Your phone number is the master key to most of your accounts. Forget your password? SMS reset. Suspicious login? SMS confirmation. New device? SMS code. Platforms have centralized their account recovery around one identifier — and attackers know it. The FBI’s Internet Crime Complaint Center recorded over 1,600 SIM swap complaints in 2023 alone, with losses exceeding $48 million that year (FBI IC3, 2023). SIM swapping targeting crypto and financial accounts drives losses exceeding $150 million annually (CoinLaw, 2026).
The attack works precisely because platforms trust the carrier relationship. And that trust can be forged.
TL;DR: SIM swap attacks redirect your phone number to an attacker’s SIM, giving them access to every account tied to SMS verification. Annual losses exceed $150M (CoinLaw, 2026). Using a virtual number for account verification means your personal SIM has no tie to your accounts — so swapping it does nothing.
What Is a SIM Swap Attack?
SIM swapping is identity fraud where an attacker convinces your mobile carrier to transfer your phone number to a SIM they control — no hacking required. The FBI recorded over 1,600 SIM swap complaints in 2023, with losses exceeding $48 million that year alone (FBI IC3, 2023). It takes one phone call and a handful of personal details scraped from a data breach.
Once the transfer completes, your real SIM goes dark — no calls, no texts. The attacker receives everything your number was meant to receive, including every OTP and account recovery code. Social engineering is the core technique. An attacker calls your carrier’s customer support, claims to be you, provides enough personal information to pass identity checks, and requests the swap. Carrier agents — under pressure to resolve calls quickly — approve more of these requests than they should.
Once the attacker holds your number, the sequence moves fast. Password resets sent to your “phone” go to them. SMS-based 2FA codes go to them. Account recovery links go to them. A determined attacker can compromise a Gmail account, drain a crypto exchange, and lock you out of linked financial services in under an hour.
The counterintuitive implication: the more accounts you protect with SMS-based 2FA, the more valuable your phone number becomes as an attack target. Adding SMS 2FA to more accounts doesn’t uniformly reduce risk — it concentrates it on a single point of failure at the carrier level.
How Common Is SIM Swapping — and Who Gets Targeted?
SIM swap attacks used to target celebrities and high-net-worth individuals. That’s changed. According to the FBI IC3, complaints about SIM swapping grew from 320 cases in 2018 to over 1,600 in 2023 — a 400% increase in five years (FBI IC3, 2023). The monetary losses per incident have also climbed, driven by crypto account takeovers.
Crypto holders are the primary target because the payoff is immediate and irreversible. SIM-swap attacks targeting crypto exchange accounts account for 19% of major exchange compromises, with losses exceeding $150M annually (CoinLaw, 2026). A successful swap against a Binance or Coinbase account can drain holdings in minutes. Unlike credit card fraud, there’s no chargeback mechanism.
But high-value crypto isn’t the only target. Regular email accounts, social media profiles, and online banking are all on the list. The T-Mobile data breach in 2021 exposed data on 76 million US customers — information that directly fueled SIM swap attempts in the months that followed (Wired, 2021). Personal details from breaches — name, date of birth, account PIN — are exactly what carrier agents ask for during a SIM transfer request.
Who is most at risk?
Anyone whose phone number is publicly associated with high-value accounts faces elevated risk. This includes people who:
- Publicly discuss crypto holdings on social media
- Use the same phone number for banking, email, and social accounts
- Have their phone number exposed in data breach databases
- Have previously been targeted by phishing or account takeover attempts
The common factor is visibility. Attackers research targets before calling carriers. A public LinkedIn profile with a phone number, a crypto forum account tied to the same email as your exchange account, or a password reuse pattern surfaced through a breach dump all create attack surface.
Why SMS-Based 2FA Doesn’t Fully Protect You
Two-factor authentication makes accounts significantly harder to compromise — but SMS-based 2FA has one structural flaw that SIM swapping exploits directly. NIST deprecated SMS OTP as a high-assurance second factor in 2017, noting that the delivery channel itself is vulnerable to interception and redirection (NIST SP 800-63B, 2017). The second factor isn’t controlled by you. It’s controlled by your carrier.
