largely the same as for traditional SIM swaps — strong carrier account PINs, number locks, and reduced reliance on SMS — but with added emphasis on securing your carrier’s online portal. Use a strong, unique password for your carrier account, enable any available multi-factor authentication on the account itself, and monitor for unexpected emails or notifications about eSIM changes. Some carriers now allow you to disable eSIM changes entirely through account settings, which is worth enabling if you are not planning to switch devices.
Where Mobile Number Security Is Headed
The regulatory and technical landscape around mobile number protection is slowly improving. The FCC’s 2023 rules requiring carriers to authenticate SIM swap and port-out requests more rigorously are a meaningful step, as are industry initiatives like the STIR/SHAKEN framework for call authentication. Some carriers are beginning to explore biometric verification for high-risk account changes, though this raises its own privacy concerns. The broader trend is toward making phone numbers less important as identity anchors — passkeys, for example, replace both passwords and SMS-based verification with cryptographic credentials tied to your device, and adoption is accelerating across major platforms.
In the meantime, the practical reality is that your phone number will remain a high-value target for years to come. Too many systems depend on it for verification, and the transition away from SMS-based authentication will be gradual. The best posture is to assume that carrier-level protections can be bypassed and to build your security layers accordingly: minimize what an attacker can do even if they succeed in stealing your number. That means authenticator apps and hardware keys on critical accounts, unique passwords managed by a password manager, and a habit of monitoring your accounts for signs of unauthorized access.
Conclusion
Protecting your mobile number from theft requires action on multiple fronts. Lock down your carrier account with a PIN and number transfer protections. Shift your most important accounts away from SMS-based two-factor authentication toward hardware keys or authenticator apps. Scrub your personal information from data broker sites to make social engineering harder.
And have a plan for responding quickly if a SIM swap does happen, because the window for damage control is narrow. No single measure is bulletproof, and the threat landscape continues to evolve as carriers adopt eSIMs and attackers refine their methods. But the combination of carrier-level locks, strong non-SMS authentication, reduced public exposure of your personal data, and active monitoring creates a defense that will stop the vast majority of attacks. The SEC incident and countless individual cases demonstrate that this threat is real and the consequences are severe. The time to set up these protections is before you need them.
Frequently Asked Questions
Can I prevent my phone number from being ported to another carrier?
Yes. Most carriers offer a port freeze or number lock feature that blocks transfer requests. On Verizon it is called Number Lock, T-Mobile offers Port Block, and AT&T bundles it into their Extra Security feature. You need to enable these manually through your account settings or by contacting customer service.
Is a carrier PIN the same as my phone’s unlock code?
No. Your carrier PIN or passcode is a separate code tied to your wireless account, used when making changes to your service or calling customer support. It is not related to the PIN, passcode, or biometric lock on your physical device. Set both, but understand they protect different things.
Will a SIM lock on my phone prevent SIM swapping?
A SIM lock (or SIM PIN) prevents someone from using your physical SIM card in another phone if it is stolen. It does not prevent a carrier-level SIM swap, where the attacker convinces your carrier to transfer your number to a completely different SIM. Both protections are worth enabling, but they address different threats.
If I use an authenticator app, does it matter if my number gets swapped?
It significantly reduces the impact, but it may not eliminate it entirely. Some services keep SMS as a fallback recovery method even when an authenticator app is configured. Check each account to see whether SMS recovery can be disabled. For accounts where it cannot, a SIM swap could still be used to bypass your authenticator.
How do I know if I have been SIM swapped?
The most common sign is a sudden loss of cellular service — no bars, calls going to voicemail, and text messages not arriving. You may also receive unexpected emails about account changes or password resets you did not request. Some carriers now send notifications when a SIM change occurs, per FCC rules finalized in 2023.
Should I use a Google Voice number instead of my real number for two-factor authentication?
Using a Google Voice number adds a layer of separation because it is tied to your Google account rather than your carrier account, making it immune to traditional SIM swaps. However, it shifts the risk to your Google account security, and some services do not accept VoIP numbers for verification. It is a reasonable strategy for some accounts but not a universal solution.