A SIM-swap scam can drain your bank account in minutes by hijacking your phone number — a free carrier “port-out PIN” shuts the door

One morning in early 2023, a cryptocurrency investor in the Washington, D.C., area watched their phone signal vanish. Within minutes, a criminal ring had convinced the victim’s wireless carrier to transfer the phone number to a fresh SIM card, intercepted two-factor authentication codes, and emptied a Bitcoin wallet. That theft was part of a broader spree detailed in a civil forfeiture complaint filed by the U.S. Attorney’s Office for the District of Columbia, which traced more than $5 million in stolen Bitcoin to SIM-swap attacks carried out between October 2022 and March 2023.

The scheme is not new, but it remains one of the fastest-moving fraud types targeting American consumers. The FBI’s Internet Crime Complaint Center logged 1,075 SIM-swap complaints in 2023 alone, with reported losses totaling $48.8 million, according to the bureau’s 2023 Internet Crime Report. As of June 2026, every major U.S. carrier offers a free tool that can stop most of these attacks cold: a port-out PIN. The problem is that most people have never heard of it.

How a SIM swap works

The attack begins with reconnaissance. The scammer gathers personal details about the target, often harvested from data breaches, social-media profiles, or dark-web marketplaces. A name, address, date of birth, and the last four digits of a Social Security number are usually enough to pass a carrier’s identity check over the phone or in a retail store.

Armed with that information, the attacker contacts the victim’s wireless provider and requests that the phone number be moved to a new SIM card. If the carrier representative is persuaded (or, in some cases, bribed), the victim’s phone loses service almost immediately. Every incoming call, text message, and SMS-based one-time passcode now routes to the attacker’s device. The Federal Trade Commission warns that attackers who gain this access can reset passwords on email, banking, and investment accounts in rapid succession, intercepting the verification codes financial institutions send via text.

The insider-threat angle is not hypothetical. A 2022 FBI IC3 public service announcement specifically warned that carrier employees had been recruited or bribed to process fraudulent swaps from inside stores, bypassing phone-based social engineering entirely. The DOJ’s forfeiture case shows how quickly the damage compounds: over roughly five months, the ring targeted multiple victims, hijacked numbers to bypass authentication on cryptocurrency platforms, and moved millions of dollars in Bitcoin before law enforcement intervened.

What carriers and regulators have done

For years, protection against SIM swaps was almost entirely opt-in. Consumers who knew about the risk could set a port-out PIN (sometimes called a number-transfer PIN or account PIN) to block unauthorized transfers. Most people never did.

That changed in November 2024, when updated Federal Communications Commission rules took effect under an order adopted in late 2023 (FCC 23-95, amending 47 CFR Part 64). The regulations require wireless carriers to authenticate a customer’s identity through secure methods before processing any SIM change or port-out request. Providers must also send customers a prompt notification whenever a SIM swap or port-out is initiated on their account, giving victims a narrow but critical window to intervene.

The free port-out PIN still exists on every major carrier, and setting one remains the single most effective step a consumer can take. The difference now is that carriers face regulatory obligations beyond simply offering the tool.

Still, gaps persist. No federal agency has published data on how many wireless subscribers have actually activated a port-out PIN. No independent audit has confirmed how consistently carriers enforce the new authentication requirements at the point of sale. And it remains unclear whether carriers that require a PIN at account creation see measurably fewer successful swaps than those that treat it as an optional add-on. The FCC rules set a floor; enforcement and compliance are still catching up.

How to lock down your number right now

Setting a port-out PIN takes less than five minutes on any of the three largest U.S. carriers. Here is what the process looks like on each:

• T-Mobile: Log into your account through the T-Mobile app or website, navigate to your profile settings, and look for “Account PIN.” You can create or change a six-digit PIN that the carrier will require before processing any port-out or SIM change. T-Mobile also lets you add a second layer called “Account Takeover Protection” in the same menu.
• AT&T: Sign in at att.com or through the myAT&T app, go to your profile, then “Sign-in info,” and set or update your passcode. AT&T offers an “extra security” toggle that forces the passcode for any account changes made in-store or by phone, not just port-outs.
• Verizon: Open the My Verizon app or log in online, go to “Account,” then “Account PIN,” and set a four-digit PIN. Verizon requires this PIN for device changes and number transfers. You can also enable “Number Lock” in the app, which freezes your number in place until you manually unlock it.

