What a SIM swap is
A SIM swap (also called SIM-jacking or SIM porting) is when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once the number is theirs, every SMS-based 2FA code, every password-reset link or code delivered by SMS, and every bank verification call goes to them instead of you. Within minutes they can take over your email, and from there your banking and crypto exchange accounts, because each of those typically falls back to your phone number for account recovery.
Australian victims have lost over $10M annually to SIM-swap-enabled attacks. The targets are usually higher-net-worth individuals or anyone known to hold crypto.
How attackers pull it off
- Social engineering the carrier. Attacker calls Telstra/Optus/Vodafone pretending to be you, claims they lost their phone, and asks for a SIM transfer. They've already gathered enough info about you (date of birth, address, last bill amount) from data breaches and social media to pass the carrier's identity check.
- Insider help. Some attackers pay carrier-shop staff to do the swap directly. This has been a documented attack vector at multiple Australian carrier outlets.
- SS7 protocol attacks. The legacy mobile-network signalling protocol can be exploited to redirect SMS messages without any SIM swap at all, so nothing on your carrier account changes and no warning SMS arrives. Rare but real, and no port-out PIN helps here; only moving your 2FA off SMS does.
The five warning signs
- Your phone suddenly says 'No service' or 'SOS only'. If this happens for more than a few minutes and there's no carrier outage, contact your carrier immediately from another phone.
- You get an SMS from your carrier saying 'your SIM is being changed' or 'a new SIM has been activated'. If you didn't request this, call the carrier from a different phone right now.
- You can't log into your email or bank. Combined with no service, the attack is in progress: the attacker has already used your number to reset those passwords.
- Bank or exchange notifications about transactions you didn't authorise. If these still arrive by SMS, the attacker hasn't taken your number yet but has already got into the account another way, and a SIM swap may be the next step to clear the 2FA on withdrawals.
- Unexpected password-change or new-login confirmations, or new devices and apps appearing on your accounts. The attacker is using SMS recovery to reset everything they can reach.
How to defend before it happens
- Set a port-out PIN with your carrier. Telstra, Optus, and Vodafone all support a 'port-out PIN' or 'account PIN' that must be quoted before any SIM change or port. This is the single most effective defence against the social-engineering route; it does not stop a corrupt insider or an SS7 attack, which is why the next point matters too. Set it today.
- Move 2FA off SMS. Use authenticator apps (Google Authenticator, Authy, 1Password) or hardware keys (YubiKey) for every account that supports them, and then remove your phone number as a recovery option on those accounts; a TOTP code on an account that still allows SMS reset buys you nothing. Check that the authenticator app's own backup or account recovery doesn't fall back to an SMS to the same number. Where an account supports them, hardware keys are the stronger choice because they also resist phishing. Bank, email, exchange — all of them.
- Don't post your phone number online. Treat it like a password. Don't put it in your email signature, don't list it on LinkedIn, don't share it on social media.
- Use a separate, unlisted number for your most sensitive accounts. An attacker can only target a number they know about, so a number you never publish and never use for anything else gives the social engineer nothing to start from, and gives you a second channel that still works if your main number is taken.
If you think it's happening right now
- Get to a working phone (someone else's phone, your work phone, a landline).
- Call your carrier's fraud line and report the active attack. Ask them to lock your account immediately.
- Call your bank and freeze your accounts.
- Call your crypto exchange and ask for a withdrawal lockdown.
- Change all your passwords from a different device, starting with your email account, and sign out every other session on each account as you go so the attacker's existing logins are revoked. Use a password manager.
- Report to AVA and to ScamWatch.