When a platform sends a verification code to your phone number, it’s trusting that the number reaches you. The carrier is the intermediary that determines whether the delivery goes to your SIM or someone else’s. That carrier relationship can be manipulated through a phone call. An authenticator app or hardware key cannot be redirected this way — your carrier has no visibility into those systems at all.
NIST’s guidance has been adopted as a benchmark by enterprise security teams, though consumer platforms still default to SMS because it’s universally accessible. The security gap between the two approaches is real and documented.
SMS 2FA isn’t useless. Against opportunistic attackers, it’s a meaningful barrier. Against a targeted SIM swap campaign, it’s the vulnerability being exploited. The distinction matters if you hold significant assets tied to accounts protected only by SMS 2FA.
How Do Virtual Numbers Reduce SIM Swap Risk?
A virtual number breaks the link between your personal SIM and your accounts — and 19% of major crypto exchange compromises trace directly to SIM swapping (CoinLaw, 2026). The mechanism is simpler than most people expect: the platform’s database stores the virtual number, not your personal one, so swapping your SIM reaches nothing.
We’ve observed across SMSCode order data that the most common security-motivated use case — beyond privacy — is separating financial account verification from personal phone numbers. Users registering Binance, Coinbase, and Wise accounts consistently cite SIM swap risk as a primary reason for using a virtual number rather than privacy alone.
When you verify an account with a virtual number, the phone number stored in that platform’s database belongs to the virtual number infrastructure, not your personal SIM. An attacker who researches you, identifies your real mobile number, and successfully swaps your SIM gains control of your carrier-issued number — but that number isn’t tied to your accounts. There’s nothing to recover via SMS on your personal phone because your personal phone was never used.
The virtual number itself exists in software infrastructure. There’s no carrier agent to social-engineer. No retail store that can issue a replacement SIM on request. The number isn’t tied to your personal identity in the way a carrier-issued number is. It’s a verification endpoint, not an identity anchor.
This doesn’t eliminate all risk from a SIM swap attack — your real phone number is still an attack surface for accounts that genuinely need it. But for accounts where you had a choice about which number to use, using a virtual number means the SIM swap accomplishes nothing for those accounts.
What’s the Best Security Setup? Authenticator + Virtual Number
The most robust account security approach combines two independent layers: a virtual number for initial verification and an authenticator app for ongoing 2FA. NIST’s Digital Identity Guidelines have recommended phishing-resistant authenticators over SMS OTP since 2017 (NIST SP 800-63B, 2017), and the combination eliminates both the data-collection risk and the SIM swap attack surface simultaneously.
Why the combination works
A virtual number handles the SMS verification step that most platforms require at account creation. This keeps your personal SIM out of the platform’s database entirely. Once the account exists and initial verification is complete, you switch 2FA to an authenticator app — Google Authenticator, Authy, or a hardware key like a YubiKey.
The authenticator app generates codes on-device using a cryptographic secret. It has no carrier dependency. No SIM swap, no carrier agent call, and no ported number can intercept those codes. The private key never leaves your device.
NIST’s 2023 guidance update continues to recommend phishing-resistant authenticators (FIDO2 passkeys and hardware tokens) over SMS OTP for high-security accounts (NIST SP 800-63B, 2023). Passkeys — now supported across Apple, Google, and Microsoft ecosystems — go further by eliminating shared secrets entirely.
Platform-by-platform approach
Crypto exchanges. Use a virtual number for the mandatory phone verification step during KYC. Immediately switch to an authenticator app for 2FA before making any deposits or trades. Most exchanges — Binance, Coinbase, Kraken — actively encourage authenticator migration over SMS 2FA precisely because they’re aware of SIM swap risk. See the Binance verification guide for the exact steps.
