SIM Swap Attacks & Crypto Theft in Australia: How to Stay Protected

SIM swap or porting fraud is a form of identity theft where criminals transfer your mobile number to a SIM card they control. By taking over your number, they can intercept SMS verification codes and password reset messages. This can allow them to access your email or crypto exchange accounts and quickly move funds.

Crypto is an attractive target because transfers are fast and hard to reverse. If your exchange or email account relies on SMS for two-factor authentication, a SIM swap can tear straight through your security. With access to your number, an attacker can reset passwords, approve logins, and move funds out in minutes.

This guide walks through practical steps for Australians to reduce the risk across three key areas: your telco, your email, and your exchange account. It also includes a simple example for users of platforms like Swyftx, while keeping the advice relevant no matter which platform you use.

How SIM swap attacks typically work

SIM swap scams usually follow the same playbook. Once it starts, things can spiral fast.

  • Data gathering: Scammers dig up your personal info from phishing, leaks, or even your social profiles. 
  • Telco impersonation: They call your mobile carrier and pretend to be you. 
  • Number ported: Your number gets moved to a SIM card they control. 
  • SMS codes intercepted: They start receiving your text messages and login codes. 
  • Email or exchange reset: They use those codes to reset your accounts. 
  • Withdrawals: Money gets moved out, and you’re locked out before you realize what happened. 

It works because so many apps still treat a phone number like proof of identity. Once someone hijacks your number, they can grab your login codes and breeze past security checks like they own the place.

Early warning signs you’re being SIM-swapped

The most obvious sign is a sudden loss of signal or “SIM changed/porting” alerts. If your phone shows no service and there is no network outage, something may be wrong. Some carriers send alerts when a SIM change or number port takes place. If you receive such a message without requesting it, treat it as urgent. Also, take note if calls and texts stop arriving without explanation.

Another red flag is unexpected verification codes or password reset emails. If you receive login codes you did not request, someone may be testing access to your accounts. Even if your phone still works, do not brush this off as a glitch.

The #1 defence: stop using SMS 2FA (crypto-specific)

The strongest move you can make is to switch off SMS-based two-factor authentication wherever possible. Replace it with an authenticator app that generates time-based codes on your device. These codes are not tied to your phone number. Reliable crypto exchanges support this setup. Once you activate it, your phone number is no longer the weak link in your security chain.

For larger balances, consider a hardware security key. This small physical device must be present to approve logins or important changes. Without it, access fails. Where supported, it adds a powerful extra barrier.

Swyftx example: set up 2FA the right way

Reliable platforms like Swyftx offer clear steps to enable two-factor authentication through an authenticator app. You scan a QR code, enter a generated code to confirm setup, and from then on, each login requires both your password and a fresh code from the app. It takes only a few minutes, but it changes your risk profile completely.

The key is to turn this on before you deposit serious funds. Do not wait until your account holds value. Also, store your backup codes in a safe offline location. A locked drawer or secure safe works well. Avoid screenshots or cloud storage, as those can become new points of failure.

Lock down your telco account (carrier-level protection)

Your mobile provider plays a central role in SIM swap attacks, so secure that account too. Add a dedicated telco PIN so no one can request changes without it. Use your carrier’s official app for account management instead of responding to random calls or texts. For instance, Telstra advises customers to use the MyTelstra app, enable facial recognition, and set a Telstra PIN for added protection. Extra layers like these make social engineering much harder.

Never share one-time passcodes with anyone, no matter how convincing they sound. Scammers often pose as telco staff and ask you to read out a code sent to your phone. That code may be the final step they need to move your number. If someone asks for it, end the conversation and contact your provider directly through official channels.

Reduce the “blast radius” if an account is compromised

Start with your email account. It acts as the master reset tool for many services. Use a long, unique password that you do not reuse anywhere else. Add strong two-factor authentication that does not rely on SMS. If your email stays secure, attackers lose a major path into your exchange accounts.

Activate withdrawal protections on your exchange. Many platforms allow you to set an address allowlist so funds can only go to pre-approved wallets. Some also provide withdrawal locks or time delays. These features buy you time if someone gains access and tries to move funds.
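How an allowlist, a withdrawal lock and a time delay combine to buy time, as an added example that models the idea and is not any exchange's actual logic. The 24-hour hold, the rule that a credential reset triggers the lock, and the wallet names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 3600  # assumed cooling-off period; platforms choose their own

@dataclass
class Account:
    allowlist: dict = field(default_factory=dict)  # address -> time it was added
    locked_until: float = 0.0                      # withdrawal lock expiry

    def add_address(self, address, now):
        self.allowlist.setdefault(address, now)

    def on_credential_reset(self, now):
        # Assumed policy: a password or 2FA reset freezes withdrawals for a while.
        self.locked_until = max(self.locked_until, now + HOLD_SECONDS)

    def check_withdrawal(self, address, now):
        """Return (allowed, reason) for a withdrawal request at time `now`."""
        if now < self.locked_until:
            return False, "withdrawal lock active"
        added = self.allowlist.get(address)
        if added is None:
            return False, "address not on allowlist"
        if now - added < HOLD_SECONDS:
            return False, "address still in cooling-off period"
        return True, "ok"

def simulate_takeover():
    """Constructed timeline: owner allowlists a wallet, account is reset on day 10."""
    acct = Account()
    acct.add_address("owner-cold-wallet", now=0)
    t = 10 * 24 * 3600
    acct.on_credential_reset(t)                    # reset via hijacked number
    acct.add_address("unknown-wallet", now=t + 60)
    return [
        acct.check_withdrawal("unknown-wallet", t + 120),
        acct.check_withdrawal("never-added-wallet", t + HOLD_SECONDS + 30),
        acct.check_withdrawal("unknown-wallet", t + HOLD_SECONDS + 30),
        acct.check_withdrawal("owner-cold-wallet", t + HOLD_SECONDS + 30),
    ]

if __name__ == "__main__":
    for allowed, reason in simulate_takeover():
        print(allowed, reason)
```

In this model the new address cannot receive funds for a full day after the reset, which is the window in which the owner notices the lost signal and contacts the telco and the exchange.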

Keep long-term holdings off exchanges. Store them in cold storage, such as a hardware wallet that remains offline. If an exchange account is compromised, only the funds held there are at risk.

What to do if you suspect a SIM swap (fast response plan)

If your phone loses service without warning, contact your telco immediately through its official website or app. Report an unauthorised port or SIM swap and ask them to secure your number. Speed matters here.

From a trusted device, change your email and exchange passwords straight away. Log out of all active sessions and reset API keys if you use them. If you still have access to your crypto account, move funds to a secure wallet.

Stay alert for follow-up scams. Scamwatch warns that fraudsters may call or email and claim to be police or exchange staff. They may pressure you to transfer crypto for safekeeping or share sensitive information. Do not act on instructions from unsolicited contacts. Verify everything independently.

Swyftx trust signal

Swyftx states that it holds ISO 27001 certification for information security management after an external audit. This shows that the company follows structured security practices at an organisational level.

That said, no certification can stop a SIM swap on its own. Your personal account setup, especially the decision to disable SMS 2FA and activate withdrawal protections, is what blocks most takeover attempts.

Conclusion

SIM swap attacks succeed because they target the weakest link: your phone number. Once an attacker controls it, SMS-based security can collapse fast. The solution is simple in principle. Remove SMS from your authentication chain and strengthen every layer that touches your crypto.

If you do only three things, do these: turn off SMS two-factor authentication, add a telco PIN, and enable withdrawal protections like allowlists or delays. For long-term holdings, use cold storage. These steps will not make you invincible, but they will make you a much harder target.
