A SIM-swap attack feels like a mugging you don’t see coming. Your phone goes to “No Service,” then your email, bank, or crypto apps start sending login alerts you didn’t request.
In 2026, the fastest way to stop sim swap risk isn’t buying another security app. It’s tightening a few carrier settings that block number transfers, slow down SIM and eSIM changes, and alert you the moment someone tries.
SIM swap vs. port-out fraud (and why carriers are the choke point)
A SIM swap happens when a criminal convinces your carrier to move your number to a SIM or eSIM they control. A port-out attack is similar, but the number gets transferred to a different carrier. Either way, the goal is the same: intercept calls and texts long enough to reset passwords and break into accounts that still rely on SMS.
Carriers have improved defenses, but support agents can still be pressured, rushed, or tricked. Your job is to set rules on the account that a rep can’t casually override.
For background on how these scams work and why they’re still common, Verizon’s plain-language overview is worth a skim: what a SIM swapping scam is.
The three carrier controls that matter in 2026
Most “carrier security” advice is vague. These are the controls that consistently reduce real-world SIM-swap and port-out risk.
1) A real account passcode, not “last 4 of SSN”
Carriers still use passcodes as a gate for support actions. If yours is weak, it becomes a shared secret that can be guessed, found in breaches, or socially engineered.
Use a unique 6 to 12-digit passcode (or a strong passphrase if your carrier allows it). Don’t reuse banking PINs.
2) A Number Transfer PIN (port-out PIN) that you generate only when needed
In 2026, the safest default is: never keep a transfer PIN sitting around. Generate it only when you are actually switching carriers.
This matters because many carriers require a fresh “Number Transfer PIN” (or similar) to move your number out. Without it, a criminal can have your account info and still fail to port your number.
3) Number locks and SIM/eSIM change protections
These features vary by carrier, but they all aim to block high-risk changes unless you approve them.
Think of it like putting a deadbolt on your phone number. Your usual door lock is your password. The deadbolt is the carrier lock.
T-Mobile’s guidance on account takeovers and fraud features is updated often and useful if you’re on that network: protect your T-Mobile account from fraud.
2026 carrier comparison: port-out PINs and locks (US examples)
Feature names and menus change, but these are the current, commonly used paths and terms.
| Carrier | Port-out PIN name | Where to get the PIN (app, web, or dial) | Lock / protection feature | Where to enable | Notes and limits |
|---|---|---|---|---|---|
| AT&T | Number Transfer PIN (6 digits) | Dial *PORT (*7678) from your AT&T line, or myAT&T: Profile > People & Permissions > Wireless > Transfer phone number > Request a new PIN | Extra security (passcode required for changes) | myAT&T: Account settings > Manage profile > Security > Extra security | Transfer PIN expires in about 4 days (longer for some business accounts) |
| Verizon | Number Transfer PIN (6 digits) | My Verizon app or website: Number Transfer PIN page > Generate PIN, or dial #PORT (#7678) | Number Lock | My Verizon: Number Transfer PIN page > Enable Number Lock | Transfer PIN commonly expires in 7 days, keep Number Lock on when not switching |
| T-Mobile | Temporary Port Out PIN (Transfer PIN) | T-Life app or T-Mobile.com: Profile > Line settings > Request Transfer PIN (or Create PIN) | Port Out Protection, SIM Protection | T-Life: Line settings > Port Out Protection, and Security > SIM Protection | You may need to turn off Port Out Protection to port, turn it back on after |
| US Cellular | Transfer PIN (varies) | Typically via customer service or in-store | Account/line restrictions (varies) | Often requires support | Ask for the strongest available “port-out block” and SIM/eSIM change verification |
| Visible (Verizon network) | Port-out controls (varies) | Use Visible Help Center guidance | Unauthorized port-out and SIM swap protections | Follows Visible account processes | Start with Visible’s official steps: Visible security protections |
If your carrier offers both a transfer PIN and a lock, use both. The transfer PIN is the key, the lock is the door.
The 10-minute checklist to reduce SIM-swap risk today
Set a timer and do this once, then review it every few months (and after any carrier outage or account change).
- Change your carrier account passcode to something unique and non-personal.
- Remove unknown account managers and review line permissions (family plans and small-business plans get targeted because there are more “helpers” to trick).
- Turn on port-out protection (Number Lock, Port Out Protection, or the closest equivalent).
- Enable SIM/eSIM change protection if your carrier has it (often called SIM Protection or extra verification).
- Turn on security alerts for account logins, SIM changes, eSIM activations, and number transfer requests.
- Update your carrier contact email to an address you control and actively monitor.
- Stop using SMS for 2FA on your most important accounts (email, banking, payment apps, crypto exchanges, password manager).
- Save recovery codes for critical accounts in a password manager or offline, not in your photo gallery.
A good rule: if losing your number for one hour would cost you money, it deserves these settings.
High-risk hardening checklist (crypto, founders, public-facing roles)
If you’re more likely to be targeted, treat your phone number like a badge, not an identity.
- Move key accounts to passkeys or security keys (hardware keys are hard to phish and don’t depend on your phone number).
- Use an authenticator app, not SMS, for 2FA on everything that supports it.
- Lock down your primary email: strong password, authenticator or security key, and reviewed recovery options.
- Separate roles: keep your banking and exchange logins on an email address you don’t use publicly.
- Ask your carrier about in-store only changes for SIM and eSIM swaps (some accounts can be flagged for stricter verification).
- Audit any shared plan access quarterly, and remove old employees, partners, and “temporary” admins.
Replace SMS 2FA, or the carrier work won’t be enough
Carrier locks reduce the chance of takeover, but they don’t fix the bigger problem: too many services still treat your phone number as proof of identity.
Priorities that pay off fast:
- Email first: If someone gets your email, they can reset almost everything. Secure it before you worry about smaller accounts.
- Banking and payments next: Switch to authenticator-based codes or app approvals when possible.
- Crypto exchanges and wallets: Avoid SMS entirely. Use a security key where supported and store backup codes offline.
If a service won’t let you remove SMS recovery, consider changing the email to one dedicated to high-value accounts, then tighten recovery options there.
What to do if your phone suddenly loses service
Speed matters. The first few minutes are when criminals try password resets.
- Call your carrier from another phone (or use chat from a known-good device) and say: “Possible SIM swap, freeze changes, restore my number.”
- Lock your email account: change password, revoke sessions, check forwarding rules.
- Reset passwords for financial and crypto apps, starting with the ones tied to your phone number.
- Contact your bank or exchange to place a temporary hold if you see suspicious activity.
If you can’t log into email, use your pre-saved recovery codes or account recovery flow right away.
Conclusion
SIM-swap attacks don’t win because they’re technical, they win because they’re fast and messy. The best defense is setting carrier rules that slow changes down, then removing SMS as a single point of failure. Spend 10 minutes on port-out PIN controls, number locks, and alerts, then harden your email and 2FA choices. Once these are in place, stop sim swap risk drops from “one bad call to support” to “several barriers an attacker has to break.”
