Chapter 16: It's Your Phone Number And It's Putting Everything at Risk
Robert Ross, a former Apple engineer and Silicon Valley angel investor, was sitting at his desk in San Francisco on an ordinary Friday afternoon in October 2018 when something small and strange happened. His iPhone stopped working. The screen still glowed, the apps still loaded, the Wi-Fi still connected. The cellular signal, the bars in the top corner of his screen, simply vanished. "No Service." He assumed a tower was down or a software glitch needed a restart. He set the phone aside.
Then a notification appeared. A withdrawal request from one of his financial accounts. He had not made a withdrawal. He picked up the phone again, tried to call his bank, and realized he had no ability to place a call. No ability to send a text. No ability to receive the security codes his bank needed to verify his identity. In the next twenty minutes, someone on the other side of the country drained $500,000 from his Coinbase account and $500,000 from his Gemini account. One million dollars. Gone. His daughters' college fund. Ninety percent of his net worth. Wiped clean in the time most people spend scrolling through morning emails.
Rob Ross did not get hacked through some sophisticated zero-day exploit or cutting-edge malware. No one broke into his home. No one stole his laptop. A criminal simply called his wireless carrier, pretended to be him, and asked customer service to transfer his phone number to a different SIM card. That was the entire attack. A phone call. A convincing lie. And then every account protected by a text message verification code became an open door.
This crime has a name. SIM swapping. And the phone number you carry around in your pocket, the one tied to your bank, your email, your retirement accounts, your social media, your health insurance portal, and your tax filings, is the single most dangerous piece of personal information in your digital life.
What SIM Swapping Looks Like From the Inside
Your wireless carrier assigns your phone number to a tiny chip inside your phone called a SIM card. When you make a call, send a text, or receive a verification code from your bank, the carrier's network routes everything to the device holding your SIM. SIM swapping works because carriers allow customer service representatives to reassign your number to a new SIM card, and criminals have figured out exactly how to make that happen without your knowledge or permission.
The attack comes in two flavors. In a traditional SIM swap, the criminal contacts your carrier directly, either by phone or by walking into a retail store with a fake ID, and claims to be you. The story is always some version of the same thing: lost phone, damaged phone, need a new SIM. The representative runs through a few security questions, the criminal answers them using information purchased from data brokers or harvested from social media, and the swap goes through. Your phone dies. Their phone lights up with your number.
The second version is called port-out fraud. Instead of staying on the same carrier, the criminal opens an account with a different wireless provider and requests that your number be "ported," or transferred, to the new account. The federal government actually mandates that carriers allow number porting so consumers have the freedom to switch providers. Criminals turned that consumer protection into a weapon.
Both versions follow the same playbook once the number moves. The criminal opens your email app, clicks "Forgot Password," and requests a verification code sent by text. The code arrives on their phone. They reset your email password. From your email, they do the same thing to your bank. To your investment accounts. To your cryptocurrency exchange. To anything and everything connected to that phone number. A Princeton University study in 2020 tested five major carriers and found that attackers succeeded on 80 percent of first attempts, because carriers relied on security questions whose answers were easy to find online or purchase from data brokers.
The entire attack, from the first call to your carrier to the last dollar leaving your account, takes less than an hour. For Rob Ross, the financial devastation took twenty minutes.
The People Inside the Phone Companies Who Help Make This Happen
The scariest part of SIM swapping is not the criminals calling from the outside. The scariest part is the employees helping from the inside.
The FBI identified insider corruption as one of the three primary methods criminals use to pull off SIM swaps. Criminal networks recruit carrier employees through Telegram, offering anywhere from $300 to $5,000 per swap. In 2024, T-Mobile and Verizon employees across the country received unsolicited text messages from unknown numbers offering cash for help executing swaps. One message, obtained during an investigation, read simply: "I got your number from the T-Mo employee directory. I'm looking to pay someone up to $300 per sim swap done."
One criminal wrote a software script to search Twitter for posts from people who mentioned working at cell phone carriers. He would then send direct messages offering bribes. He later estimated that about ten percent of the employees he contacted agreed to participate. He bragged to an interviewer that at one point in time, he had a person at every major carrier on his payroll.
Jonathan Katz, a 42-year-old store manager at a wireless carrier in New Jersey, used his manager-level system access to execute SIM swaps for $1,000 each plus a cut of the profits. He pleaded guilty in 2024 to five counts of computer fraud. In Manhattan, District Attorney Alvin Bragg brought charges against a ring that included AT&T and T-Mobile retail workers who used their access to steal $435,000 from victims between October 2021 and July 2022. In the case of a gang called "The Community," three carrier insiders were charged, including a Verizon employee who earned a total of $3,500 in bribes and two AT&T contractors in Tucson. Those contractors became the first telecom employees in American history to face federal charges for participating in SIM swap fraud.
Think about what this means for a moment. The people you trust to manage your wireless account, the people sitting behind the counter at the store where you bought your phone, are being actively recruited to sell out your identity. The carrier is not the wall protecting you. In many cases, the carrier is the unlocked door.
How a Phone Number Became the Key to Your Entire Life
Here is the question worth sitting with: How did a ten-digit phone number become the master key to everything you own?
In the mid-2000s, companies needed a way to add a second layer of security beyond passwords. Passwords alone were failing. People reused them across accounts, chose weak ones, and fell for phishing emails. The solution the industry landed on was sending a text message with a one-time code to your phone. Type in the code, prove you have the phone, get into your account. SMS two-factor authentication was born.
The approach spread everywhere because sending a text requires nothing special. No app to download. No device to buy. No technical knowledge. Every phone sold in the last two decades receives text messages. Banks adopted SMS verification. Email providers adopted SMS verification. Social media platforms, cryptocurrency exchanges, government portals, healthcare logins, retirement account dashboards, tax filing services. All of them. The phone number became the default proof of identity across the entire American digital economy.
Today, 56 percent of organizations worldwide support SMS-based verification codes. Among people who have turned on two-factor authentication, 41 percent rely on text messages as their verification method. Coinbase, one of the largest cryptocurrency exchanges in the world, revealed in late 2022 that 95 percent of all account takeovers on its platform involved customers who relied on SMS-based authentication.
The deeper problem goes beyond authentication. Phone numbers also serve as the default account recovery mechanism for most services. Even when someone switches to a more secure authentication method like an app-based code generator, most platforms keep SMS as a backup option in case you lose access to your primary method. That backup option creates a permanent vulnerability. A criminal who takes over your phone number bypasses every other security measure you have in place.
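The way one SMS fallback undoes stronger protections elsewhere can be checked against a list of your own accounts. The Python code below is an added example, not part of the original chapter; the account names and reset paths are a constructed, hypothetical inventory. It follows reset paths transitively to show which accounts become reachable when the phone number is the only thing lost.

```python
"""Added example: which accounts are exposed if only the phone number is lost?"""
from dataclasses import dataclass, field

PHONE = "phone-number"  # the asset a SIM swap or port-out transfers away


@dataclass
class Account:
    name: str
    # Each reset path lists the assets that together suffice to reset this
    # account's credentials. Any single complete path is enough.
    reset_paths: list = field(default_factory=list)


def exposed_accounts(accounts, compromised=(PHONE,)):
    """Return {account name: reset path used} for every account reachable
    from the initially compromised assets, following resets transitively."""
    held = set(compromised)
    fallen = {}
    changed = True
    while changed:  # repeat until no further account becomes reachable
        changed = False
        for acct in accounts:
            if acct.name in fallen:
                continue
            for path in acct.reset_paths:
                if set(path) <= held:
                    fallen[acct.name] = tuple(path)
                    held.add(acct.name)  # a reset account unlocks later paths
                    changed = True
                    break
    return fallen


# Constructed sample inventory (hypothetical accounts and settings).
SAMPLE = [
    Account("bank", [["email"]]),                   # reset link sent by email
    Account("email", [[PHONE]]),                    # reset code sent by SMS
    Account("exchange", [["authenticator-app"],     # app codes for login,
                         ["email", PHONE]]),        # SMS + email kept as backup
    Account("brokerage", [["hardware-key"]]),       # no SMS or email fallback
    Account("retirement", [["email", "hardware-key"]]),  # both required
]

# Same inventory after one change: email recovery moved off SMS.
HARDENED = [
    Account("email", [["hardware-key"]]) if a.name == "email" else a
    for a in SAMPLE
]

if __name__ == "__main__":
    for label, inventory in (("before", SAMPLE), ("after", HARDENED)):
        result = exposed_accounts(inventory)
        print(label, "->", result if result else "nothing exposed")
```

In this constructed inventory, the exchange account is exposed despite its authenticator app because of its SMS backup, and moving only the email account off SMS removes every exposure.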
The National Institute of Standards and Technology, the federal agency responsible for cybersecurity guidelines, first warned the country about this problem in July 2016. A draft of their authentication standards called SMS verification "deprecated" and said future versions of the guidelines would no longer allow its use. The final version, published in 2017, softened the language slightly and labeled SMS a "restricted authenticator." The industry's response, by and large, was to keep doing exactly what they were doing. Nine years later, in 2026, SMS text message verification remains the dominant authentication method across the American financial system.
The FCC Finally Stepped In. The Carriers Pushed Back.
On November 15, 2023, all five FCC commissioners voted unanimously to adopt new rules specifically targeting SIM swap and port-out fraud. The order required carriers to verify a customer's identity through secure authentication before processing any SIM change or number transfer. Carriers had to notify customers immediately when a change was requested. Every carrier had to offer free account locks allowing customers to freeze their numbers against unauthorized transfers. Carriers had to train employees on fraud detection and retain records of SIM change requests and fraud incidents for three years.
These rules made sense. They addressed a real problem. And the wireless industry immediately began pushing to delay them.
The original compliance deadline was July 2024. Industry groups petitioned for more time. The FCC pushed the deadline back, tying full compliance to a federal paperwork review process. As of March 2026, the exact final compliance date remains unconfirmed in publicly available federal records. The rules exist on paper. Whether every carrier has fully adopted them remains an open question.
The FCC has also imposed serious financial penalties on carriers for security failures. T-Mobile agreed to pay $31.5 million in September 2024 to settle investigations into data breaches in 2021, 2022, and 2023. The 2021 breach alone exposed the personal information of approximately 76 million customers. The 2022 breach involved an illegal SIM swap of a T-Mobile employee's account that gave hackers access to internal company systems. TracFone, a Verizon subsidiary, paid $16 million in July 2024 for vulnerabilities that allowed unauthorized port-outs. AT&T paid $13 million for a vendor cloud breach. The Second Circuit Court of Appeals in September 2025 upheld a $46.9 million FCC penalty against Verizon for failing to protect customer information, a ruling with direct implications for carrier responsibility in SIM swap cases.
These fines are a start. For companies generating tens of billions in annual revenue, they are also a cost of doing business. The real question is whether the new rules will actually prevent your phone number from being stolen the next time a criminal calls customer service with your name and your Social Security number.
The Losses Are Staggering and the Stories Are Devastating
The FBI's Internet Crime Complaint Center has tracked SIM swapping as a distinct category since 2018. The numbers paint a grim picture. From 2018 through 2020, the center received about 320 complaints totaling roughly $12 million in losses. In 2021, complaints surged to over 1,600 with losses reaching $68 million. The 2022 peak brought more than 2,000 complaints and $72.7 million in reported losses. Recent years show a decline in reported complaints, with about 980 in 2024 and $26 million in losses.
Those numbers, as bad as they are, dramatically understate the real damage. The FBI itself has found, through other investigations, that only about 20 percent of cybercrime victims report the crime to law enforcement. Many SIM swap victims report the resulting bank fraud or identity theft to their financial institution rather than to the FBI. The true scope of the problem is almost certainly multiples of what the official statistics show.
The scale of individual attacks keeps growing. On November 11, 2022, the same day the cryptocurrency exchange FTX filed for bankruptcy, a 26-year-old from suburban Chicago allegedly orchestrated the largest SIM swap theft in history. Robert Powell, operating under the online name "ElSwapo1," directed a 23-year-old co-conspirator named Emily Hernandez to fly to Texas, walk into a wireless store with a fake ID bearing her photograph and an FTX employee's personal information, and execute a SIM swap. Over $400 million in Bitcoin disappeared from FTX within hours. Blockchain investigators traced portions of the stolen funds through mixing services where they were combined with money from criminal organizations linked to Russia. Hernandez pleaded guilty to wire fraud. She had been paid $2,500 for her role in a $400 million theft.
In May 2025, federal prosecutors unsealed a RICO conspiracy indictment, the same organized crime statute originally written for the mafia, against Malone Lam and 12 co-defendants for stealing over $263 million in cryptocurrency. In a single August 2024 attack, the group stole more than 4,100 Bitcoin from one victim in Washington, D.C. The stolen money funded nightclub tabs as high as $500,000 in a single evening, a fleet of 28 exotic cars with price tags between $100,000 and $3.8 million, and cash mailed inside Squishmallows stuffed animals. Nine defendants had pleaded guilty by early 2026.
In January 2024, a man named Eric Council Jr. used a portable ID card printer to create a fraudulent driver's license, SIM-swapped an employee associated with the Securities and Exchange Commission, and used the hijacked number to post a false announcement on the SEC's official social media account claiming that Bitcoin exchange-traded funds had been approved. Bitcoin's price spiked over $1,000 within minutes before crashing more than $2,000 when the SEC issued a retraction. The real ETF approval happened the very next day. Investigators found Google searches on Council's laptop including "how can I know for sure if I am being investigated by the FBI." He received 14 months in prison.
The Data Brokers Who Make the Crime Possible
Every SIM swap starts with information. The criminal needs your full name, your date of birth, your Social Security number, your address, your carrier account PIN, and your answers to security questions. Where does all of that come from? Largely from the data broker industry covered earlier in this book.
Approximately 2,400 data brokers operate in the United States, and they collect an average of 1,000 data points on each person with an online presence. They sell names, addresses, phone numbers with carrier identification, dates of birth, Social Security numbers, known family members, email addresses, and answers to the exact security questions carriers use to verify identity. Everything a SIM swapper needs arrives in a single purchase.
Security journalist Brian Krebs documented a cybercriminal who ran a Telegram bot selling access to a data broker's records for $8 to $40 per lookup. The criminal averaged 100 lookups per day through Telegram and 400 per day through direct system access. Most of his customers came from SIM swapping forums. The National Public Data breach in April 2024 exposed up to 2.9 billion records containing names, addresses, phone numbers, dates of birth, and Social Security numbers. The company shut down entirely by December 2024 under the weight of lawsuits.
This is the connection that does not get talked about enough. SIM swapping is not a standalone crime. The data broker industry, operating legally and selling your personal details for pennies, provides the raw material that makes every SIM swap possible. When your information sits in a database that anyone with a credit card or a cryptocurrency wallet can access, the question is not whether someone will try to steal your phone number. The question is when.
California's DELETE Request and Opt-Out Platform, called DROP, launched on January 1, 2026. The platform gives California residents a single place to request removal from all registered data brokers in the state. If you live in California, go to the DROP platform today and submit your request. If you live anywhere else, search for each major data broker individually and submit removal requests directly. Every piece of personal information you remove from these databases makes a SIM swap harder to execute.
What You Need to Do Right Now to Protect Yourself
Every major wireless carrier in America now offers free tools to lock your phone number in place. Not one of these tools comes turned on by default. You have to activate them yourself, and doing so takes about five minutes.
If you use T-Mobile, open the T-Life app or log in to T-Mobile.com. Turn on SIM Protection, which blocks unauthorized SIM swaps on your line. Then turn on Port Out Protection under Services, which prevents your number from being transferred to another carrier. Then set a 6 to 15 digit account PIN through the app, the website, or by calling 611. That PIN will be required for all account changes.
If you use AT&T, open the myAT&T app and activate the Wireless Account Lock. AT&T launched this feature in July 2025, and the lock blocks 12 different types of account changes including SIM swaps, eSIM swaps, and number porting. Even AT&T employees cannot override this lock while the feature is active. Also update your passcode, because the default is the last four digits of your Social Security number.
If you use Verizon, open the My Verizon app and turn on both Number Lock and SIM Protection. Number Lock prevents port-outs to other carriers. SIM Protection prevents internal SIM changes. Both need to be active at the same time because they address different risks. Verizon also imposes a 15-minute cooling-off period after SIM Protection is turned off before any SIM change goes through.
Do this today. Right now. Before you finish this chapter. Call your family members tonight and walk them through the same steps. Your parents, your adult children, your siblings. Anyone who has a phone number connected to a bank account needs these protections turned on.
The second step is to move away from text message verification codes entirely. In December 2024, the FBI and the Cybersecurity and Infrastructure Security Agency issued joint guidance telling Americans point-blank: do not use SMS as a second factor for authentication. This guidance came after the Salt Typhoon cyberattack, in which Chinese government-affiliated hackers penetrated the core networks of AT&T, Verizon, T-Mobile, and Lumen Technologies and gained access to unencrypted text messages, including authentication codes.
The strongest replacement is a hardware security key, a small USB device like a YubiKey (about $50) or Google Titan key (about $30) that you plug into your computer or tap to your phone when logging in. The next strongest option is a passkey, a free, built-in feature on most modern phones and computers that ties your login to your device and your fingerprint or face. Approximately 69 percent of consumers now have at least one passkey, and over one billion passkeys have been created worldwide. Microsoft made passkeys the default for new accounts in May 2025. The third option is an authenticator app like Google Authenticator, Microsoft Authenticator, or the open-source Ente Auth, all of which generate codes on your device rather than sending them over the cellular network.
Log in to your most important accounts this week, your bank, your primary email, your investment accounts, and check your security settings. If the option exists to switch from SMS verification to an authenticator app, a passkey, or a hardware key, make the switch. Every account you move off SMS is one more door that a SIM swap cannot open.
One frustrating reality remains. Many of the largest financial institutions in America, including Chase, Wells Fargo, Citibank for most account functions, and Vanguard, still offer only SMS-based verification with no app or passkey alternative. If your bank falls into this category, call them. Tell them you want stronger authentication options. File a formal complaint. The more customers demand better security, the faster these institutions will move.
The Legal Tide Is Turning
For years, carriers treated SIM swap losses as somebody else's problem. Victims filed lawsuits. Carriers buried them in arbitration. Courts dismissed claims. The legal ground is shifting in a meaningful way.
The Ninth Circuit Court of Appeals ruled in September 2024 that victims of SIM swap fraud have the right to sue their wireless carrier under Section 222 of the Federal Communications Act. That case, brought by Michael Terpin after losing $24 million through an AT&T SIM swap, was the first appellate ruling to establish that carriers owe a legal duty to protect customers from this specific type of fraud.
In March 2025, an arbitrator ordered T-Mobile to pay $33 million to Joseph "Josh" Jones, a victim who lost over $38 million in cryptocurrency after his T-Mobile account was compromised in February 2020. Jones had set up heightened security on his account with an 8-digit PIN. The attackers bypassed the PIN and executed the swap. T-Mobile attempted to seal the arbitrator's findings, and attorneys accused the company of trying to hide evidence of systemic security failures. That $33 million award is the largest SIM swap-related recovery on record.
The Terpin case against AT&T was set for trial on March 3, 2026. If a jury finds AT&T liable, the precedent will send a clear message to every carrier in America: letting a criminal walk off with a customer's phone number carries a financial cost that makes the necessary security investments look cheap by comparison. That kind of financial accountability is the one force that consistently changes corporate behavior.
Your Phone Number Is Not Just a Number
Everything you have read in this chapter comes down to one uncomfortable truth. Your phone number has been turned into something its designers never intended. A ten-digit sequence originally meant to route voice calls now functions as the password to your financial life, your personal communications, your health records, your government accounts, and your digital identity.
The carriers know this. The banks know this. The federal government has known this since at least 2016 when NIST first warned the country to move away from SMS-based security. And still, in 2026, the default setting on your wireless account leaves your number unprotected. The default setting on most major bank accounts still uses text messages as the only form of two-factor authentication. The data broker industry still sells the personal information that makes SIM swaps possible for less than the price of a fast food meal.
You did not create this system. You did not choose to have your entire financial life hinge on whether a customer service representative at a wireless store can tell the difference between you and a criminal with a convincing story and a fake ID. You did not ask for your Social Security number, your date of birth, and your mother's maiden name to be available for purchase on the open market.
You do have the power to lock your carrier account down today. You do have the ability to switch your most important accounts off SMS verification this week. You do have the right to demand that your bank offer real security instead of a system the FBI has told you to stop using.
Rob Ross, the Apple engineer who lost a million dollars in twenty minutes, went on to found a nonprofit called StopSIMCrime.org dedicated to raising awareness and pushing for stronger protections. He did not accept the loss as inevitable. He fought back.
Five minutes. That is all the time you need to lock your phone number down. Pick up your phone, open your carrier's app, and turn on every protection available to you. Then move your most important accounts off text-message authentication. Then tell the people you love to do the same. The criminals who steal phone numbers count on one thing above all else: the assumption that ordinary people will never bother to take these steps.
Prove them wrong.