SIM-swap attack
An attack where the attacker convinces a mobile carrier to transfer your phone number to their SIM, defeating SMS-based 2FA.
A SIM-swap attack (also called SIM-jacking or port-out fraud) occurs when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they receive your SMS messages — including SMS-based 2FA codes for Instagram, Facebook, banks, and anywhere else you use SMS verification.
Why it matters
SIM-swap is how most “sophisticated” account takeovers actually work. The attacker doesn’t need your password — they only need to briefly intercept an SMS code during a password reset.
Defense
- Use authenticator-app 2FA, not SMS. App-based codes are generated on your device and never sent to your phone number, so they can’t be intercepted via SIM-swap.
- Set a port-out PIN with your carrier. This adds a verification step before number transfers.
- Watch for sudden loss of cell service. A failed call or SMS where there shouldn’t be a problem is often the first sign of a SIM-swap in progress.
If you suspect a SIM-swap, contact your carrier immediately and reset 2FA on all critical accounts. See the post-recovery security checklist.