Here is a scenario worth thinking about: your phone suddenly shows 'No Service.' Within minutes, your email is compromised, your exchange account is drained, and your authenticator codes are going to someone else's device. The attack took less than ten minutes. You did not click a phishing link. You did not download malware. Someone simply convinced your carrier to move your phone number to their SIM card.
SIM swapping is not new, but it is accelerating. The FBI's 2024 IC3 report documented 982 complaints tied to SIM swap attacks, totaling nearly $26 million in direct losses.1 That number dramatically understates the problem. A SIM swap is typically the first domino — the stolen number unlocks email resets, exchange access, and bank accounts. Those downstream losses get counted in other categories. The real financial exposure is orders of magnitude higher.
The global picture is worse. In the UK, Cifas reported that unauthorized SIM swap filings surged 1,055% in a single year — from 289 cases in 2023 to nearly 3,000 in 2024.2 Australia saw a 240% increase in SIM swap and phone porting assistance requests, with IDCARE reporting that 90% of incidents occurred without any victim interaction at all.3 The attack is going industrial.
How it works is disturbingly simple. Attackers gather personal information from data breaches, social media, or social engineering, then contact your carrier's support line and impersonate you. They request a number port to a new SIM — or increasingly, an eSIM QR code that can be activated remotely. Once approved, your phone goes dark and theirs lights up with your identity. Every SMS-based two-factor code now goes to them.
The T-Mobile case is the landmark. In March 2025, a California arbitrator ordered the carrier to pay $33 million after a SIM swap allowed thieves to drain roughly $38 million in cryptocurrency from a single customer — even though the victim had a 'NOPORT' flag on the account.4 Court filings revealed that attackers bypassed the flag by persuading a call center agent to issue a remote eSIM QR code. The law firm behind the case called it a decision that finally prices weak carrier controls.
Crypto holders face disproportionate risk. Blockchain transactions are irreversible and pseudonymous, making stolen funds nearly impossible to recover. Research indicates crypto holders face approximately six times higher SIM swap targeting than average users.5 The 61% of crypto exchanges that still use SMS as their default second factor are handing attackers the keys.
The fix is straightforward but requires action. First, remove SMS-based 2FA from every account that matters: exchange, email, banking. Replace it with a hardware security key like YubiKey or at minimum an authenticator app. Second, set a unique PIN or passphrase with your carrier that is required for any account changes. Third, contact your carrier and request a port freeze or SIM lock — T-Mobile, Verizon, and AT&T all offer these features, though they are not enabled by default. Fourth, monitor for warning signs: unexpected loss of cell service, password reset notifications you did not initiate, or carrier verification calls you did not expect.
The deeper lesson is architectural. Your phone number was never designed to be a security credential. It was designed to route calls. The entire SMS-based authentication model is built on the false assumption that controlling a phone number proves identity. Until that assumption is retired — and it is being retired slowly — your number remains the weakest link in your security chain.