SIM Swap Prevention: How to Protect Your Phone Number
A SIM swap attack lets a criminal take over your phone number in 15–30 minutes using only publicly available information. Here's exactly how to stop it.
Why SIM swap is uniquely dangerous
Your phone number is used for SMS 2FA on nearly every account. When criminals take it over, they immediately receive your SMS codes — and can reset passwords, access banking, drain crypto wallets, and take over email. The attack happens remotely, without physical access to your phone.
How a SIM Swap Attack Works
Prevention Steps — Do These Now
Set a carrier SIM transfer PIN
Log into your carrier's account online and set a unique PIN or "verbal password" that must be provided before any SIM transfer. This is different from your account login password.
US carriers:
• AT&T: myAT&T → Account security → Add extra security
• Verizon: My Verizon → Security → Account PIN
• T-Mobile: Account profile → Advanced security → SIM Protection
Switch from SMS 2FA to an authenticator app
Go to every important account and change your 2FA method from SMS to an authenticator app. Start with: email (Gmail/Outlook), banking, and any crypto exchange.
Best authenticator apps (all free):
• Aegis (Android, open source, local storage)
• Google Authenticator (cross-platform, most compatible)
• Authy (cross-platform, cloud backup option)
Authenticator apps generate codes locally on your device. Even with your number hijacked, these codes cannot be intercepted.
Enable port-out protection (separate from Step 1)
Port-out protection blocks your number from being transferred to a different carrier without physical verification. This is a completely separate threat from in-carrier SIM swaps — and requires a separate protection.
Call your carrier and ask: "Can you enable port-out protection or number lock on my account?" Many carriers offer this but don't advertise it prominently.
Remove your phone number from public profiles
Criminals build SIM swap profiles from publicly available data. Check and remove your phone number from:
• Social media bios and profiles (Facebook, LinkedIn, Twitter)
• Data broker sites (BeenVerified, Spokeo, PeopleFinder)
• Business listings if not required
Use hardware security keys for critical accounts
For your primary email, main crypto exchange, and any account where compromise would be catastrophic: add a hardware key as a second factor.
Hardware keys (YubiKey, Google Titan Key) require physical presence to authenticate. No remote attacker can bypass them regardless of what phone number they control.
Hardware keys start at $25 and work with Google, Microsoft, GitHub, and most major crypto exchanges.
Know the warning signs — act within minutes
If these happen simultaneously: your phone loses signal + you receive emails about account changes you didn't make:
→ Call your carrier immediately from another phone or landline
→ Change your email password from a computer
→ Move crypto to a hardware wallet or new wallet address immediately
→ Call your bank's fraud line
2FA Methods: What's Vulnerable vs. What's Safe
❌ Vulnerable to SIM swap
✓ Safe from SIM swap
SIM swap is one part of a larger threat
If your phone is physically stolen, SIM swap protection isn't enough. FINDERR displays your contact info on the lockscreen — helping good samaritans return your phone before a thief can act.
Learn About FINDERRFrequently Asked Questions
What is a SIM swap attack?
A SIM swap (also called SIM hijacking or SIM jacking) is when a criminal convinces your carrier to transfer your phone number to a SIM they control. They then receive all your SMS codes, letting them take over accounts via password resets. The attack is entirely remote — they never touch your phone.
How do criminals get my information to run a SIM swap?
From social media (public profiles), data broker databases, phishing attacks, and sometimes bribed carrier employees. They need your name, phone number, and answers to common security questions. This information is often already public.
How do I know if I've been SIM swapped?
Your phone suddenly shows "No service" or "SIM not valid" when you haven't changed anything. You stop receiving calls and texts. You receive unexpected emails about account changes. Call your carrier from another device immediately if this happens.
Is SMS 2FA ever acceptable to use?
SMS 2FA is better than no 2FA. Use it only for accounts where compromise would be low-impact. For email, banking, and crypto: switch to an authenticator app or hardware key. These cannot be intercepted via SIM swap because they don't route through your phone number.
What's the connection between SIM swap and phone theft?
They're related but different attacks. Physical phone theft gives the thief device access. SIM swap gives them network access (your number). A sophisticated criminal might do both: steal your phone for device access, then SIM swap your number to bypass phone-based 2FA. Setting a carrier PIN and switching from SMS 2FA addresses the SIM swap component.