Imagine waking up one morning to find your phone has no signal. No calls, no texts, no internet. A few hours later, you discover that someone has drained your bank account, taken over your social media profiles, and changed the passwords on every online service you use. This isn't a movie plot — it's the reality of SIM swapping, a cyberattack method that exploits your SIM card to steal your digital identity. In this guide, we take a deep dive into what it is, how it works, which high-profile cases have made headlines around the world, and — most importantly — how you can effectively protect yourself.
📖 Read more: Public WiFi Dangers: How to Stay Protected
📱 What Is SIM Swapping
SIM swapping — also known as SIM splitting, simjacking, SIM hijacking, or port-out scam — is a form of fraud in which attackers convince a mobile carrier to transfer the victim's phone number to a new SIM card under the attacker's control. This isn't some sophisticated technical hack in the traditional sense — it doesn't require software exploitation or breaching server vulnerabilities. The attack relies primarily on social engineering: the ability to deceive people, specifically the carrier's customer service representatives.
Once the transfer is complete, the victim immediately loses access to the mobile network — calls, texts, mobile data. At the same time, the attacker begins receiving all incoming messages and calls intended for the victim. This includes one-time passwords (OTPs) sent by banks, email providers, social media platforms, and other services as part of two-factor authentication (2FA). With these codes in hand, the attacker can change passwords, transfer funds, access cryptocurrency wallets, or take full control of accounts.
The problem is especially serious in an era where nearly every critical service — from banking to email — uses your mobile number as a means of identity verification. It's no exaggeration to say that in today's digital age, your SIM card represents one of the most critical links in your security chain.
🕵️ How a SIM Swap Attack Is Carried Out
A SIM swap attack doesn't happen spontaneously. It requires careful preparation by the attacker, which can take days or even weeks before the actual strike. The process typically follows a series of steps that resemble detective work more than the stereotypical image of a “hacker.”
Step 1: Gathering personal information. The attacker collects data about the victim — full name, national ID or passport number, date of birth, home address, the last four digits of a bank card, and even answers to “security questions” (mother's maiden name, favorite pet, etc.). Sources for this information vary widely: phishing emails that impersonate banks or companies, data from breaches sold on the dark web, publicly available information on social media, or even phone calls where the attacker poses as a bank employee.
📖 Read more: Post-Quantum Cryptography in Networks
Step 2: Contacting the carrier. The attacker contacts the victim's mobile carrier — by phone, in-store, or online. They pose as the legitimate account holder and request a SIM transfer, claiming their card was “lost” or “broken.” They use the personal details they've collected to pass the carrier's identity verification procedures.
Step 3: Activating the new SIM. If the representative is convinced, the transfer goes through. The victim's SIM is automatically deactivated, and the new SIM — in the attacker's possession — is activated with the victim's number. This switch happens within minutes.
Step 4: Exploitation. The moment the attacker starts receiving calls and texts meant for the victim, they move fast: initiating “forgot password” requests on bank accounts, email, and social media. They receive the OTP codes via SMS, change passwords, transfer money, and empty crypto wallets. Speed is critical here — attackers know they have a limited window before the victim realizes what's happening.
In some cases, the process doesn't even rely on deceiving employees. There have been well-documented cases — particularly in the United States — where telecom employees were bribed or coerced by criminal groups to perform unauthorized SIM transfers. T-Mobile, in particular, has repeatedly been at the center of such scandals, with employees accepting tens or hundreds of dollars per swap.
📊 The Scale of the Problem
SIM swapping is not an isolated phenomenon — it's one of the fastest-growing forms of cybercrime worldwide. The statistics reveal an alarming escalation in both the number of incidents and the financial losses involved.
According to the FBI, 1,611 SIM swap complaints were filed in the United States in 2021, with total losses reaching $68 million. Just one year later, in 2022, that number climbed to 2,026 complaints with losses exceeding $72 million. And these are only the reported cases — actual figures are estimated to be several times higher, as many victims never report the attacks. In the United Kingdom, SIM swap fraud reports surged by over 400% between 2015 and 2020, reflecting a trend that is accelerating across all of Europe.
📖 Read more: WiFi Security: How to Protect Your Network
What makes these numbers even more striking is that they primarily represent English-speaking countries with relatively well-developed reporting systems. Across the rest of Europe, including Greece, fraudulent SIM swaps do occur but rarely make headlines or appear in official statistics. The true scale of the problem is almost certainly larger than the data suggests. Another worrying detail: these attacks don't just target the wealthy or famous. Anyone with a bank account, an email address, and a phone number is a potential victim — especially if they rely on SMS as their sole method of 2FA.
💰 Notable SIM Swap Cases
Some of the most high-profile SIM swapping cases make it clear that no one is safe — not even top figures in the tech industry.
In August 2019, Jack Dorsey, then CEO of Twitter, fell victim to a SIM swap. The attackers managed to post offensive and racist messages on his personal Twitter account — the very account followed by millions of users. The irony was obvious: the CEO of the platform couldn't protect his own account from a relatively straightforward form of attack. The incident forced Twitter to overhaul its security policies and brought the dangers of relying on SMS-based authentication into the public spotlight.
The most costly case, however, involved Michael Terpin. The American cryptocurrency investor lost $23.8 million in cryptocurrency through a SIM swap in 2018. Terpin sued AT&T for $224 million, alleging that the company had shown “gross negligence” in protecting his account. The case exposed alarming weaknesses in the internal security procedures of major telecom carriers — and became a landmark reference point for dozens of similar lawsuits that followed.