Financial platforms. Wise and similar regulated fintech apps require ongoing SMS access — they send verification codes on every new device login. For these, use a virtual number that you can maintain persistent access to, and enable any available authenticator option as a primary layer. See the Wise virtual number guide for how ongoing SMS requirements work in practice.
Social media and apps. Twitter/X, Instagram, LinkedIn, and similar platforms accept authenticator apps for 2FA. Verify with a virtual number at signup to keep your personal number off their systems, then immediately switch to an authenticator. If you lose access to the virtual number later, it doesn’t matter — SMS is no longer your 2FA method.
Email accounts. Gmail, Outlook, and Yahoo all support authenticator-based 2FA. These are high-value targets because email is the recovery path for most other accounts. Verify with a virtual number, switch to an authenticator, and remove SMS recovery if the platform allows it.
Are Carriers Solving the SIM Swap Problem?
Carriers have faced significant regulatory pressure to reduce SIM swap fraud. The FCC issued new SIM swap rules in late 2023, requiring carriers to notify customers before authorizing a number transfer and to implement additional authentication steps (FCC, 2023). The response has been uneven, but the direction is positive. Rules took effect for major US carriers in mid-2024, with similar requirements rolling out in the UK under Ofcom guidelines.
AT&T, T-Mobile, and Verizon have each implemented additional verification layers for SIM swap requests, including requiring a PIN or passcode set specifically for account changes. Some carriers now require in-store verification with government ID for any SIM transfer — removing the phone call vector entirely for that request type.
These improvements help. They don’t eliminate the problem. Social engineering techniques adapt to new friction. Insider threats — carrier employees who can bypass standard procedures — remain a documented attack vector. The FTC reported in 2024 that despite improved carrier controls, SIM swap complaints continued at elevated levels compared to pre-2020 rates (FTC Consumer Sentinel, 2024). Regulatory action reduces the attack surface; it doesn’t close it.
The practical implication: don’t rely on carrier security improvements as a substitute for structural separation between your personal SIM and your account verification. The rules help — they’re not a guarantee.
SIM Swap Protection: Platform-Specific Advice
Different platforms carry different SIM swap risk levels and offer different mitigation options. Crypto and email accounts are the highest-value targets — SIM-swap attacks account for 19% of major exchange compromises (CoinLaw, 2026) — while social media accounts carry lower financial risk but real reputational consequences.
Crypto exchanges
This is where SIM swap risk is highest and where the protection layer matters most. The financial stakes are immediate and irreversible once a withdrawal clears. Always use a virtual number for the phone verification step and switch to an authenticator app before funding the account. Hardware security keys (FIDO2) offer the strongest protection available on platforms that support them — Coinbase and Binance both support hardware keys as a 2FA method.
Email accounts
Email is the highest-value target after crypto. Recovery access to your email account often means recovery access to everything else. If your email sends a password reset link via SMS and someone has your number via a swap, they own your digital life. Secure email with an authenticator app and remove SMS as a fallback recovery method wherever the provider allows.
Banking and fintech
Banks have additional fraud protections compared to crypto — FDIC insurance, chargeback processes, and fraud teams that can reverse unauthorized transactions. But SIM swap attacks against bank accounts are still common and disruptive. Where your bank supports it, use an authenticator or in-app push authentication rather than SMS codes. If a bank account requires a phone number for creation, using a virtual number keeps your personal SIM off their database.
Social media
Direct financial risk is lower for social accounts, but account takeover via SIM swap has real consequences — extortion, impersonation, loss of follower relationships, and reputational damage. High-profile social accounts are sometimes targeted specifically because they have visible value. Binance verification and Wise verification cover the financial platforms in depth; the same virtual number approach applies to social platforms at signup.
Common Misconceptions About SIM Swap Protection
Several widely held beliefs about SIM swap risk are wrong in ways that lead people to underinvest in protection. The FTC reported in 2024 that SIM swap complaints remained at elevated levels even after carrier PIN requirements were introduced (FTC Consumer Sentinel, 2024) — which tells you something about how well the intuitive defenses actually work.
