Insights · Cybersecurity · 10 June 2026

SIM Swap Protection: Securing the Number That Unlocks Everything

The most dangerous credential a principal owns is not a password. It is a ten-digit phone number — and a stranger in a call centre can hand it to someone else in minutes.


In its most recent annual accounting, the FBI's Internet Crime Complaint Center logged 982 SIM swap complaints producing nearly $26 million in reported losses — on top of the $68 million and $72 million reported in the two peak years before. Those figures describe only the victims who filed. In the United Kingdom, the fraud bureau Cifas recorded a 1,055% surge in unauthorised SIM swaps in a single year, from 289 cases to more than 2,900. The technique is not fading; it is industrialising.

The stakes at the top of the wealth curve are of a different order entirely. In March 2025, an arbitrator ordered T-Mobile to pay $33 million over a single SIM swap that enabled the theft of a technology entrepreneur's cryptocurrency. Michael Terpin's long-running suit against AT&T — over a swap that cost him roughly $24 million in digital assets — survived the carrier's motion for summary judgment in July 2025, with a federal judge affirming that carriers can be held to FCC privacy obligations. The courts are catching up. The attackers, regrettably, are not waiting.

Anatomy of a Number Theft

A SIM swap requires no malware and no intrusion into your devices. The attacker convinces — or pays — your mobile carrier to move your number onto a SIM they control. Sometimes it is pure social engineering against a retail employee armed with your date of birth and address, harvested from breach data. Sometimes it is an insider accepting a few hundred dollars per port. Increasingly it is an eSIM transfer executed entirely online.

The first symptom is silence: your phone drops to “No Service.” From that moment, every SMS one-time code — for email, banking, brokerage, exchange accounts — flows to the attacker. With control of your number and your primary inbox, password resets cascade. Practised crews empty exchange wallets in under thirty minutes, which is why crypto holders remain the prize target: the transfers are irreversible, and there is no fraud department to call.

Why Principals Sit at the Top of the Target List

SIM swap crews do not select victims at random. They buy curated lists — executives, founders, known digital-asset holders — assembled from breach dumps, data brokers and public registries, then verify carrier and number before striking. A principal's number is also a gateway to the enterprise: an attacker holding the chairman's line can authorise wires by text, reset corporate credentials, or lend terrifying credibility to the voice-cloning schemes we examine in our briefing on deepfake protection for executives. For families holding digital assets, the number is frequently the last factor standing between an attacker and self-custodied or exchange-held funds — a structural weakness we address directly in crypto custody protection.

$26M: SIM swap losses reported to the FBI's IC3 in a single year
1,055%: one-year surge in UK SIM swap cases recorded by Cifas
$33M: record arbitration award against a carrier for one swap, 2025

Closing the Carrier Door

The first line of defence sits with the carrier, and most clients have never touched it. Every major North American operator now offers a port-out and SIM-change lock — Verizon calls it Number Lock, AT&T offers Wireless Account Lock, T-Mobile provides SIM Protection — which blocks any transfer until the lock is deliberately removed through authenticated channels. Enable it on every line in the household, set a unique carrier PIN that appears nowhere else in your life, and instruct the carrier in writing that in-store changes require photo identification. For principals, we go further: the number the world knows should not be the number that receives security codes. A private line on a separate, hardened account — held in the name of an entity rather than the individual — gives attackers nothing to look up.

A fortune defended by a text message is a vault whose key hangs on the front gate.

Retire SMS as a Key

Carrier locks raise the cost of attack; removing SMS from the chain removes the prize. Every account of consequence — email first, then banking, brokerage, exchanges, cloud storage — should authenticate with hardware security keys or, at minimum, an authenticator application, with SMS deleted as both a second factor and a recovery method. The recovery path matters more than the login: an account that signs in with a passkey but recovers by text is still a text-protected account. This is painstaking, unglamorous work across dozens of accounts and every family member, which is precisely why it is rarely finished — and why we treat it as a standing engagement rather than a weekend project, as part of the broader programme described in AI-era cybersecurity for family offices.
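The recovery-path point above, as an added example (not code from this article or its authors): a Python audit that follows each account's recovery chain back to the phone number and orders the fixes as the paragraph does. The inventory, field names and method labels are constructed assumptions for illustration.

```python
from collections import deque

# Order the article gives for remediation: email first, then the rest.
PRIORITY = ["email", "banking", "brokerage", "exchange", "cloud storage"]

# Constructed inventory (illustrative, not real accounts). Methods:
# "sms" = code texted to the number, "email:<account>" = reset link sent to
# that inbox, "passkey"/"hwkey"/"totp" = not tied to the phone number.
INVENTORY = {
    "primary_email": {"category": "email", "login": ["passkey"], "recovery": ["sms"]},
    "backup_email": {"category": "email", "login": ["hwkey"], "recovery": ["hwkey"]},
    "bank": {"category": "banking", "login": ["totp"], "recovery": ["email:primary_email"]},
    "brokerage": {"category": "brokerage", "login": ["sms"], "recovery": ["email:backup_email"]},
    "exchange": {"category": "exchange", "login": ["hwkey"], "recovery": ["hwkey"]},
    "cloud": {"category": "cloud storage", "login": ["totp"], "recovery": ["email:primary_email"]},
}

def recoverable_via_number(inventory):
    """Map each account whose recovery chain ends at SMS to that chain."""
    chains = {name: ["phone number", name]
              for name, acct in inventory.items() if "sms" in acct["recovery"]}
    queue = deque(chains)
    while queue:  # breadth-first: follow "recovers by email to X" edges
        inbox = queue.popleft()
        for name, acct in inventory.items():
            if name not in chains and f"email:{inbox}" in acct["recovery"]:
                chains[name] = chains[inbox] + [name]
                queue.append(name)
    return chains

def remediation_plan(inventory):
    """List (account, reason) pairs in the article's priority order."""
    chains = recoverable_via_number(inventory)
    plan = []
    for name, acct in inventory.items():
        if name in chains:
            plan.append((name, "recovery: " + " -> ".join(chains[name])))
        elif "sms" in acct["login"]:
            plan.append((name, "SMS code still used at sign-in"))
    plan.sort(key=lambda item: PRIORITY.index(inventory[item[0]]["category"]))
    return plan

if __name__ == "__main__":
    for account, reason in remediation_plan(INVENTORY):
        print(f"{account:14} {reason}")
```

In this inventory the bank and cloud accounts never mention SMS themselves, yet both appear in the plan because their reset mail lands in an inbox that recovers by text.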

The First Hour of an Attack

If your phone goes dark without explanation, assume hostility and move quickly. From another device, call your carrier's fraud line and demand the port be reversed and the account frozen. Sign in to your primary email from a trusted machine, change the password, and revoke all active sessions before the attacker pivots. Contact exchanges and banks to freeze withdrawals — minutes matter most where transfers are irreversible. Document everything with timestamps, and file with the IC3; as the 2025 carrier judgments show, the record you build in that first hour carries real weight later. Families we monitor do not perform this triage alone: an anomalous port attempt on a watched line generates a call from a named contact, not an email found the next morning.

The honest conclusion is that SIM swap defence is not a product but a posture: carrier locks verified quarterly, authentication rebuilt without SMS, exposed personal data pruned at the source, and someone accountable watching for the attempt itself. That is the standing architecture we build and operate for principals and their families — remotely, worldwide, under NDA — within our private cybersecurity practice. The number that unlocks everything deserves more than a four-digit PIN and hope.

Lock the Number Before Someone Else Uses It

A Private Strategy Session ($4,999, credited toward membership) includes a full review of your carrier exposure, authentication architecture and digital footprint — conducted remotely, under NDA, with one named contact accountable to you.


Frequently asked

How do criminals perform a SIM swap attack?

Attackers persuade or bribe a mobile carrier employee to transfer your phone number to a SIM card they control, using personal details harvested from data breaches and broker files to pass identity checks. Once the number moves, all calls and SMS codes route to them, letting them reset passwords on email, banking and exchange accounts within minutes.

Why are executives and crypto holders prime SIM swap targets?

Because the payoff justifies the effort. Crypto transfers are irreversible, so a single swap against a known digital-asset holder can yield millions with no recourse. Executives offer a different prize: control of a trusted number enables wire fraud, corporate credential resets and convincing impersonation. Crews buy curated target lists rather than choosing victims at random.

Does a carrier port freeze or Number Lock actually prevent SIM swapping?

It substantially raises the barrier. Features such as Verizon Number Lock, AT&T Wireless Account Lock and T-Mobile SIM Protection block ports and SIM changes until the lock is removed through authenticated channels. It is not absolute — insider abuse remains possible — so it should be combined with removing SMS from account recovery entirely.

What should I do in the first hour of a SIM swap attack?

From another device, call your carrier's fraud line to reverse the port and freeze the account. Then secure your primary email: change the password and revoke every active session. Contact banks and exchanges immediately to freeze withdrawals, document all timestamps, and file a report with the FBI's IC3. Speed in the first hour determines most outcomes.