Equally revealing was the T-Mobile case in the US, which showed that company employees were being bribed or pressured by criminal groups to carry out unauthorized SIM transfers. In some instances, employees accepted $100–$300 per swap — a trivial sum compared to the millions being stolen. This highlighted a fundamental problem: the security of the entire ecosystem depends on the integrity of people working in call centers with low wages and minimal oversight. Similar cases of employee bribery have been documented at other major carriers, revealing a systemic issue across the industry.
📖 Read more: Telecom Phishing: How to Spot and Avoid Scams
🛡️ How to Protect Yourself
The good news is that there are specific, effective measures you can take to drastically reduce your risk of falling victim to a SIM swap. No single measure offers 100% protection on its own, but combining them creates a strong security net.
SIM Swapping Protection Guide
- Use authenticator apps instead of SMS: Install Google Authenticator, Microsoft Authenticator, or Authy for 2FA. The codes are generated locally on your device — they never travel over SMS and can't be intercepted through a SIM swap.
- Set a PIN/passcode on your carrier account: Contact your carrier and request an additional PIN or security passcode that must be provided for any SIM change or number transfer.
- Enable SIM Lock/PIN on your device: The SIM PIN is the four-digit code required when your phone starts up. If someone inserts your SIM into a different device, they'll need this code to use it.
- Use hardware security keys: For your most critical accounts (email, banking, crypto), a YubiKey or similar hardware key provides the highest level of security — physically immune to SIM swap attacks.
- Watch for signal loss: If you suddenly lose mobile signal for no apparent reason, act immediately. Call your carrier from a different phone and check whether a SIM replacement was processed.
- Enable fraud alerts: Many carriers offer notifications (via email or SMS to a secondary number) whenever a SIM change or number transfer request is made.
- Limit your personal information online: Every piece of information you share publicly can be used against you. Date of birth, address, phone number, mother's maiden name — all of these are tools in a scammer's arsenal.
- Consider switching to eSIM: An eSIM is embedded in your device and cannot be physically removed. Transferring an eSIM profile requires stricter verification procedures, making the attacker's job significantly harder.
- Don't use your phone as your only recovery method: If an account only allows recovery via SMS, add an email address or alternative recovery options.
- Review your accounts regularly: Check recent activity on your bank accounts, email, and social media. Unexplained password changes or unfamiliar login sessions could be signs of an attack in progress.
If you suspect you've already been targeted by a SIM swap, speed is everything. Immediately call your carrier from a different phone, request your number be suspended, and notify your bank, email provider, and any critical accounts right away. Every second counts.
🇬🇷 SIM Swapping in Greece
In Greece, SIM swapping hasn't yet reached the levels seen in the US or the UK, but that doesn't mean we're safe. Greek carriers — Cosmote, Vodafone, and Wind — have implemented measures that make such attacks more difficult, though not impossible.
SIM replacements in Greece typically require an in-person visit to a store with a valid ID or passport — a significant advantage over countries where replacements can be done over the phone. However, this doesn't eliminate every scenario: forged documents, third-party authorizations, or even careless employees can still create security gaps.
The ADAE (Hellenic Authority for Communication Security and Privacy) oversees telecommunications privacy in Greece, while the EETT (Hellenic Telecommunications and Post Commission) regulates the industry. At the European level, the eIDAS regulation and the PSD2 directive encourage the use of stronger authentication methods, gradually reducing reliance on SMS for banking transactions. Greek banks are increasingly shifting to push notifications through banking apps instead of SMS OTPs — a positive development for security.
📖 Read more: 5G Smartphones 2026: Best Phones to Buy
On a practical level, if you're a customer of a Greek carrier, it's worth calling customer service and asking specifically: “What measures are in place to prevent unauthorized SIM replacements?” Explicitly request that an additional PIN or note be added to your account, specifying that no SIM replacement should be allowed without your physical presence. Cosmote, Vodafone, and Wind all offer apps (My Cosmote, My Vodafone, My Wind) where you can monitor your account and check for suspicious changes.
One more important point: in Greece, SIM cards can only be sold with identity verification — you can't purchase an anonymous SIM card like in some other countries. This makes life harder for attackers in theory, but it's not complete protection, since the attack targets the transfer of an existing number, not the creation of a new one.
🔮 The Future: eSIM & Biometrics
The best long-term answer to SIM swapping isn't just better policies — it's technological evolution that renders the entire attack method obsolete. Two technologies are at the forefront of this transformation: eSIM and biometric authentication.
eSIM (embedded SIM) eliminates the physical SIM card — it's a chip built into the device that can be programmed digitally but cannot be removed or cloned in the same way. Transferring an eSIM profile requires stricter digital verification, and the entire process leaves much clearer digital footprints. As eSIM adoption surges — virtually all modern smartphones already support it — the classic SIM swap method is becoming progressively more difficult to pull off.
At the same time, major telecom carriers worldwide are turning to biometric authentication for critical account actions: voice recognition, facial recognition, and even behavioral biometrics that detect whether a request is likely coming from the actual account holder. Multi-factor authentication is also being strengthened with multi-step verification — for example, a request at a store, confirmation through an app, and a cooling-off period before the new SIM is activated.
As of February 2026, we're in a transitional period. The technology exists to virtually eliminate SIM swapping, but full adoption requires time, investment, and a shift in habits from both carriers and consumers. Until then, awareness and personal vigilance remain the first line of defense. Simply knowing that the threat exists — and exactly how it works — is already half the battle.