“A strong password prevents SIM swaps.” Passwords aren’t involved in SIM swap attacks at all. The attack targets the carrier relationship, not your account credentials. A 30-character random password doesn’t protect your account if the 2FA SMS goes to an attacker’s SIM.
“My carrier’s PIN protects me.” Carrier PINs add friction. They don’t prevent social engineering against poorly trained agents, and they don’t protect against insider threats. The PIN is one verification step that attackers have adapted to overcome.
“I’d notice immediately if my SIM was swapped.” You might — your phone goes dark when the number ports. But attackers time their calls for late nights and weekends when you’re less likely to respond quickly. By the time you notice and contact your carrier, hours may have passed.
“VoIP numbers on free sites protect against SIM swapping.” Free public SMS services aren’t a security tool. They’re shared numbers visible to thousands of simultaneous users. Your OTP is public. This is the opposite of protection — see the non-VoIP vs VoIP guide for why provider choice matters.
FAQ
What is a SIM swap attack?
A SIM swap attack occurs when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. This gives them access to all SMS messages sent to your number, including 2FA codes and account recovery links. The FBI recorded 1,600+ SIM swap complaints in 2023 with losses exceeding $48M (FBI IC3, 2023). Attacks primarily target crypto and financial accounts where payoffs are immediate.
Does using a virtual number prevent SIM swapping?
A virtual number prevents SIM swapping from affecting accounts where that virtual number was used for verification. An attacker who swaps your personal SIM gains control of your carrier-issued number — but if your accounts were verified with a virtual number, there’s nothing to intercept. Your personal SIM swap gives them access to nothing tied to those accounts. It doesn’t protect accounts where your real SIM number was already registered. For those, switch to an authenticator app and remove SMS recovery where possible.
Which is safer — SMS 2FA or an authenticator app?
Authenticator apps are significantly safer than SMS 2FA for ongoing account protection. SMS codes can be intercepted via SIM swap, SS7 protocol vulnerabilities, or SIM cloning. Authenticator codes are generated on-device using a cryptographic secret that never travels over a network. NIST guidelines have classified SMS OTP as a lower-assurance authentication method since 2017 and recommend phishing-resistant authenticators — including FIDO2 passkeys — as the stronger alternative (NIST SP 800-63B, 2023). Use SMS for initial verification; use authenticators for ongoing 2FA.
Can attackers SIM swap a virtual number?
No — not through the conventional social engineering method. A virtual number sits in software infrastructure with no carrier retail presence. There’s no carrier agent to call, no store to visit, and no account transfer process that maps to the SIM swap model. The attack vector that works on carrier-issued numbers doesn’t apply to properly managed virtual number infrastructure. This is one of the reasons a virtual number used purely for verification doesn’t create SIM swap exposure the way a personal SIM does.
What should I do if I think my SIM has been swapped?
Contact your carrier immediately — call from a different phone or visit a store in person if your SIM has gone dark. Ask them to reverse the unauthorized transfer and place a port freeze on your account. Then prioritize regaining access to email (the recovery path for most other accounts) and notify your bank and crypto exchange of potential unauthorized access. Change passwords for critical accounts from a device that was not connected to the compromised number. Enable authenticator-based 2FA on every account where it’s available, and remove SMS as a fallback recovery method.
SIM swapping is a structural problem with SMS-based verification, not a flaw you can fix by choosing a better password. The most reliable protection combines two steps: use a virtual number for account verification so your personal SIM isn’t stored in platform databases, and replace SMS 2FA with an authenticator app for ongoing login protection. Neither step requires technical expertise — they’re configuration choices that take minutes and eliminate the carrier-dependency that SIM swap attacks rely on.
Browse the virtual number catalog to find numbers by platform and country, check current pricing, or create an account — no subscription required. For deeper reading, the non-VoIP vs VoIP guide explains how number types differ, and the complete guide to virtual numbers covers how the infrastructure actually works.