Preventing SIM Swapping and Port-out Scams [Updated]
The simplest way is to set a SIM PIN, enable number transfer protection with your carrier, and use an authenticator app instead of SMS for 2FA.

Steps To Prevent SIM Swap Fraud
A SIM swap happens when criminals trick your mobile provider into transferring your phone number to a SIM card that they control. The moment this happens, your phone service cuts off, and hackers gain control over any accounts linked to your number.
They can reset passwords, lock you out, and access financial accounts. With your number, they can also access sensitive information like your address, date of birth, Social Security number (SSN), and banking details — and use this data for identity theft or sell it on the Dark Web.
Worse, they can pose as you, sending phishing messages to your contacts in order to spread scams or steal more data. Here’s how you can avoid SIM jacking or SIM swap fraud:
- Add a SIM lock and other account passcodes. Every time your SIM card is removed, it locks and requests a PIN. Most Apple and Android devices have setup instructions available.
- Enable a “port freeze” or similar features. A port freeze stops your phone number from being transferred. Some mobile carriers, like Verizon, allow you to lock your SIM directly from your account.
- Use your carrier’s app. For example, AT&T’s myAT&T app can generate a Number Transfer PIN if you want to port your number to a different carrier.
- Set up alerts for account changes. In addition to turning on alerts for your online banking and social media accounts, also consider enabling notifications from your phone carrier. Most carriers send emails or texts when your bill is ready, a payment is processed, or your plan changes.
- Use strong, unique passwords across all accounts. Change the default PIN on your SIM, too. For example, the default PIN on an AT&T SIM is “1111.”
- Limit sharing your phone number. Your phone number is the key to a SIM swap. The fewer people who have it, the harder it is for scammers to target you.
- Enable multi-factor authentication (MFA) whenever possible. Authenticator apps create one-time passcodes that are hard to intercept — even if a scammer has your phone number.
- Watch for phishing emails. Don’t click on any links in emails or texts from people you don’t know. Well-known companies will not ask for your personal data via email.
- Remove your cell phone as an account recovery option. Google, for instance, lets you add a phone number as a recovery method. Switch to email, backup codes, or an authenticator app.
Turn On Your Provider’s SIM Swap Protections
1. On AT&T
Set a strong passcode. If scammers attempt a SIM swap, they’ll need to know your passcode when they’re talking to an AT&T rep. Do not use your birth year, sequential numbers (such as “4567”), or other easy-to-guess numbers. Update your existing passcode in your AT&T profile under Sign-in info.
Create a SIM card lock code. This is a different PIN that prevents your phone number from being used on any other network. The default AT&T PIN is easily available, so you’ll need to change it.
- On an Apple device, go to Settings → Cellular → SIM PIN.
- On an Android device, go to Settings → Security & Privacy → SIM card lock → Lock SIM card.
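To make the passcode and SIM PIN advice above concrete, here is an added example (not AT&T's or Aura's code) that flags the choices this article warns against: the default “1111,” sequential digits such as “4567,” and anything that looks like a birth year. The year range and the repeated-block rule are assumptions standing in for “other easy-to-guess numbers.”

```python
from typing import List

DEFAULT_PINS = {"1111"}  # the AT&T default SIM PIN quoted in this article


def weak_pin_reasons(pin: str) -> List[str]:
    """Return the reasons a numeric PIN is easy to guess (empty list = none found)."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < 4:
        return ["not-numeric-or-too-short"]

    reasons = []
    if pin in DEFAULT_PINS:
        reasons.append("default")

    # Digit-to-digit steps modulo 10, so "7890" and "2109" count as runs too.
    steps = [(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])]
    if all(s == 0 for s in steps):
        reasons.append("repeated-digit")
    elif all(s == 1 for s in steps) or all(s == 9 for s in steps):
        reasons.append("sequential")

    # Assumption: any 4-digit value from 1900 to 2099 could be a birth year.
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        reasons.append("looks-like-year")

    # Assumption: two identical halves ("1212", "2020") are also easy to guess.
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:] and len(set(pin)) > 1:
        reasons.append("repeated-block")

    return reasons


if __name__ == "__main__":
    for candidate in ("1111", "4567", "1987", "2020", "8302"):  # constructed samples
        print(candidate, weak_pin_reasons(candidate) or "no obvious weakness")
```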
Enable a Wireless Account Lock. This feature disables specific transactions for all devices on your AT&T wireless account. That includes smartphones, smartwatches, laptops, hotspots, and tablets. It even applies to standalone tablets and hotspots on data-only plans. When activated, a Wireless Account Lock prevents:
- Device changes, such as upgrades, SIM and eSIM swaps, and IMEI changes.
- Line changes, such as transfers.
- Billing changes, such as adding lines, adding authorized users, or changing credit card or bank account numbers.
It’s free for all AT&T wireless customers (including AT&T prepaid). But you can only turn it on or off by using the myAT&T app.
Set a Number Transfer PIN. As mentioned earlier, Number Transfer PINs let you transfer your number to a different provider. To prevent unauthorized transfers and port-outs:
- Keep your Wireless Account Lock on until you transfer your number.
- Request a Number Transfer PIN only when you sign up with a new provider. You can do this online with myAT&T, from the myAT&T app, or from your AT&T mobile device.
2. On Verizon
Enable SIM Protection. SIM Protection prevents unauthorized SIM or device changes, such as upgrades and SIM swaps. It’s available for postpaid, prepaid, and business customers.
Activate SIM Protection in your My Verizon Account Security Settings. You will receive a text message to confirm activation.
Turn on Number Lock. Number Lock must be turned off to port out to a different mobile carrier. When you have it turned on, no one can generate a Number Transfer PIN.
You can enable Number Lock in your My Verizon account Security Settings. You’ll need to be an Account Owner or have Manager access privileges.
Enable 2FA. When 2FA is enabled, you can authenticate by using app notifications, special links, or one-time verification codes. To turn on 2FA, head to your My Verizon account Security Settings and select Two-Factor Authentication. Then follow the prompts.
3. On T-Mobile
Create an account PIN. Account PINs can block anyone trying to contact T-Mobile customer service who is posing as you. If a scammer can’t provide your PIN when talking to customer service, they can’t make changes to your account.
To create or update your PIN, go to the PIN/Passcode section of your T-Mobile account. You’ll get a text to verify your changes.
Add biometric verification. Face or fingerprint IDs can also protect you from SIM swappers. Customer service will ask callers to provide biometric authentication before making any adjustments to your account.
To set up biometric verification, you must:
- Have a T-Mobile ID.
- Have an iPhone running iOS 16 or later, or an Android running Android 11 or later.
- Download T-Mobile’s T-Life app (App Store, Google Play).
- Enable app notifications.
Once you’ve met these requirements, have the account holder contact T-Mobile. A representative will send a notification to your device that walks you through the setup process.
Enable SIM Protection. Postpaid accounts have access to SIM Protection — a free feature that prevents attackers from moving your phone number to their devices.
To enable SIM Protection from the T-Life app:
- Click on the Manage tab, and then the gear icon.
- Select Security → SIM Protection.
- Enable SIM Protection for your account.
- Click on Save Changes → Continue.
From T-Mobile.com:
- Log in to your T-Mobile account. (You’ll need to provide your T-Mobile ID.)
- Select your name → Profile → Privacy and Notification.
- Select SIM Protection, and then enable SIM Protection for your account.
- Click on Save Changes → Continue.
Enable Port Out Protection. Port Out Protection blocks someone from transferring your phone number to another phone carrier. It’s free for all postpaid, prepaid, business, and Metro by T-Mobile customers. Add Port Out Protection in the add-ons section of the T-Life app or via your T-Mobile.com account.
Note: You have to add Port Out Protection to each line individually.
Add other authentication options. By default, T-Mobile authenticates your phone number and Device/SIM. But if a cybercriminal already has your phone or SIM, that won’t keep your number safe. For better security, choose Google Authenticator, fingerprint, or FaceID authentication methods instead.
Signs You’ve Been SIM Swapped
SIM swapping will cause your phone to act up. Here are some signs that your phone number has been hacked:
- You suddenly lose service or are only allowed 911 calls. Once your SIM is activated on another device, your phone number becomes unusable.
- You get unusual notifications from your carrier. The Federal Communications Commission (FCC) requires service providers to send alerts when a password, authentication method, online account, or address is created or changed.
  - Verizon, for example, will send you a message when a new SIM card or a new device is being activated on your line.
  - AT&T will text you when your SIM card is being changed or your cell number is being transferred.
- Your phone bill shows a device you don’t recognize. Fraudsters may have transferred your number to a new device and added it to your plan. Or they may have used your information to open a cell phone account in your name.
- 2FA codes stop arriving. A scammer could be intercepting them on an alternate device. Account login activity from unfamiliar locations or devices is another warning sign of a SIM swap.
- Apps like iMessage and WhatsApp stop working. These apps rely on SMS functionality. If a scammer has taken control of your phone number, your device won’t be able to send or receive iMessage or WhatsApp messages.
- You see email alerts from new services. Someone might have committed port-out fraud, transferring your number to a new carrier.
Inside a SIM Swap Attack
SIM swap scams start by obtaining access to your carrier account. Scammers try to bypass your carrier’s identity checks, use information they obtained in a data breach, or use social engineering techniques to get the information they need to impersonate you.
- Last year, criminals approached T-Mobile, Verizon, and Charter employees via text — sometimes using employee directory data — and offered up to $300 for insider help with SIM swaps.
- The FCC reported that attackers have even filed emergency disclosure requests to get people’s personal details.
- Researchers at Princeton found that some wireless providers are using less secure methods of authentication, like security questions, payment history, and device information.
If a bad actor successfully cons your carrier, the customer service rep will map your phone number to the scammer’s SIM card, which is identified by its unique ICCID and IMSI codes.
Your old SIM gets deactivated. And the new SIM, now associated with your number, registers on the carrier’s network. The attacker’s device begins receiving all text messages and phone calls that were meant for you.
Note: If you ever get a new SIM card, be sure to destroy the old one. Scammers can use your SIM card to steal photos, videos, and contacts. They can even track your location.
What To Do If This Happens
First, start a SIM swap or number transfer claim with your carrier:
Write down the service representative’s ID number, name, and case ID number for your records. Next:
Let your bank and other financial institutions know. Call their official customer service lines and let them know you’ve been the victim of fraud. Ask them to shut off any text-based authentication. If that’s not possible, request authentication via email or authenticator app.
File a report with local law enforcement. A police report can help you dispute any related charges on your credit card. At the station (or online), explain how you think the SIM swap happened and to what accounts the scammer may have access. To help catch the criminal, you can also submit your case to:
- The FBI: ic3.gov.
- The Federal Trade Commission: Reportfraud.ftc.gov.
- Your state Attorney General’s office. Find them here: USA.gov/state-attorney-general.
Place a fraud alert or credit freeze. A fraud alert puts a warning on your credit file so that lenders take extra steps to verify your identity.
Contact Equifax, Experian, or TransUnion to request a fraud alert. A credit freeze goes a step further, preventing lenders from extending new credit. You’ll need to contact each of the three bureaus individually to initiate a freeze.
File a FACTA request. If you suspect that a stolen phone number has led to identity theft, you can request activity information from your carrier. This data will support your disputes with retailers and lenders. Note that each carrier has different requirements.
Track your credit and identity. For security measures that you can’t manage on your own, there’s always Aura. Aura’s credit monitoring and identity theft protection plans double down on alerts and recovery. Plus, they come with $1 million in identity theft insurance coverage and 24/7 U.S.-based support from experienced fraud resolution specialists.

Editorial note: Our articles provide educational information for you to increase awareness about digital safety. Aura’s services may not provide the exact features we write about, nor may cover or protect against every type of crime, fraud, or threat discussed in our articles. Please review our Terms during enrollment or setup for more information. Remember that no one can prevent all identity theft or cybercrime.