SIM swap fraud explained (2026): how attackers steal your phone number, drain accounts, and how to lock the door
A criminal does not need your password to empty your accounts. They just need your phone number on their SIM, and your bank's 2FA code does the rest. Here is the full 2026 attack chain and the lockdown that actually works.
Bottom Line First
SIM swap fraud is a social engineering attack where a criminal convinces your mobile carrier to move your phone number to a SIM card they control, then uses the intercepted SMS 2FA codes to drain bank, email, and crypto accounts. The FBI's IC3 logged 982 SIM swap complaints and $25.98M in losses in 2024, down from $72.65M in 2022 thanks to the FCC's July 2024 rule. To protect yourself: set a carrier port-out PIN, move bank and crypto 2FA off SMS to a hardware key or authenticator app, enable the carrier "do not port" lock, and watch for sudden "no service" status on your phone.
How SIM swap actually works in 2026 (5-step attack chain)
SIM swap fraud, sometimes called SIM jacking or port-out fraud, is one of the most damaging social engineering attacks in circulation because it bypasses your password entirely. The attacker does not need to break into your bank. They just need to be the device that receives your bank's 2FA code.
Here is how it actually unfolds:
- Reconnaissance. Attackers harvest your full name, date of birth, address, and the last four digits of your SSN or national ID. They pull this from data breaches sold on Telegram, public LinkedIn pages, voter rolls, or phishing pages that mimic your bank or carrier. This is the step where browser-layer protection matters; we will come back to it.
- Social engineering the carrier rep. The attacker calls or walks into a retail store and impersonates you. They claim "I broke my phone," "I am traveling and lost my SIM," or "I need to port my number to a new carrier." With your real personal details in hand, they pass the carrier's verification questions and request a new SIM, an eSIM transfer, or a port-out.
- Port-out approved. Within minutes the carrier deactivates the SIM in your physical phone and activates a new one on the attacker's device. Your phone shows "No Service" and the attacker now owns your number.
- 2FA codes flow to the attacker. The attacker triggers password resets on your email, then your bank, then your crypto exchange. Each service texts a one-time code to "your" number. The attacker enters it, takes over the account, and changes the recovery options.
- Drain. Bank wires, crypto withdrawals, gift card purchases, and Zelle transfers all go out before you finish rebooting your phone trying to figure out why service is down. The 2025 Scattered Spider sentencing showed federal prosecutors linking one operator to over $13M in restitution and access to 130+ companies via this exact chain.
The entire sequence can complete in under 30 minutes from the moment the carrier rep clicks "approve" to the moment your crypto wallet hits zero.
Why SIM swap surged after FIDO2 and passkey adoption
This sounds counterintuitive. As more services rolled out passkeys, hardware keys, and phishing-resistant FIDO2 authentication, criminals did not give up. They concentrated their effort on the one factor that almost every consumer service still falls back to: a one-time code sent over SMS.
Most banks, almost every US credit card company, and a huge number of crypto exchanges still let you reset 2FA via "we will text you a code." That fallback is the soft spot. Once an attacker owns your number, the strongest passkey on the planet becomes irrelevant because the recovery flow accepts SMS.
CISA spelled this out plainly in its December 2024 Mobile Communications Best Practice Guidance: "Do not use SMS as a second factor for authentication. SMS messages are not encrypted and are vulnerable to SIM-swapping attacks, SS7 protocol exploits, and social engineering." The FBI gave matching guidance the same month after the Salt Typhoon telecom breach (see our Salt Typhoon TOTP vs SMS 2FA explainer).
The result in 2026 is that SIM swap is no longer the script kiddie technique it once was. It is the deliberate weapon of choice for crypto theft crews and identity-fraud rings precisely because passkeys closed every other door.
The 3 most-targeted accounts (in order of attacker priority)
Not every account on your phone has the same value to a SIM swap crew. They go after specific targets in a specific order because each one unlocks the next.
- Crypto exchanges and self-custody wallets. First priority. Funds move on a blockchain within minutes and cannot be clawed back. Coinbase, Kraken, Binance, Crypto.com, and any exchange that still allows SMS as a recovery factor get hit immediately. A phone number does not directly drain a self-custody wallet, but it does expose the recovery email, which is why the next target matters.
- Email. Gmail, Outlook, iCloud Mail. Email is the master key. Whoever owns your email can reset the password on almost every other account through "forgot password." If the attacker can get into your email, they often do not even need the SIM anymore. Lock email down with a hardware key, not SMS.
- Bank apps and brokerage. Chase, Bank of America, Wells Fargo, Schwab, Robinhood. Wire transfers, Zelle payments, and ACH out are the typical drain vectors. Brokerages add a wrinkle because attackers can sell positions before withdrawing, leaving you with realized tax events on top of the loss.
If you are reading this guide and you only have time to harden three things, those are the three. Email first because it controls everything else, then your bank, then any crypto holdings.
The FCC 2024 rule and what it actually requires from carriers
On November 15, 2023, the FCC adopted a Report and Order amending the Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules to fight SIM swap and port-out fraud. The compliance date was July 8, 2024.
According to the Federal Register notice and the FCC compliance announcement, every US wireless carrier must now:
- Use a secure authentication method before honoring any SIM swap or number port-out request. The rule explicitly says authentication cannot rely on "readily available biographical information, account information, recent payment information, or call detail information." In other words, knowing your address, date of birth, or last bill amount is not enough.
- Immediately notify the customer when any SIM change or port-out request is initiated. Notifications must go via a channel separate from the account being changed (so a text-only notification to the number being stolen is non-compliant).
- Offer an account-lock feature that lets customers block SIM swaps and port-outs entirely until they personally unlock it.
- Implement a process for failed authentication attempts so a denied SIM swap cannot be retried in five minutes by the same caller.
- Provide employee training and keep records of SIM change and port-out requests for inspection.
This is the strongest US protection ever enacted, and the IC3 numbers reflect it. SIM swap losses fell from $72.65M in 2022 to $48.80M in 2023 to $25.98M in 2024 per the FBI IC3 annual reports. The 2025 IC3 report noted SIM swapping still accounted for 10 percent of the top-five cyber threats, so the threat has shrunk but not vanished. Determined attackers still bribe insider reps or impersonate identity-verification call centers offshore.
The 6-step lockdown every phone user should do this week
The FCC rule helps. Your own settings help more. Here is the 30-minute hardening pass that closes most SIM swap vectors before they start.
- Set a carrier port-out PIN. Every US carrier now offers this. On T-Mobile it is called "Account Takeover Protection" in the My T-Mobile portal. On Verizon it is "Number Lock" in the My Verizon app. On AT&T it is "Wireless Account Lock." Set a PIN that is at least 8 digits, not your birthday, and not the last four of your SSN. Write it down in your password manager, not on your phone.
- Move bank and crypto 2FA off SMS. Switch to a TOTP authenticator app (Aegis on Android, Google Authenticator, 2FAS, Raivo on iOS) or, much better, a hardware security key. YubiKey 5 NFC, Google Titan, and Feitian ePass all work. Hardware keys are the only consumer-grade 2FA that is fully immune to SIM swap.
- Remove SMS 2FA from email entirely. Gmail and Outlook both let you delete SMS as a recovery and 2FA method once you have an authenticator app or passkey enrolled. Do it. Your email is the master key; SMS on email is the single biggest hole most people leave open.
- Enable the carrier "do not port" lock. On top of the port-out PIN, the FCC's 2024 rule requires every carrier to offer a full account lock that blocks all SIM changes and port-outs. Turn it on. You can lift it in the app whenever you actually need to upgrade or switch carriers.
- Set a SIM PIN on the physical SIM card. This is separate from the carrier port-out PIN. iOS: Settings, Cellular, SIM PIN. Android: Settings, Security, SIM card lock. It stops a stolen phone from being slotted into another device, and also stops eSIM transfer attacks in some implementations.
- Watch for sudden "no service" status. If your phone loses signal on a normal day in a normal location, do not just reboot it. Call your carrier from another phone immediately. The faster you catch a swap, the less drain happens.
If you hold crypto in serious amounts, also remove the phone number from your exchange profile entirely once you have authenticator-app 2FA enabled. Many exchanges keep "phone" as a recovery option silently even after you add an app, and you have to dig into account settings to delete it.
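To see how far one stolen number reaches ("each one unlocks the next") and where a leftover phone recovery option still matters, the sketch below walks an account inventory and reports every account reachable from the phone number, directly or through an email reset. It is an added example, not SafeBrowz code; the account names, the `recovery` field and its values are a constructed sample format.

```python
from collections import deque

# Constructed sample inventory, not real accounts. "recovery" lists every
# method that can reset access on its own: "sms", "totp", "passkey",
# "hardware_key", or "email:<account>" for a reset link sent to that mailbox.
ACCOUNTS = {
    "gmail":     {"kind": "email",  "recovery": ["passkey", "sms"]},
    "workmail":  {"kind": "email",  "recovery": ["hardware_key"]},
    "bank":      {"kind": "bank",   "recovery": ["totp", "email:gmail"]},
    "brokerage": {"kind": "bank",   "recovery": ["hardware_key", "email:workmail"]},
    "exchange":  {"kind": "crypto", "recovery": ["totp", "sms"]},
    "wallet":    {"kind": "crypto", "recovery": ["email:gmail"]},
}

# Hardening order the article gives: email, then bank, then crypto.
HARDEN_ORDER = {"email": 0, "bank": 1, "crypto": 2}


def sim_swap_blast_radius(accounts):
    """Map each account reachable from the phone number to its takeover path."""
    paths = {}
    queue = deque()
    for name, acct in accounts.items():
        if "sms" in acct["recovery"]:          # falls directly to the number
            paths[name] = ["phone number", name]
            queue.append(name)
    while queue:                               # follow email-reset links outward
        owned = queue.popleft()
        for name, acct in accounts.items():
            if name not in paths and f"email:{owned}" in acct["recovery"]:
                paths[name] = paths[owned] + [name]
                queue.append(name)
    return paths


def sms_to_remove(accounts):
    """Accounts where SMS itself must be deleted, in the article's fix order."""
    direct = [n for n, a in accounts.items() if "sms" in a["recovery"]]
    return sorted(direct, key=lambda n: HARDEN_ORDER[accounts[n]["kind"]])


if __name__ == "__main__":
    for name, path in sim_swap_blast_radius(ACCOUNTS).items():
        print(f"{name:10} exposed via {' -> '.join(path)}")
    print("remove SMS from:", ", ".join(sms_to_remove(ACCOUNTS)))
```

In the sample, the bank and the wallet have no SMS factor of their own yet still fall because their reset mail goes to an SMS-recoverable mailbox; deleting SMS from that mailbox removes both from the result.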
What to do in the first 10 minutes if you suspect SIM swap
Speed matters more than precision. If you see "No Service" with no good reason, here is the order:
- Borrow a phone (spouse, friend, work line) and call your carrier's fraud line directly. T-Mobile: 1-800-937-8997. Verizon: 1-800-922-0204. AT&T: 1-800-331-0500. Ask them to freeze your number, reverse any pending SIM change, and confirm the last 24 hours of account activity.
- Log into email from a trusted device (laptop, tablet) and check recent sign-in activity. Revoke all active sessions. Change the password. If 2FA is still on SMS, switch to your authenticator app or hardware key right now.
- Log into your bank and brokerage the same way. Revoke sessions, change passwords, freeze wires and Zelle if the bank app offers that toggle.
- Log into every crypto exchange. Same drill. Disable any pending withdrawal, change the password, and remove the phone number from the profile.
- File reports. US victims should file at ic3.gov (FBI IC3) and IdentityTheft.gov (FTC). UK victims report to Action Fraud at 0300 123 2040, or Report Fraud Police. Indian victims report to the National Cyber Crime Reporting Portal at cybercrime.gov.in. These reports are critical because they preserve the timeline for criminal prosecution and any future civil claim against the carrier.
If your funds are already gone (recovery steps)
If the drain happened before you caught it, you still have options. The window is short but the steps are well-trodden.
Bank funds: Wire transfers and Zelle are tough but not impossible to reverse in the first few hours. Call the bank's wire department directly (not the general customer line) and request a recall. ACH transfers can sometimes be reversed within five business days. Document the SIM swap timeline in writing; the bank's fraud team needs it to dispute the transfer.
Crypto funds: Coins on a blockchain cannot be reversed, but they can be traced. File a chain-analysis request with the exchange the funds left from, and report to IC3 the same day. A growing number of stolen crypto cases recover partial funds when stolen tokens move to a centralized exchange with KYC. Blockchain analysis firms (Chainalysis, CipherTrace, TRM Labs) work with law enforcement on follow-up. Also see our guide on what to do if your crypto seed phrase is stolen for parallel recovery steps.
Carrier liability: A US arbitrator ordered T-Mobile to pay $33M in a 2025 SIM swap case where the carrier was found to have failed reasonable security controls. See the Greenberg Glusker March 2025 announcement of the Jones v. T-Mobile arbitration award for the legal blueprint. If your loss is in the six or seven figures, talk to a lawyer who specializes in telecom liability. The FCC's July 2024 rule strengthens the carrier-negligence theory significantly.
How browser-layer protection helps (it is not just SIM)
SIM swap is the back half of a longer chain. The front half is where attackers harvest the personal data they need to fool the carrier rep: your full name, date of birth, address, last four of SSN, mother's maiden name. That data comes from phishing pages, not directly from leaked databases (leaks still happen, but the data in them is stale and patchy). The fresh, accurate data set comes from convincing you to type it into a fake bank login, fake delivery tracking page, fake IRS refund form, or fake carrier "verify your account" page.
That is the step where browser-layer protection breaks the chain. If the phishing page never loads, the attacker never gets the data they need to impersonate you to the carrier.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including major carriers, banks, and crypto exchanges that get impersonated as the "data harvest" step before a SIM swap) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches fake T-Mobile login pages, fake Verizon "verify your account" forms, fake Coinbase support pages, and the carrier-impersonation pattern family instantly.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains used in telecom-impersonation campaigns.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel carrier and bank impersonation variants in seconds, including the Spanish, Arabic, and Mandarin variants now circulating in 2026 SIM swap operations.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
Block the phishing pages that come before SIM swap
SafeBrowz is a browser extension for Chrome, Firefox, and Edge that blocks fake login pages automatically. It recognizes 550+ brands including T-Mobile, Verizon, AT&T, Chase, Bank of America, Coinbase, Kraken, and more, all auto-blocked when a page tries to impersonate them. AI content analysis works in over 100 languages and spots new phishing domains the moment they go live, even ones not yet on any blocklist. Free forever, Premium at $14.99 per year unlocks unlimited AI deep scans. Questions: info@safebrowz.com.
FAQ
How long does a SIM swap attack typically take?
From the moment the carrier rep approves the swap to the first unauthorized transaction is usually 15 to 30 minutes. Attackers script the password-reset and withdrawal flow in advance so there is almost no manual delay.
Can a SIM swap happen on an eSIM?
Yes. eSIMs are, if anything, slightly easier to attack because no physical card needs to be mailed; the attacker just needs the carrier rep to push the eSIM activation to a QR code they control. Use the same account-lock and PIN protections as you would on a physical SIM.
Will the carrier reimburse me?
Sometimes, but not automatically. The 2025 Jones v. T-Mobile arbitration shows that carriers can be held liable, but you typically need legal action or a strong fraud-report paper trail. Document everything in writing from minute one.
Is using a Google Voice or VOIP number safer?
It is different, not strictly safer. Google Voice numbers cannot be SIM-swapped at a carrier because there is no SIM, but the Google account itself becomes the single point of failure. Lock that Google account down with a hardware key.
What if my country does not have a rule like the FCC's?
Most major markets are moving in the same direction. India's TRAI requires carriers to delay outgoing services for 24 hours after a SIM change to give victims a window. The UK has carrier-led port-out PIN systems under NCSC and ICO guidance. Check your carrier's account settings; the controls are usually there even when the regulation is not.
Article published June 1, 2026. SafeBrowz research, methodology framing only. No per-user URL history or browsing data referenced anywhere in this post. Citations: FBI IC3 annual reports, FCC SIM swap compliance announcement, Federal Register CPNI/LNP rule, CISA Mobile Communications Best Practice Guidance (Dec 2024), Krebs on Security SIM swap archive, Jones v. T-Mobile arbitration award (March 2025).