Stop SIM Swapping in 2026: Lock Your Number Before Someone Steals It
A SIM swap hands an attacker your phone number, and every SMS code tied to it. These carrier locks and account changes stop it cold.
A SIM swap is one of the cheapest, highest-impact attacks a criminal can run against you. The attacker convinces your mobile carrier to move your phone number onto a SIM they control, using social engineering, a leaked PIN, or a bribed store employee. The moment they succeed, every SMS verification code, password-reset link, and authentication call meant for you goes to them instead. Bank accounts, email, and crypto wallets have all been drained this way. The good news: a few carrier settings make a successful swap dramatically harder, and most take under ten minutes.
Quick answer
Lock your number at the carrier and get critical accounts off SMS codes. Enable your carrier's account lock and a dedicated port-out PIN: Verizon's Number Lock and SIM Protection, AT&T's Wireless Account Lock, or T-Mobile's Account Takeover Protection plus a separate port-out PIN. Then move your email, bank, and crypto logins from SMS two-factor to an authenticator app or a hardware security key, so a hijacked number no longer unlocks them. If your phone suddenly loses all signal with no outage, treat it as a swap in progress and call your carrier from another phone immediately.
Key takeaways
- A port-out PIN or account lock with your carrier is the single most effective defense, it blocks number transfers and SIM changes unless your secret is provided.
- All three major US carriers offer these controls: Verizon's Number Lock / SIM Protection, AT&T's Wireless Account Lock, and T-Mobile's Account Takeover Protection plus a port-out PIN.
- Move your accounts off SMS codes to an authenticator app or hardware security key, so a hijacked number no longer unlocks your logins.
- FCC rules in force in 2026 require carriers to authenticate you before SIM changes, offer an account lock, and notify you immediately of any port-out or SIM swap request.
- If your phone suddenly loses all signal for no reason, treat it as a possible swap in progress and call your carrier from another phone immediately.
How a SIM swap actually works
The attacker first gathers enough personal data, name, address, date of birth, the last four of a card, maybe a leaked account PIN, usually from prior breaches or phishing. Then they contact your carrier (or walk into a store) posing as you, claiming a lost or upgraded phone, and request that your number be activated on a new SIM or ported to another carrier. If the carrier's identity checks are weak or the rep is careless, the swap goes through. Your phone goes dark, and theirs starts receiving your calls and texts within minutes.
Because so many services still treat "controls the phone number" as proof of identity, that single transfer can cascade into full account takeover.
Each major US carrier names its protections differently. Here is what to turn on and where:
| Carrier | Feature to enable | What it blocks | Where to set it |
|---|---|---|---|
| Verizon | Number Lock + SIM Protection | Number ports and SIM changes | My Verizon app or account settings |
| AT&T | Wireless Account Lock | SIM changes, ports, key account changes | myAT&T app or account profile |
| T-Mobile | Account Takeover Protection + port-out PIN | Unauthorized ports and SIM swaps | T-Mobile app or account settings |
| Any carrier | Strong, unique account PIN | Casual social-engineering attempts | Account security settings |
Set the account PIN to something long and random, stored in your password manager, never a birthday or the last four of your SSN.
Lock your number at the carrier
This is the part attackers cannot easily talk their way around. Set a dedicated transfer PIN and enable the account lock for your carrier:
- Verizon, Enable Number Lock and SIM Protection in the My Verizon app or account settings. These block both ports and SIM changes until you turn them off.
- AT&T, Turn on Wireless Account Lock, which prevents SIM changes, ports, and certain account changes without your approval.
- T-Mobile, Enable Account Takeover Protection and set a separate port-out PIN, distinct from your voicemail or device PIN.
- Any carrier, Set a strong, unique account PIN or passcode (not a birthday or address), and store it in your password manager rather than your memory.
Tip
Make your carrier PIN long, random, and unrelated to anything in a data breach. Reusing the last four of your SSN or a birth year defeats the purpose, because that is exactly the data attackers already have.
Get SMS off your critical accounts
A locked number is your first wall; removing the number's power is the second. SMS-based two-factor authentication is the weakest common form precisely because it can be redirected by a swap. Replace it:
- Authenticator apps (the TOTP codes in apps like Aegis, Google Authenticator, or your password manager) generate codes on your device itself, so a hijacked number is worthless against them.
- Hardware security keys and passkeys are stronger still and resist phishing entirely. Our walkthroughs on setting up passkeys and phishing-resistant MFA with security keys cover the setup.
Prioritize the accounts an attacker would target first: email (because it controls password resets everywhere else), banking, and any crypto exchange or wallet. A swap is often just the opening move in a broader account takeover, so hardening these logins limits the damage even if the number is briefly stolen.
Spot a swap in progress
Carriers must now notify you when a SIM or port request is made, do not ignore those messages. The clearest sign of a live attack is sudden, total loss of cellular service when there is no outage and you are in a normal coverage area. If that happens:
- Use Wi-Fi or another phone to call your carrier's fraud line right away.
- Ask them to freeze any pending SIM or port request and verify your account lock is intact.
- Change passwords on your email and financial accounts from a trusted device.
- Watch for password-reset emails you did not request, which signal the attacker is already moving.
What the 2026 rules changed
The defenses are stronger now partly because regulators forced carriers to do more. FCC rules in force in 2026 require US carriers to authenticate you before processing a SIM change or port-out, to offer an account lock you can enable, and to notify you immediately whenever a SIM or port request is made on your account. That last requirement is the one most worth internalizing: a notification you did not expect is your earliest possible warning of an attack, often arriving before your phone even loses signal. Do not dismiss those texts or emails as routine account noise. If you get one and you did not initiate anything, contact your carrier's fraud line at once and confirm your account lock is still in place. The rules raised the floor, but they only help if you have actually turned on the lock and you act on the alerts.
What to do right now
Close the door in under ten minutes:
- Enable your carrier's named account lock: Verizon Number Lock and SIM Protection, AT&T Wireless Account Lock, or T-Mobile Account Takeover Protection.
- Set a dedicated port-out or transfer PIN that is separate from your voicemail and device PIN.
- Replace your account PIN with something long and random, stored in your password manager.
- Move email, banking, and crypto logins from SMS codes to an authenticator app or a hardware security key.
- Save your carrier's fraud-line number now, so you can reach it fast from another phone if your service suddenly drops.
Frequently asked questions
Is a port-out PIN the same as my voicemail PIN?
No, and that confusion is dangerous. A port-out / transfer PIN is a separate secret specifically for authorizing number transfers and SIM changes. Set it explicitly; do not assume your voicemail or device unlock PIN covers it.
I use an authenticator app already. Do I still need carrier locks?
Yes. Authenticator apps protect accounts that support them, but plenty of services still fall back to SMS, and your phone number itself can be used to reset some accounts. The carrier lock protects the number as an asset regardless.
Can a SIM swap defeat MFA entirely?
It defeats SMS-based MFA, because the codes follow the number to the attacker's SIM. App-based TOTP and hardware keys stay on your physical device and are not affected by a swap, which is exactly why you should move to them.
What if my carrier rep won't set up a lock?
The FCC requires carriers to offer an account lock and to authenticate you before SIM changes. If a rep is unhelpful, ask specifically for the fraud or account-security team and reference the carrier's named feature (Number Lock, Wireless Account Lock, Account Takeover Protection).
The bottom line
SIM swapping works because a phone number is treated as identity and because carrier defenses are off by default. Turn them on: set a dedicated port-out PIN, enable your carrier's account lock, and move your important accounts from SMS codes to an authenticator app or security key. Ten minutes today closes the door attackers walk through most often.
