SIM-Swap Attacks Are Surging — Lock Down Your Phone Number in 30 Minutes

SIM-swap losses hit $25.9M in 2024 and UK cases rose 1,055%. Here's how the attack works and how to lock your number at AT&T, Verizon, and T-Mobile.

In April 2025, Noah Michael Urban — a 21-year-old from Palm Coast, Florida — was sentenced to 120 months in federal prison and ordered to pay $13 million in restitution for SIM-swapping his way into at least five victims' accounts. He was a member of Scattered Spider, the loose Telegram-and-Discord-based group also known to security firms as 0ktapus. The case is one of the largest individual SIM-swap prosecutions to date. It is not the last.

SIM-swap is the attack where someone convinces (or pays) a carrier rep to port your phone number onto a SIM card they control. Once they have your number, every account tied to SMS-based two-factor authentication is theirs: email, bank, brokerage, crypto wallet. The good news is that locking down your number takes about 30 minutes, costs nothing, and dramatically reduces your exposure. This post is the walkthrough.

One-sentence answer: To prevent SIM-swap attacks, set a port-out PIN and enable account lock at your carrier, move SMS-based 2FA to an authenticator app, and reduce how easily your phone number can be found through data broker removals.

TL;DR

  • SIM-swap attacks caused $25.9 million in reported U.S. losses in 2024 per the FBI IC3, and UK unauthorized SIM swaps surged 1,055% year-over-year per Cifas.
  • Attackers research targets using your phone number from a data broker plus identifying info from social media — then socially engineer a carrier rep.
  • All three major U.S. carriers (AT&T, Verizon, T-Mobile) offer free port-out locks; most customers have not enabled them.
  • Authenticator apps (Aegis, Raivo, Authy) replace SMS 2FA for almost every meaningful account.
  • A separate "burner" number for high-value accounts (Google Voice, MySudo) decouples banking from your real cell number.

How a SIM-swap actually unfolds

Recon. Your phone number is for sale on dozens of people-search sites for $1–$5. Pair that with your birth year (Facebook, LinkedIn) and mother's maiden name (your aunt's old Christmas card scan) and the attacker has enough to pass most carrier identity checks.

The call. The attacker calls the carrier's support line claiming to be you, says they're upgrading to a new phone, and asks the rep to activate a new SIM. If the rep follows the script, they ask security questions. The attacker, having done the recon, passes them.

The port. Within minutes, your phone loses signal. The new SIM in the attacker's device receives your calls and SMS. Many carriers don't proactively contact you about the change.

The cleanup. The attacker starts password reset flows on Gmail, your bank, your brokerage, your crypto exchange. Each sends a 6-digit code by SMS. By the time you realize your phone is dead, funds are moving.

Krebs on Security has documented organized SIM-swap crews recruiting teens from Roblox and Minecraft for the carrier-rep calls while more experienced members handle the financial drain. This is a coordinated criminal economy.

How big the problem is

  • United States, 2024. The FBI IC3 report recorded 982 SIM-swap complaints causing $25,983,946 in reported losses. True losses are higher — most victims never file.
  • United Kingdom, 2024. Cifas recorded a 1,055% year-over-year increase in unauthorized SIM swaps, from 289 cases to nearly 3,000.
  • 2025 trend. SIM-swapping made up roughly 10% of top cyber-threat complaints to IC3 in 2025, behind data breaches and ransomware but ahead of malware.

Step 1: Set a port-out PIN and account lock

This is the single highest-leverage move. All three major U.S. carriers now offer some form of port-out protection. None of them are enabled by default for most customers.

AT&T

AT&T launched Wireless Account Lock in July 2025, available in the myAT&T app. It blocks port-outs and many sensitive account changes at the account level.

To enable: open the myAT&T app → Account → Profile → Wireless Account Lock → toggle on. You'll also want to set a unique passcode separate from your account password.

Verizon

Verizon splits the controls. Number Lock blocks port-outs per-line. Number Transfer PIN is a one-time code required to authorize any port.

