Can Your Phone Number Be Stolen? What a SIM-Swap Attack Taught Me About Digital Security
- Apr 17
Phillip Shoemaker is a digital identity and cybersecurity expert, former Director of App Store Review at Apple, and founder of identity.com & PersonaShield. He is the author of Unbreakable, soon to be published by John Wiley & Sons.
One visit to a carrier store, or one call to its support line. That is all it takes to hand a stranger the keys to your bank accounts, your email, and your entire digital identity. Here is what happened when it happened to me, and the five steps that could have stopped it.

I was eating breakfast at a juice bar in the Dominican Republic when my digital life began to collapse. My iPhone lost its signal. Not low bars. Not a dead zone. Just gone. I assumed it was a network glitch. We were in Cabarete, a small town on the north coast, where the infrastructure is unpredictable. I set the phone down and went back to eating.
That was a mistake. When I got back to our rental house and connected to WiFi, the phone came alive in my hand. Thirty messages arrived at once. Then more. Password reset codes from Chase. Verification numbers from Coinbase. Login alerts from Gmail. Apple ID warnings. A cascade of notifications from every account that mattered to me, all arriving simultaneously, all saying the same thing in different words: someone was trying to take everything.
Someone had stolen my phone number, and while I was eating breakfast they were using it to take the rest. Your phone number was never designed to be a security credential. It was built for rotary phones. We turned it into the skeleton key to modern identity.
What is a SIM-swap attack?
A SIM-swap is not a sophisticated cyberattack in the Hollywood sense. There is no zero-day exploit, no custom malware, no hoodie-wearing genius cracking encryption in a dark room. What happened to me is far simpler and far more terrifying.
Someone walked into an AT&T store in Birmingham, Alabama. They claimed to be me. They said they had lost their phone and needed a new SIM card. The employee complied. Within minutes, my phone number had been transferred to a device the attacker controlled. That was it. That was the entire attack.
From that moment, every text message sent to my number went to them. Every two-factor authentication code. Every password reset link. Every account recovery message. The security layer that dozens of my accounts depended on had flipped. The system designed to verify my identity was now verifying theirs.
Why does a SIM-swap work so easily?
The reason this attack works so reliably is that we built the modern internet on top of a technology that was never designed for what we asked it to do. Phone numbers were created in the era of landlines and operators. They were identifiers, not authenticators. They had no security architecture, no verification layer, and no assumption that someone might steal one to impersonate you. Moving a number to a replacement SIM or to another carrier is a routine customer-service function, so an attacker who requests it is not breaking anything. They are using a feature, in someone else's name.
Then came the apps, the platforms, the banks. All of them needed an easy way to verify users. Phone numbers were universal. Everyone had one. Sending a text code was cheap and simple. So, across a decade of product decisions made in the name of convenience, the phone number quietly became the backbone of digital identity. Not because it was secure. Because it was easy.
The attackers noticed. Corporate convenience created the attack surface, and they simply stepped into it. According to the FBI's Internet Crime Report, cybercrime losses reached $16.6 billion in 2024, up from $12.5 billion the year before. SIM-swapping earns its share of that because it requires no technical skill and costs the attacker almost nothing beyond a plausible story.
What happens to your accounts after a SIM-swap?
Here is what most people do not understand about SIM-swaps until it happens to them: you are not attacked account by account. You are attacked as a system.
The attacker does not need to guess your passwords. They do not need to phish you, trick you, or even know much about you. Once they control your phone number, they simply follow the cascade: reset the email, use the email to reset the bank, use the bank access to drain the funds, use the social accounts to spread phishing to everyone who trusts you. It works because almost every recovery flow accepts any one registered option, and the phone number is registered nearly everywhere, so each account they capture becomes the recovery option for the next. The whole sequence can run in under an hour.
This is the architecture of modern digital identity, and it has a single point of failure. Not a technical flaw. Not a software vulnerability. A human one. The customer service representative at the carrier who, for one reason or another, handed my number to a stranger in Birmingham who claimed to be me.
The infrastructure of trust that we rely on every day without thinking about it runs through human beings who are susceptible to social pressure, persuasion, and sometimes a modest financial incentive. That is the weakest link and it is hiding in plain sight.
I will be honest about something that makes my story unusual: I got lucky. Not in spite of my background, but because of it. My wife still had her phone, so she could call AT&T immediately to report the hijacking. Because I had spent years running the App Store at Apple, I had the personal phone numbers of the CEOs and security leads at Coinbase, Gemini, and BitGo. I could text them directly, from my device on WiFi, and warn them in real time that someone was trying to access my accounts.
None of that is normal. Most people cannot text the CEO of their crypto exchange from a rental house in the Caribbean. Most people would spend hours on hold with customer service while the clock ran out.
Even with all of that, I still had to board a plane the next morning and fly from the Dominican Republic to Miami, the closest city with my mobile carrier store, just to physically reclaim my own phone number. Even then, the hardest account to recover was not my bank, not my crypto, not even Apple. It was Gmail.
Gmail is the nervous system of modern digital identity. Once someone starts the account recovery process, it takes weeks to unwind, even with contacts inside the company. The only reason I got it back at all is that a friend saw what was happening on Facebook and personally connected me to a security lead at Google, someone who could vouch that I was who I claimed to be. If it was this hard for me, with every advantage a person could have, what happens to everyone else?
How can you protect your phone number right now?
These attacks are preventable. Most people do not know the specific steps that stop them. Here are five you can take today.
1. Call your carrier and request a port freeze and SIM lock
Two different locks matter here, and the names differ by carrier. A port freeze (port-out lock) stops your number from being moved to another carrier. A SIM lock (SIM change protection) stops the number from being moved to a new SIM card at your own carrier, which is the variant described above. Ask for both. With them in place, your number cannot be transferred without you physically appearing in a store with ID or entering a separate PIN to turn the lock off first. AT&T, Verizon, and T-Mobile all offer both. Most people do not know they exist. It takes five minutes and stops the most common attack method cold.
2. Stop using SMS for two-factor authentication
Text-message codes are the most widely used and least secure form of two-factor authentication: they travel over the phone network, so whoever holds your number receives them. Replace them with an authenticator app like Google Authenticator or Authy for any account that matters; the code is computed on your device from a secret that never touches the carrier. Then remove the phone number as a backup method, because an account that still lists it will fall back to SMS the moment someone asks. For your most critical accounts, a hardware security key is even stronger: it also cannot be phished, since it only answers the genuine site.
3. Set a separate PIN for your carrier account
This is different from your account password. A carrier PIN (some carriers call it an account passcode) is required before a representative will make changes to your number or account, in-store or over the phone. If yours does not have one, set it today, and do not reuse your date of birth, the last four digits of your Social Security number, or a PIN you use elsewhere, since those are exactly the details an impersonator is likely to have.
4. Treat your real phone number as confidential
Use services like Google Voice or MySudo to create secondary numbers for app signups, online shopping, and anything public-facing. Give your actual carrier number to as few people and services as possible. The less it circulates, the smaller the target. Two caveats: some banks and other services refuse to send codes to VoIP numbers, and a secondary number is only as safe as the account that owns it, so a Google Voice number inherits whatever protection (or lack of it) your Google account has.
5. Audit what depends on your phone number
Log in to your most important accounts and check what method they use to recover access, including the "recovery phone" and "backup phone" fields that sit apart from the two-factor settings. For every account that sends codes or reset links to your phone number, you are one successful SIM-swap away from losing it. Change those to authenticator apps or email, then remove the number rather than leaving it as an extra option, because recovery flows usually accept any option on the list. Start with the email account, since most other accounts reset through it, and make sure the email itself is protected by something other than a phone number.
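To make the audit concrete, here is a small model of the cascade described earlier in this article, written as an added example for this page rather than anything the author ships. It treats each account as recoverable by any one of its registered factors and computes what an attacker ends up holding once they control a single factor. The account names, factor names, and both inventories are constructed for illustration; substitute your own after you have done the audit.

```python
"""Blast-radius model for account recovery factors (constructed example).

Each account lists the factors that can recover it. Recovery flows normally
accept ANY ONE registered factor, so an attacker who controls any listed
factor controls the account, and a captured account then counts as a factor
for everything that trusts it. That is the cascade a SIM-swap sets off.
"""

# Constructed inventory BEFORE the audit: the phone number is a recovery
# option almost everywhere, and the email account itself resets by SMS.
INVENTORY_BEFORE = {
    "email":            {"phone_number"},
    "bank":             {"phone_number", "email"},
    "exchange":         {"phone_number", "email"},
    "apple_id":         {"phone_number", "email"},
    "social":           {"email"},
    "password_manager": {"hardware_key"},
}

# Constructed inventory AFTER the audit: the phone number has been removed as
# a recovery option everywhere it could be. The bank still only offers SMS,
# which is the kind of residual exposure the audit is meant to surface.
INVENTORY_AFTER = {
    "email":            {"hardware_key"},
    "bank":             {"phone_number", "authenticator_app"},
    "exchange":         {"authenticator_app", "email"},
    "apple_id":         {"hardware_key", "email"},
    "social":           {"email"},
    "password_manager": {"hardware_key"},
}


def blast_radius(inventory, compromised):
    """Everything the attacker controls after starting with `compromised`.

    Iterates to a fixed point: an account falls as soon as any one of its
    factors is already owned, and then becomes a factor for other accounts.
    """
    owned = set(compromised)
    changed = True
    while changed:
        changed = False
        for account, factors in inventory.items():
            if account not in owned and factors & owned:
                owned.add(account)
                changed = True
    return owned


def exposed_by(inventory, factor):
    """Accounts that fall, directly or through the cascade, if `factor` is stolen."""
    return blast_radius(inventory, {factor}) - {factor}


def directly_trusting(inventory, factor):
    """The audit list: accounts that name `factor` as a recovery option."""
    return {acct for acct, factors in inventory.items() if factor in factors}


def ranked_single_points(inventory):
    """Every factor and account, ranked by how much falls with it."""
    names = set(inventory).union(*inventory.values())
    return sorted(((len(exposed_by(inventory, n)), n) for n in names), reverse=True)


if __name__ == "__main__":
    for label, inv in (("before", INVENTORY_BEFORE), ("after", INVENTORY_AFTER)):
        print(f"[{label}] accounts that list the phone number: "
              f"{sorted(directly_trusting(inv, 'phone_number'))}")
        print(f"[{label}] lost if the phone number is swapped: "
              f"{sorted(exposed_by(inv, 'phone_number'))}")
        print(f"[{label}] biggest single point of failure: "
              f"{ranked_single_points(inv)[0]}")
```

Before the audit, a swapped phone number takes five of the six accounts, including the social account that never listed the number at all, because it falls through the email. After the audit, only the bank remains exposed, and the ranking's new top entry is the hardware key. That shift is the point: the key can only be taken by physically possessing it, not by persuading a store employee, which is also why you register a second key as a backup before making it the hub.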
Start protecting your digital identity today
The SIM-swap was not the real attack. It was a symptom. The real vulnerability is structural: we built an entire layer of digital security on top of a system designed for something else, optimized it for convenience rather than protection, and then handed the keys to every carrier representative who might, on a bad day, believe the wrong person.
Most people will not experience a SIM-swap. But most people have not taken the five steps above, either. The gap between "this won't happen to me" and "I just lost everything" is smaller than most of us want to believe, and it is measured in a single visit or phone call to a carrier store.
Your phone number is not just a way to reach you. It is a key to your entire digital life. Start treating it like one.
For a complete guide to protecting your digital identity, including step-by-step instructions on securing every layer of your online life, pick up a copy of Unbreakable: How to Protect Yourself in a World Built to Breach You, forthcoming from Wiley.
Phillip B. Shoemaker, CEO & Security Consultant
Phillip Shoemaker spent years as Apple's original Director of App Store Review before co-founding identity.com, a decentralized identity company, and founding PersonaShield.com, a likeness authentication and monitoring service. He has been a victim of SIM-swap attacks, impersonation, and stalking and lived to write about it. His book Unbreakable: The Definitive Guide to Securing Your Digital Life in the Age of Deepfakes, Hacks and AI Fraud, soon to be published by John Wiley & Sons, teaches everyday people, executives, and families how to protect themselves in a world where AI-powered fraud is accelerating. His mission: make you a harder target.