What Are Warning Signs of an In-Progress SIM Swap Attack?

Updated July 13, 2026 6 min read

Most account security threats announce themselves with a strange email or a login alert. A SIM swap does the opposite — the first sign is often that a phone simply stops working, and by the time that’s obvious, an attacker may already be inside several accounts.

The short answer

The clearest warning sign of an in-progress SIM swap is a phone suddenly losing cell signal, texting ability, or calling ability without any obvious cause, such as a missed bill or a known outage in the area. Other signs include unexpected “your SIM has been updated” notifications from a carrier, password reset emails for accounts that weren’t requested, or being logged out of accounts unexpectedly. Any of these, especially in combination, calls for immediate action rather than waiting to see if service returns on its own.

Why a SIM swap works the way it does

A SIM swap happens when someone convinces a phone carrier — often through social engineering or a compromised employee account — to transfer a victim’s phone number to a SIM card the attacker controls. Once that transfer completes, the attacker’s device starts receiving the victim’s calls and texts, including the one-time codes used for account recovery and two-factor authentication. This is part of why SIM swap attacks specifically target cryptocurrency accounts: once a phone number is compromised, an attacker can often reset passwords on linked exchange accounts and intercept the verification codes meant to stop exactly that kind of takeover.

Signs to watch for

Why speed matters more than usual here

Once a SIM swap succeeds, an attacker’s advantage is time — every minute of active phone control is another opportunity to reset passwords, bypass two-factor authentication tied to a wallet or exchange account, and move funds before the real owner can intervene. Contacting the phone carrier immediately to lock down the account and contacting any financial or exchange accounts tied to that number are the two most urgent steps once the signs above appear, well before the full scope of what was accessed is even known.

Why self-custody changes the calculation

An account recovery flow that depends on a phone number is only a meaningful attack surface if something valuable sits behind it. Holdings kept in a self-custody wallet, where private keys aren’t tied to a phone-based account recovery system at all, remove that particular avenue of attack — though self-custody introduces its own risks around securing keys directly, since there’s no institution to call if something goes wrong there instead.

The takeaway

A SIM swap is unusual among account-security threats because the earliest warning sign isn’t a suspicious message — it’s the absence of normal phone service. Anyone who notices signal loss alongside unexpected account activity should treat it as an active attack already underway, not a technical glitch to wait out, since every minute of delay is a minute an attacker keeps working through recovery flows in the background.