The Ultimate SIM Swap Emergency Response Playbook

It is 3:17 p.m. and your phone suddenly shows No Service. Within minutes you see emails about password changes and new logins you do not recognize. Texts that should reach you never arrive. This is what a live SIM swap looks like. 

A criminal convinced a carrier to move your number to their SIM so they can intercept codes, reset passwords, and drain bank and crypto accounts. 

The good news is you can contain the damage if you act fast and follow a checklist that prioritizes your phone number, your primary email, and your money.

The first 60 minutes matter. Attackers race to reset access before you notice. Your job is to cut off their control of your number and freeze places where they can steal funds or pivot deeper into your accounts.

1. Confirm the attack quickly

• Sudden and complete loss of cellular service that is not explained by location or outage
• Unexpected texts or emails from your carrier about a SIM change or number transfer
• New login alerts or password change notices for email, bank, crypto, or social accounts

These are canonical signs of SIM swapping and port out fraud. Treat them as an active incident.

2. Reclaim your number from a safe phone

Use a landline or a trusted friend’s phone. Tell the agent you cannot receive SMS codes because the attacker controls your number. Ask for alternate verification and immediate restoration.

• AT&T Global Fraud Management: 877-844-5584. Ask them to disable the fraudulent SIM, restore service to you, and turn on Wireless Account Lock in the myAT&T app.
• Verizon general line 1-800-922-0204 or dial *611 from a Verizon phone. For port out fraud, 888-844-7095 routes to the Porting team. Ask to disable the fraudulent SIM and enable Number Lock and SIM Protection on your line.
• T-Mobile support 1-800-937-8997 or 611 from T-Mobile. Ask them to block the fraudulent SIM, restore your line, and enable Port Out Protection and SIM Protection on your account.

3. Lock down your money and crypto

Call the fraud numbers on the back of your cards and on the official websites of your bank and exchanges. 

Ask for a full freeze or hold on transactions while you recover your identity. Keep a log of dates, reps, and case numbers.

Your main email is the master key to everything else. Once your number is back, secure email first.

• Change the password to a long, unique passphrase.
• Purge recovery paths you do not recognize and remove the attacker’s phone or email.
• Sign out of all sessions or devices to kick the intruder out.
• Upgrade 2FA away from SMS. Use an authenticator app or a hardware security key.

Important nuance for Google accounts. When you change recovery info, Google may still allow verification codes to go to your previous recovery channel for up to 7 days. 

After regaining access, immediately sign out of all sessions and switch to non SMS 2FA to prevent re entry during this grace period. Save your printable backup codes.

Locked out completely

• Gmail. Start with Account Recovery and follow prompts patiently. Expect time delays if Google flags risk.
• Microsoft. Use the Microsoft account recovery form and the Sign in Helper. When you regain access, review Recent activity and remove unrecognized sessions.‍
• Apple. Start at iforgot and, once back in, review trusted devices, set a Recovery Key or Recovery Contacts for future resilience.

Once your email is clean, move from temporary freezes to full remediation.

Banks and credit cards

• Replace compromised cards and change online banking passwords and PINs.
• Review transactions during the incident window and dispute anything unauthorized.
• For credit cards, federal law requires written disputes within 60 days of the statement date to maximize protections. Certified mail with return receipt is recommended.

Crypto exchanges

Time is ultra critical since blockchain transfers are irreversible.

• Coinbase. Use the Lock your account option, then call +1 888-908-7930 for 24x7 support and open a formal ticket. On recovery, rotate your password, revoke API keys, and move 2FA to an authenticator or security key.
• Binance.US. No phone support. Use in app or website Chat to reach a human and use Disable Account if needed. Reactivation requires verification.‍
• Kraken. Use live chat to lock the account and enable Global Settings Lock which blocks setting changes and withdrawals.

These accounts leak personal facts that help social engineers impersonate you. Remove the attacker’s foothold and prevent follow on scams against your contacts.

• Change passwords, remove unknown phone numbers or emails, revoke suspicious third party apps, and log out other sessions.
• Recovery starting points: Facebook login identify page, Instagram hacked flow, and X compromised account form.

Prevent new accounts from being opened in your name.

• Place a credit freeze at all three bureaus. It is free and stronger than a fraud alert.
  
  • Equifax online or at 888-298-0045
  • Experian online or 888-397-3742
  • TransUnion via their Service Center
    
    
• Pull your credit reports from the only authorized source, AnnualCreditReport.com, and review line by line for unfamiliar accounts, inquiries, or addresses.‍
• Dispute errors in writing and use certified mail with return receipt. Use clear, dated letters and include copies of your Identity Theft Report.

SMS codes are tied to a phone number that can be stolen. Move every critical account to stronger factors.

• Authenticator apps. Time based codes generated on your device are far better than SMS.
• Hardware security keys. FIDO and WebAuthn are phishing resistant and the current gold standard. Use them wherever possible, especially for email, exchanges, and password managers.

Prioritize hardware keys for accounts that protect money and identity.

Your carrier account is the front door to SIM swaps. Add friction.

• Set a strong account PIN or passcode with your carrier and do not reuse birthdates or the last four of your SSN.
  
  
• Enable port out and SIM change protections
  
  
  • Verizon Number Lock and SIM Protection block unauthorized transfers and device changes, configurable in My Verizon.
    
    
  • AT&T Wireless Account Lock disables key changes and number transfers until you toggle it on your device.
    
    
  • T-Mobile Port Out Protection and SIM Protection can be managed in your account or the app.
    
    ‍
• Add a SIM PIN on the device so the SIM cannot be used in another phone without a code. Apple and carriers document how to enable it and change the default PIN.

SIM swaps are not just an inconvenience. They are a sprint in which the attacker leverages your number to defeat SMS 2FA and reset the keys to your accounts. 

If you follow this playbook in order and move authentication away from SMS, you sharply reduce both the damage today and the probability of repeat incidents tomorrow. 

‍

FAQs

What is a SIM swap attack and how does it work?

A SIM swap attack happens when someone tricks your mobile carrier into transferring your phone number to a new SIM card they control. Once they have your number, they can intercept text messages and verification codes, reset your passwords, and gain access to your bank, crypto, and email accounts. It is a form of identity theft that targets your mobile number as the weakest link in your digital security.

What should I do immediately after a SIM swap?

If your phone suddenly loses service and you suspect a SIM swap, use another phone to contact your carrier right away. Tell them you are a victim of SIM swap fraud and request that they block the fraudulent SIM and restore your number. At the same time, freeze your bank and crypto accounts, secure your main email, and start documenting every action you take. Acting fast can limit financial damage.

Can I recover stolen cryptocurrency after a SIM swap?

In most cases, stolen cryptocurrency cannot be recovered because blockchain transactions are irreversible. However, you should immediately contact the exchange’s fraud or security team to freeze your account and stop further withdrawals. Reporting the theft to the FBI’s Internet Crime Complaint Center (IC3) and your local authorities can also help create an official record for insurance or investigative purposes.

How can I prevent SIM swap attacks in the future?

To prevent SIM swap attacks, lock your phone number with your carrier using features such as Number Lock or Port Out Protection. Set a strong account PIN that is not tied to your birthday or SSN, and switch all your important accounts from SMS-based two-factor authentication to authenticator apps or hardware security keys. Reducing personal information on public profiles also makes it harder for attackers to impersonate you.