If you use a smaller carrier or mobile virtual network operator (MVNO) such as Mint Mobile, Cricket, Boost Mobile, or Google Fi, check your account settings or call customer service directly. Most MVNOs that operate on T-Mobile’s or Verizon’s networks support port-out PINs, but the setup process varies.

Beyond the PIN, security experts and the FTC recommend several additional layers of protection:

• Switch to app-based authentication. Authenticator apps like Google Authenticator, Microsoft Authenticator, or Authy generate codes locally on your device. Unlike SMS codes, they cannot be intercepted through a SIM swap. Wherever a service offers the option, replace SMS-based two-factor authentication with an app-based alternative.
• Consider hardware security keys. Physical keys such as YubiKey provide the strongest widely available form of two-factor authentication and are immune to remote interception. They are especially worth the investment for high-value accounts like email, banking, and cryptocurrency platforms.
• Watch for sudden signal loss. An unexplained drop to “No Service” or “SOS only” when you have not changed your device or plan is the most common early warning sign of a SIM swap. If it happens, contact your carrier immediately from another phone.
• Freeze your credit. A credit freeze at Equifax, Experian, and TransUnion prevents attackers from opening new accounts in your name, even if they have harvested your personal data. Freezes are free and can be lifted temporarily when you need to apply for credit.

One question that comes up frequently: does switching to an eSIM-only phone eliminate the risk? Not entirely. While eSIMs remove the physical card that a thief could insert into another handset, the port-out vulnerability still exists at the carrier level. An attacker who convinces a carrier to transfer your number can redirect it regardless of whether your phone uses a physical SIM or an eSIM. The port-out PIN protects against both scenarios.

What to do if you have already been hit

Speed is everything. If you suspect a SIM swap has occurred, act in this order:

1. Call your carrier’s fraud department from a different phone or landline. Ask them to reverse the SIM change and lock your account against further modifications.
2. Change passwords on your email, banking, and financial accounts immediately. Start with the email address tied to your password resets, because that is the account an attacker will use to cascade into everything else.
3. Contact your bank and brokerage. Alert them to potential unauthorized access so they can flag or freeze transactions before funds move out.
4. File a complaint with the FTC at reportfraud.ftc.gov and with the FBI’s IC3 at ic3.gov. These reports feed federal databases that help investigators connect individual cases to larger rings.
5. Place a fraud alert or credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion). A fraud alert requires creditors to verify your identity before opening new accounts; a freeze blocks new credit inquiries entirely.

The FTC also maintains a Spanish-language consumer portal at consumidor.ftc.gov with step-by-step identity-theft recovery guidance.

Why a five-minute fix still is not reaching enough people

The FCC’s 2024 rules and free carrier PINs represent genuine progress, but the gap between what is available and what consumers actually use remains wide. The people most vulnerable to SIM-swap fraud are overwhelmingly those who have never encountered the term “port-out PIN” before reading an article like this one.

Several pieces of the puzzle are still missing from the public record. No carrier has disclosed how quickly a fraudulent SIM swap typically leads to the first unauthorized transaction on a victim’s account. Academic researchers at Princeton University documented in a 2020 study that attackers could move within minutes of a successful swap, but carrier-side data that could confirm current response times has not been released. It is also unknown whether carriers are flagging coordinated bursts of swap requests, the kind a criminal ring would generate, in real time, or whether investigators typically reconstruct the trail only after victims report losses.

What the public record does confirm is straightforward: SIM-swap fraud has already enabled multimillion-dollar heists, the tools to block it are free and available today, and setting a port-out PIN takes less time than it took you to read this section. If you have not done it yet, close this article and open your carrier’s app. Your phone number protects more than your calls.