How to protect yourself from SIM swapping attacks
Posted on by Kirk McElhearn
SIM swapping is an attack through which identity thieves or scammers take over your mobile phone number. When your SIM card is swapped, a scammer can make and receive calls on your phone number, and they can also send and receive text messages. Since many services send two-factor authentication codes via SMS texts, SIM swapping can potentially enable criminals to access your bank account, email, and other online accounts.
It’s important to safeguard against identity theft by protecting yourself from SIM swapping attacks. Here’s how to do so.
What is SIM swapping?
SIM swapping is a form of identity theft that involves a scammer taking control of your phone number by transferring it to a SIM card they own. To make this swap, a scammer typically contacts your mobile carrier, claiming to be you—the legitimate owner of the phone number. Using social engineering tactics and personal information gathered about you, they may be able to convince the carrier to port the number to a new SIM card. In some cases, scammers may simply bribe employees of phone companies to take over victims’ cell phone numbers.
When this is done, your phone loses service, and the scammer begins receiving all calls and text messages intended for you. This allows the scammer to receive two-factor authentication (2FA) codes sent by SMS, or 2FA phone calls. If the attacker knows your password (for example, due to a past data breach), they may then be able to access many of your online accounts—including highly sensitive ones such as bank accounts, email, cryptocurrency wallets, and social media.
Consider that most password-reset requests are handled by sending a link to your email address. If an attacker can use a leaked password (perhaps in combination with a SIM-swap attack) to get into your email, they may be able to get access to nearly every other important account.
SIM swapping can be even simpler to accomplish if the attacker can get physical access to your phone. In that case, they can simply open the SIM tray, remove the SIM card, and insert it into their own phone. But most SIM swapping attacks are done remotely; the scammer may not even be in the same country as the victim.
Physical SIM or eSIM
Scammers often claim that they’ve lost or damaged their SIM card, in order to get the number ported to another card. If you use an eSIM with your phone, this is not possible, because there is no removable SIM card.
However, using an eSIM is not enough to prevent SIM swapping, and you may have reasons why you prefer not to use an eSIM. If you travel abroad often, you may regularly switch SIM cards in your phone, and an eSIM might make this more difficult if you buy pay-as-you-go SIM cards. Apple’s iPhone XS, iPhone XS Max, iPhone XR, or later support up to eight eSIMs, so you could travel and use different eSIMs in different countries, or you could use one eSIM for work and another for personal communications. You can use up to two eSIMs simultaneously on an iPhone.
It’s worth noting that iPhone 14 models and later sold in the U.S. only support eSIM; they don’t have a SIM tray. So you have no choice if you have one of these models. If you are in other countries, iPhones still have SIM trays, but Apple is looking to phase these out in the future.
How to protect your phone number from SIM swapping
The first thing you should do is to protect your phone carrier account with a strong, secure password. Don’t reuse a password that you’ve used elsewhere. Be sure to create a unique, long password; you can even generate a pseudorandom password via your password manager.
Along with secure passwords, you should also use strong two-factor authentication for as many accounts as possible. Instead of receiving a second-factor code via SMS, which is insecure and can be intercepted if your SIM is swapped, use an authenticator app to generate one-time codes. The same feature is also available in most password managers, including Apple’s iCloud Keychain. Not all online accounts support one-time codes, but you should turn on two-factor authentication via an authenticator app for every account that supports it. Other safe alternatives include a physical security key or a passkey.
Next, set a PIN for your SIM card. This prevents anyone with physical access from using your SIM card in another phone. You’ll have to enter the PIN each time you restart the phone, but that’s a small price to pay for the security. On an iPhone, you can do this in Settings > Cellular > SIM PIN.
You should then enable port-out protection with your phone carrier. This system adds a special PIN to your account, preventing anyone who does not have that PIN from transferring the number to another carrier. Even if a scammer has gleaned enough personal information to convince a phone company that they are you, no transfer can be made without this PIN. With some carriers this is enabled by default; with others, you have to turn this option on.
Here’s where to find information about port-out protection at the major carriers in the U.S.:
- AT&T: Get a PIN to transfer your wireless number; this feature is on by default, and you need to get a PIN to be able to port your number.
- Verizon: They also turn this on by default and call the feature Number Lock.
- T-Mobile: Account Takeover Protection is their name for this feature, and it’s not on by default. Learn how to enable Account Takeover Protection here.
How keeping your personal information safe can help prevent SIM swapping
Often, SIM swapping occurs through social engineering: a scammer calls the phone company and pretends to be you, with enough information to get through security checks. Depending on the company, this security check may be more or less strict. To ensure that no one can impersonate you—this is good not only to prevent SIM swapping, but all forms of identity theft—you should make sure of the following.
- Don’t share your phone number, address, birth date, mother’s maiden name, or other personal details online, especially on social media. Ideally, you should only provide this information when it is unavoidable to create an account with an important service.
- Be very careful with emails that ask you to log into a service to update an account, payment methods, or settings. Check the links you click or tap to make sure they are not fraudulent. One advantage of using a password manager is that your credentials (your username and password) will not be auto-filled if you get tricked and go to a bogus website. If you click a link, but your credentials don’t auto-fill like you expect, then it’s probably a fake site.
- Be alert if you receive notifications of any of your accounts being accessed. If you are a victim of SIM swapping, you may not notice it as long as you are on Wi-Fi. If you have a banking app on your phone, and someone accesses your bank account, you should get notifications of transactions. If you see something like this, check to see if your phone number is working immediately. If not, contact your bank as soon as possible; in most cases, you can lock your account from your banking app.
SIM swapping can have devastating effects. Scammers can access many of your accounts, potentially changing passwords, and it can be difficult to get them back. Use every means at your disposal to prevent this.
How can I learn more?
We discussed SIM swapping attacks on episode 340 of the Intego Mac Podcast.
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: