How to stop the phone scam that leaves your most critical data exposed

SIM swapping takes advantage of a flaw in two-factor authentication via text messaging—but you can protect yourself.


As the last few years have shown, it’s more important than ever to protect our data. If the big tech giants and data aggregation firms aren’t making us vulnerable by lax data protection policies, we’re being targeted on the other end by outright criminals who find the passwords to our accounts more valuable than the cash in our wallets.


One technique criminals are increasingly using to access our data is known as SIM swapping. The SIM card that your mobile provider gives you connects your phone to its network and associates that device with your phone number. SIM swapping refers to transferring your mobile account (i.e., your phone number) from one SIM card to another. To be clear, there’s nothing inherently shady about doing such a swap: If you lose your phone or your SIM card is damaged, for instance, you might go to a mobile carrier store or even call up customer service to have your number transferred to a new SIM.

But bad actors are increasingly turning to SIM swapping as a way to access other people’s sensitive data, such as financial accounts. They can do this by working with someone on the inside at a mobile provider—perhaps a store employee or someone in the customer service department—to have a phone number transferred from one SIM to another. Or they can simply call a mobile provider and trick a customer service rep into thinking that they’re the person whose phone number they want to steal.

Once they get the wireless carrier to give them control of a phone number, not only can they use your data plan and receive phone calls meant for you, they’ll also be able to read all the plain old text messages sent to you. These text messages are the data goldmine the SIM swap scammers are going for.

Why? Because people are frequently (and wisely) choosing to enable two-factor authentication (2FA) for their online accounts, or finding that service providers have made it mandatory. 2FA provides an extra layer of security when logging into a bank account, for example. Instead of just requiring your login name and password, it makes you enter a code, which is most often sent via SMS text message.

When a scammer swaps SIMs, they do it to get the 2FA codes that are texted to you. These codes give them the key they need to access your financial accounts—and from there they can change the password to your account, transfer funds, or do anything you can do with the account. Any other account protected by a password and 2FA, such as your email and social-media presences, may also be at risk.


How to protect yourself against SIM swapping

It’s impossible to completely prevent someone from gaining access to your phone number through a SIM swap. That’s because the scam requires no misstep on your part (such as clicking on a bogus link). Bad guys need only convince your carrier to transfer your phone number to their SIM.

However, you can make it more difficult for a scammer working without a partner on the inside to swap your SIM. And you can reduce your reliance on 2FA text messages and therefore lessen the damage a successful SIM swap can do. Here are four steps you should take to stop SIM swappers in their tracks:

1. Use an authenticator app

Just because SIM swapping can allow a scammer to circumvent two-factor authentication doesn’t mean you should disable 2FA. But what you can do is opt to use an authenticator app rather than text messaging to get your 2FA codes.

2FA authenticator apps work by keeping six-digit codes for compatible accounts in sync on your phone and on the company’s servers. When you log into any one of these accounts with your login and password, you’ll be asked to enter the six-digit code from the authenticator app—no need for the company to text you the code. Google, Microsoft, Amazon, Facebook, Twitter, and other companies let you use an authenticator app to help secure your accounts.
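How the phone and the server stay "in sync" without any text message, shown as an added example that is not part of the original article: it assumes the app uses the standard time-based one-time password scheme (TOTP, RFC 6238), and the secret is the constructed RFC 6238 test value, not a real account's. Both sides derive the code from a secret shared at enrollment plus the current time, so control of the phone number plays no part.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (RFC 6238 default)
DIGITS = 6   # code length shown in the app

# Constructed sample: the RFC 6238 test secret, base32-encoded the way an
# enrollment QR code would carry it. Never reuse this for a real account.
ENROLLED_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step containing Unix time `at` (phone and server side)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float, drift_steps: int = 1) -> bool:
    """Server side: recompute the code locally and compare in constant time.

    Neighbouring time steps are accepted to tolerate small clock drift.
    """
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, at + delta * STEP)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(ENROLLED_SECRET, now)           # what the app displays
    print(code, verify(ENROLLED_SECRET, code, now))
```
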

Excellent 2FA authenticator apps include Authy, Authenticator by Google (Android, iOS), Microsoft Authenticator, LastPass Authenticator, and 1Password. A single authenticator app can handle all your authentication codes no matter how many different accounts you use.


2. If you can’t use an authenticator app, use email

The problem with authenticator apps is that not all service providers let you use them to secure your account. This is especially true for many financial institutions. For these accounts, text messaging might be the only way to receive your 2FA codes, which makes the bad guys’ work that much easier.

However, check to see if the account supports 2FA via email rather than text message—and if it does, use this option. Receiving 2FA codes via email protects you from SIM-swapping scams because when crooks successfully swap a SIM, they only gain access to your phone number and the text messages it can receive. They don’t gain access to login credentials for accounts such as your email.

If you go this route, make sure that your email is protected via an authenticator app—or the prompt-based authentication offered by Apple and Google—so that a SIM swapper can’t break into your email and snag any 2FA codes being sent there.

3. Set up an account PIN with your mobile carrier

Another critical step you should take to protect yourself from SIM swapping scams is creating an account PIN with your mobile provider. Some providers make you do this when you open an account with them, while some leave it up to you to take the initiative to set a PIN.

Setting up an account PIN can help stop a SIM swap scammer from convincing an unsuspecting mobile provider phone rep to swap SIMs. That’s because the SIM swapper will have to confirm the account PIN before a SIM swap can take place. If the SIM swapper doesn’t know your account PIN, the mobile provider customer rep isn’t going to let them swap SIMs (again, unless that customer rep is working with the SIM swap scammer).


You can set up an account PIN at any time, not just when you open your mobile account. Here’s how to set up your account PIN for Verizon, T-Mobile, AT&T, and Sprint.

4. Set up a SIM PIN

The final thing you can do is protect your SIM locally in your device by giving it its own PIN. It’s important to note that mobile provider account PINs are different from SIM PINs. A SIM PIN is an access code you can apply directly to the SIM in your phone.

Giving your SIM a PIN means that any time the SIM is inserted into your phone or a new phone, or the phone it is in is restarted, a prompt will ask for the SIM’s PIN. Without this PIN, the phone the SIM is in won’t be able to access the account the SIM is linked to.

Giving your SIM card a PIN means that someone who steals your phone and has physical access to your SIM can’t access your mobile account and its text messages, even by removing it from your phone and sticking it in another phone. Here’s how to set a PIN on an iPhone or iPad or an Android device.

About the author

Michael Grothaus is a novelist, journalist, and former screenwriter. His debut novel EPIPHANY JONES is out now from Orenda Books. You can read more about him at