Research Brief

SIM swapping (also known as SIM hijacking, SIM jacking, port-out scam, or simjacking) is a type of account takeover fraud where attackers deceive or bribe mobile carriers into transferring a victim's phone number to a SIM card they control. Criminals gather personal information from social media, the dark web, previously compromised accounts, and phishing, then use this information to impersonate victims and convince carriers to transfer mobile numbers to a different SIM card or eSIM under their control. Once the swap is complete, calls and texts to the victim's phone number route to the attacker's phone, allowing criminals to receive one-time security codes or calls that banks and other companies use to safeguard customer accounts.

The FBI's 2024 Internet Crime Report documented 982 SIM swap complaints with $25,983,946 in reported losses in the U.S., though this likely understates the true impact since many SIM swaps are categorized under broader fraud types. The UK saw a dramatic 1,055% surge in unauthorized SIM swaps in 2024, rising from 289 cases in 2023 to nearly 3,000 in 2024 according to Cifas. Australia's IDCARE reported a 240% increase in people seeking help for phone porting and SIM swap fraud in 2024 versus 2023, with 90% of incidents occurring without any victim interaction. In March 2025, a California arbitrator ordered T-Mobile to pay $33 million after the carrier's weak authentication enabled the theft of cryptocurrency in a SIM swap case, setting a record payout.

SIM lock (also called SIM PIN) is a device-level security feature that requires a PIN code every time the phone restarts or the SIM is inserted into another device. On iPhone, users can enable SIM PIN by opening Settings, tapping Cellular, then tapping SIM PIN and turning it on. When prompted, users must enter their carrier's default SIM PIN (typically 1111, 1234, or 0000). On Android (Samsung), users navigate to Settings > Security and privacy > More security settings > SIM card security, then turn on the Lock SIM card toggle. After enabling, users should change the default PIN to something memorable but not obvious, and note that entering the wrong PIN three times will require a PUK code from the carrier. This SIM lock is distinct from carrier-level SIM Protection features. Verizon's SIM Protection feature locks lines on an account so they cannot process a SIM change until the protection is turned off, ensuring the number is protected from SIM swapping.

Beyond SIM lock, security experts recommend multiple protection layers: Use app-based authentication like Google Authenticator or Authy, or hardware keys such as YubiKey, as these methods aren't tied to phone numbers and are far less vulnerable to SIM swap attacks. Attackers often rely on publicly available details to impersonate victims, so limiting personal information shared online—such as phone number, birthday, or address—makes it harder for them to build a convincing profile. The Federal Trade Commission (FTC) advises users to set a PIN or password on the SIM card to prevent changes from being made without the consent of the phone number holder.