Two-factor authentication by text message feels secure — the code goes to your phone, and you have your phone. A SIM-swap attack breaks that assumption by stealing the phone number itself.
What a SIM swap is
Your phone number is not permanently tied to the SIM card in your phone. A mobile carrier can move a number to a new SIM — that is a normal service, used when people upgrade phones or lose a SIM. A SIM-swap attack abuses it: the attacker contacts your carrier, impersonates you, and convinces them to move your number to a SIM the attacker controls. From that moment, your calls and texts go to them.
Why that is so damaging
Once the attacker has your number, every SMS code goes to them. They can request password resets that are confirmed by text, and they can pass SMS-based two-factor checks. A number that was your security backup becomes the attacker's master key. This is the core reason security guidance prefers app-based authentication over SMS.
How attackers pull it off
SIM swaps rely on social engineering and information about you. Attackers gather personal details — often from data breaches — to answer a carrier's identity questions. Sometimes they exploit weak verification, or a dishonest insider. The weak point is the carrier's process for proving who you are, not your phone.
How to protect yourself
A few steps help. Ask your carrier to add a PIN or passcode to your account, required before any changes — many carriers offer this. Where you can, move two-factor authentication off SMS and onto an authenticator app or a hardware security key, which a SIM swap cannot touch. And be sparing with the personal details attackers would need to impersonate you.
The takeaway
SIM swapping turns your phone number against you by moving it to an attacker's SIM. It is the clearest reason SMS is the weakest form of two-factor authentication. Lock down your carrier account, and prefer an authenticator app or security key for anything that matters.