To enable: open the My Verizon app → Me (or Account) → Profile and settings → Security settings → toggle Number Lock On for each line. Set a Number Transfer PIN in the same menu.

T-Mobile

T-Mobile treats port protection and SIM protection as separate add-ons that you enable per line.

To enable: sign in at t-mobile.com or open the T-Life app → Profile → Privacy & Notifications → Account Takeover Protection → enable. Then enable SIM Protection in the same area. T-Mobile also requires a 6–15 digit account PIN for every customer; it is set during account creation, so confirm you still know yours.

What if you're on a regional carrier or MVNO?

Most MVNOs (Mint, Visible, Cricket, Boost) inherit port-out policies from their underlying network. Check their support page for "port-out PIN," "transfer PIN," or "port freeze." If the carrier can't tell you they support a port-out lock, that itself is a signal — consider switching to one that does.

Step 2: Move SMS-based 2FA off your phone number

SMS as a second factor is broken specifically because SIM-swap exists. Anywhere a SIM-swap attacker can get your texts, they can defeat SMS 2FA. The fix is moving to a TOTP authenticator app — the rotating 6-digit codes that don't depend on your phone number at all.

The good options, in order of trust:

  • Aegis (Android) — free, open-source, encrypted backups, no account required. Best Android default.
  • Raivo OTP (iOS) — free, open-source, iCloud backup. Best iOS default.
  • Authy / Twilio Authenticator — convenient cross-device sync, but Authy itself was breached in 2024 and phone numbers were leaked. Acceptable but no longer our top pick.
  • Google Authenticator — fine if you enable cloud sync, but ties your codes to your Google account.
  • Hardware keys (YubiKey, Token2) — the gold standard for your most critical accounts (email, password manager, financial). Cost $25–$70 each. Buy two and register both.

Migrate, in priority order: your primary email, your password manager, your bank, brokerage, crypto exchange, and any account with payment info. Anywhere a service offers TOTP or hardware-key 2FA, use it instead of SMS. Anywhere a service only offers SMS, consider it a weak point.

Step 3: Use a separate number for high-value accounts

Make your real phone number recover almost nothing. Get a secondary number — Google Voice is free — and use it as the recovery method for your bank, primary email, and password manager. Keep your real cell number for friends, family, and accounts where the recovery doesn't matter.

Why this helps: SIM-swap targets your real cell number because it's publicly tied to your name. A Google Voice number isn't ported by a carrier — Google manages it directly — so the carrier social-engineering vector doesn't apply.

Step 4: Reduce how easily your phone number can be found

Attackers find phone numbers in people-search sites and breached datasets. For people-search, file opt-outs at Spokeo, Whitepages, BeenVerified, Radaris, MyLife, and Intelius. For breach data, your number is probably already out there — you can't un-leak it, but you can make it less useful to join with other records by shrinking your public profile, the skeleton-key argument applied to phone numbers.

What you can do today

  1. Set port-out protection on your carrier today. AT&T Wireless Account Lock, Verizon Number Lock + Transfer PIN, or T-Mobile Account Takeover Protection. 10 minutes total.
  2. Move SMS 2FA off your email, bank, and password manager to an authenticator app (Aegis or Raivo). Another 20 minutes.
  3. Set up a Google Voice number and migrate your bank's recovery number to it. 10 minutes plus bank login.
  4. File the top six people-search opt-outs to make your phone number harder to find. One Saturday afternoon.
  5. Buy two YubiKeys for your primary email and password manager if you can afford it. The most cost-effective security upgrade you'll make this year — see related identity-theft economics.

The pitch

We built Leak Check Me to handle the data broker portion of this fight — helping execute eligible opt-out actions at sites that surface your phone number and patrolling for relistings. We can't lock your carrier account; you have to do that. But we can help make sure your number isn't sitting on a $4 broker profile that any aspiring SIM-swapper finds in 30 seconds. Start a scrub mission at leakcheckme.com.

Find the leak. Scrub the link.