Most account-takeover advice assumes the attacker needs a password, a click, or access to a device. SIM swapping needs none of that. It targets the phone number itself, at the carrier level, which means an employee can do everything right — strong password, careful about links, phone locked in a drawer — and still lose control of the accounts tied to that number. For a small business owner who uses a personal cell for banking alerts, wire approvals, or account recovery, that single number can be worth more to an attacker than any password on file.
How a SIM swap actually happens
The attacker starts with research: a name, date of birth, the last four digits of an account, a previous address, or answers to security questions, often pulled from an old data breach, a data broker site, or a smishing or vishing attempt aimed at the target directly. Armed with enough of that, they call the mobile carrier, or use the carrier's own web self-service portal, and request that the phone number be ported to a new SIM — sometimes with a cooperating or careless support rep, sometimes by passing an identity check that was never that strong to begin with. Once the port completes, the victim's phone goes dead: no signal, no texts, no calls. Every SMS code and phone-based reset link now lands on the attacker's device instead.
Why this is a real risk for a small business
SIM swapping is usually framed as a consumer crypto-wallet problem, but the same mechanics work against ordinary business infrastructure:
- SMS is still the fallback MFA method on banking portals, payroll platforms, and even some business email tenants, and a hijacked number receives those codes exactly as intended.
- Phone-based account recovery is common. "Forgot password, text me a code" is a normal flow on services that never expected the phone number itself to be compromised.
- Owners and executives are the highest-value targets. A hijacked owner's number can approve a wire transfer, reset a banking login, or unlock a domain registrar account — the same targets a business email compromise attack goes after.
- The victim often can't self-diagnose it fast. A dead phone reads as a network glitch or dead battery for the first hour, which is exactly the window an attacker needs.
What actually stops it
SIM swapping has one dependency: the carrier has to be willing to move the number. Make that hard, and separately make the number worthless as an MFA channel, and the attack loses on both fronts.
- A port-out PIN or account lock with your carrier, set on every business and executive phone line, so a port request fails without it. This is the single highest-leverage fix and takes minutes per line.
- Authenticator apps or passkeys instead of SMS for MFA wherever the option exists, so a hijacked number no longer hands over a working second factor.
- Non-phone account recovery on banking, domain registrar, and email admin accounts — a recovery code stored securely, or a second verified email, instead of "text me a code."
- A response plan for sudden signal loss: call the carrier from a different phone immediately and check financial and email accounts for unauthorized password resets, rather than assuming a glitch.
- Limiting what a personal number can reset. Don't tie your domain registrar, banking login, and business email recovery all to the same single phone number if you can avoid it.
Where this fits
- The passkeys post, for removing SMS and even passwords from the accounts that support it.
- The MFA fatigue post, for a different way attackers bypass MFA once they have a foothold.
- The smishing post and vishing post, for how the personal details behind a SIM swap often get collected in the first place.
- The credential stuffing post, for the password-reuse risk that compounds once an attacker also controls a phone number.
- The cybersecurity page, for where identity and account-recovery hardening fits into a full security program.
FAQs about SIM swapping
What's the difference between SIM swapping and phishing?
Phishing tricks someone into handing over a credential; SIM swapping takes over the phone number itself, with no click required from the victim at all. The attacker convinces your mobile carrier — usually through social engineering or a bribed insider — to move your number onto a SIM they control. From that point on, every call and text meant for you goes to them instead, including the SMS codes and password-reset links that businesses still use to verify identity. It's often the second step after a phishing or data-broker lookup supplies the personal details (date of birth, last four of an account, a previous address) needed to pass the carrier's identity check.
Does switching off SMS-based MFA actually stop SIM swapping?
It removes the biggest reason to bother, yes. SIM swapping is valuable to an attacker mainly because it lets them intercept SMS one-time codes and phone-based password resets. If your accounts use an authenticator app or a passkey instead, a hijacked phone number no longer hands over a working second factor, so the attack loses most of its payoff. It doesn't stop the carrier account itself from being taken over, which is still disruptive and worth locking down separately, but it does close the door that makes SIM swapping worth attempting against your business in the first place.
How would I know if my business phone number has been SIM-swapped?
The clearest sign is sudden, total loss of cell service — no bars, no texts, no calls — with no outage on your carrier's end, because your number has just been reassigned to someone else's SIM. A close second is an unexpected "your SIM has been activated on a new device" text or email from your carrier, or password-reset confirmations for accounts you didn't touch. Anyone who owns or manages business accounts tied to a personal or company cell number should treat sudden signal loss as a possible takeover in progress and call the carrier from a different phone immediately, rather than assuming it's a network glitch.
Not sure how much of your MFA still depends on SMS?
30 minutes with a DoD-cleared engineer. We'll review which of your accounts still fall back to text-message codes, lock down carrier port-out settings, and build a passkey or authenticator rollout that removes the phone number as a single point of failure.
Book your free security assessment