SIM Swap Attack: How Your Accounts Get Drained When Your SIM Is Hijacked, and How to Protect Yourself
In a SIM swap attack a fraudster tricks your carrier into moving your number to their own card, intercepts the SMS verification codes and drains your bank and online accounts. We explain how the attack works, why SMS based 2FA is weak, and step by step protection, with sources.
Quick answer: A SIM swap is when a fraudster social engineers your carrier into moving your phone number to their own SIM card. Once they hold the number, the SMS verification codes for your accounts arrive on the attacker's phone, and they use password resets and one time codes to drain your bank, email and social media accounts. The first sign is your phone suddenly losing signal. The strongest defense is to use a passkey or app based multi factor authentication instead of SMS, and to enable a port freeze with your carrier.
Your phone number has become the key to your digital identity: banks, email and social media send verification codes by SMS. A SIM swap attack breaks exactly this chain. In the US, the FBI Internet Crime Complaint Center reported 68 million dollars in losses from SIM swapping in 2021 alone, far above the total of the previous three years. The attack is not a technical hack; it usually comes down to a phone call that tricks a carrier employee.
How a SIM swap works
- Information gathering. The attacker collects your name, number and identity details from phishing or data breaches.
- Tricking the carrier. They convince the carrier or a dealer through social engineering, saying "I lost my phone, move my line to a new card."
- Moving the number. The number transfers to the attacker's SIM; your card drops off the network and your phone suddenly loses signal.
- Account takeover. The attacker clicks "forgot password" on your bank or email, the reset code now arrives on their phone by SMS, they take over the account and transfer money.
Why SMS based 2FA is weak
A one time code by SMS is the weakest form of multi factor authentication. CISA states that SMS and voice based verification is vulnerable to phishing, SS7 protocol flaws and SIM swap attacks, and urges organizations to move to phishing resistant methods. The US standards institute NIST, in its 2025 guidance, also marks a code delivered over the phone network as a restricted authenticator and asks verifiers to consider risk indicators such as a SIM change or number porting before sending the code. An SMS code is exposed to anyone who hijacks your number or makes you enter it on a fake page. The new generation of defense is passkeys and hardware keys that share no secret; see our password, 2FA and passkey guide.
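The verifier side check that the NIST guidance describes, as an added example that is not code from the page or from NIST: before an SMS code is sent, a recent SIM change or number port on the line is treated as a risk indicator, and the request is steered to a stronger authenticator or denied. The `LineStatus` record, the seven day window and the decision strings are assumptions of this example; a real verifier would obtain the SIM change and porting signals from the carrier or a lookup provider.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Window during which a recent SIM change or number port counts as a risk indicator (assumed).
RISK_WINDOW = timedelta(days=7)

@dataclass
class LineStatus:
    """Constructed, hypothetical signals a verifier would obtain from the carrier."""
    phone_number: str
    sim_changed_at: Optional[datetime]   # last SIM/ICCID change on the line
    ported_at: Optional[datetime]        # last time the number was ported
    has_stronger_mfa: bool               # passkey or authenticator app enrolled

def sms_otp_decision(line: LineStatus, now: datetime) -> str:
    """Decide what to do with a request to send an SMS one-time code.

    Returns 'send_sms', 'require_stronger' or 'deny'. Assumed policy: a SIM
    change or port within RISK_WINDOW blocks the SMS code; the user is steered
    to an enrolled passkey/app if there is one, otherwise the request is denied
    and should be routed to manual identity verification.
    """
    recent = [
        ts for ts in (line.sim_changed_at, line.ported_at)
        if ts is not None and now - ts <= RISK_WINDOW   # a future timestamp also counts as recent
    ]
    if not recent:
        return "send_sms"
    return "require_stronger" if line.has_stronger_mfa else "deny"

def demo_decisions() -> dict:
    """Run the policy over four constructed lines; used by the stand-alone demo below."""
    now = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
    number = "+90 5xx xxx xx xx (constructed)"
    cases = {
        "unchanged_line": LineStatus(number, None, None, False),
        "sim_swapped_yesterday_no_app": LineStatus(number, now - timedelta(days=1), None, False),
        "ported_3_days_ago_has_passkey": LineStatus(number, None, now - timedelta(days=3), True),
        "sim_changed_30_days_ago": LineStatus(number, now - timedelta(days=30), None, False),
    }
    return {name: sms_otp_decision(line, now) for name, line in cases.items()}

if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name}: {decision}")
```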
Protection, point by point
- Use a strong method instead of SMS 2FA. On every account that allows it, use a passkey, a hardware security key or an authenticator app. Keep SMS only when there is no other option.
- Port freeze with your carrier. Ask your carrier for an extra PIN or lock for number porting and SIM changes; some carriers offer this.
- e-Devlet SIM protection. The e-Devlet two step login offers a protection that triggers on a SIM change, plus a backup code option; enable it.
- React to sudden loss of signal. If your phone unexpectedly stays without service for a long time, call the carrier from another line immediately; it may be a SIM swap.
- Bank and email alerts. Turn on instant notifications for account activity and act at once on a suspicious transaction.
- Reduce data exposure. Do not give your number and identity details everywhere; stay alert to phishing.
What to do if you are attacked
First call the carrier from another phone to recover your line and stop the SIM change. Then change your bank and email passwords, sign out of all sessions, and move multi factor authentication to a non SMS method. If money was transferred, contact your bank to dispute it and report the incident to USOM and the Public Prosecutor. If your account was taken over, our account takeover recovery and digital evidence guide walks you through it.
Frequently Asked Questions
How do I know I was SIM swapped? The clearest sign is your phone suddenly and persistently losing service, followed by being unable to log into your accounts.
Can I get my number back? Yes, you can recover the line through your carrier, but your accounts may have been taken over meanwhile; secure passwords and 2FA in parallel.
Should I never use SMS codes? SMS is better than nothing, but move to a passkey or app based authentication wherever possible.
Sources
- FBI IC3, SIM Swapping public service announcement (February 2022, 68 million dollars in losses in 2021): https://www.ic3.gov/Media/Y2022/PSA220208
- FCC, Cell Phone Fraud and SIM swap protection rules: https://www.fcc.gov/consumers/guides/cell-phone-fraud
- NIST SP 800-63B-4, restricted authenticator (PSTN/SMS, SIM change risk indicator): https://pages.nist.gov/800-63-4/sp800-63b/authenticators/
- CISA, implementing phishing resistant MFA: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
- e-Devlet two step login (including SIM protection): https://www.turkiye.gov.tr/2fa-tanitim
- USOM report: https://www.usom.gov.tr/ihbar
To strengthen your corporate authentication and account security, contact DSET.