A SIM swap attack is when a criminal convinces your mobile carrier to move your phone number to a SIM they control. Every SMS 2FA code you were relying on then goes to them. In 2025, SIM swap losses in the US alone were over $200 million (FBI IC3 data). Here is what you can do in 2026.

How the attack works

  1. Attacker gathers personal info about you (data breach, phishing, social engineering).
  2. Attacker calls your carrier claiming to be you with a "lost phone."
  3. Carrier moves your number to attacker's SIM.
  4. Attacker triggers password reset on your email → gets SMS OTP → owns your email.
  5. From email, attacker chain-resets banking, crypto, social accounts.

Where virtual numbers actually help

Not by replacing your main SIM — you still need one. Virtual numbers help in two specific ways:

  • Separate your identity number from your recovery number. Use your real SIM for personal calls, and register services under virtual numbers (or better, no phone at all). If attackers do not know a service is tied to your real number, they cannot swap into it.
  • Reduce the "phone number as identity" attack surface. Every service that lets you drop the phone number and use authenticator-app 2FA + email should be moved. Use SMSVerifyo rentals for the initial verification, then remove the number from the account.

What actually protects you

  1. Move all financial and email accounts to authenticator-app 2FA or passkeys. Never SMS.
  2. Add a carrier PIN/passcode to your account (every US carrier supports this). Ask your carrier.
  3. Use a separate email for banking that no one knows about.
  4. Keep your real SIM number off social media and public directories.

Frequently asked questions

Does a virtual number stop SIM swap?

Not directly — it stops attackers from swapping your real SIM by removing your real number from the attack graph.

Are e-SIMs safer?Marginally. Both real SIMs and eSIMs can be swapped by carriers.

Which accounts should I move off SMS 2FA first?

Primary email → banking → crypto exchanges → password manager → social. In that order.

Related reading

What is an OTP explains why TOTP beats SMS for high-value accounts.