SIM Swap scams are one of the few scams where you can do everything correctly and still be a victim. The reason is that the attack does not depend on anything you do. The hacker contacts your cellular carrier, and the idea is to convince the representative that they are you. Once they have done that, they convince the representative to move your phone number from your SIM to their SIM. This effectively cancels your SIM, and any calls or SMS messages go to the hacker’s phone. Since this is all social engineering aimed at the carrier, there is very little you can do to prevent it directly.
Now why would a hacker want your phone number? You may be able to get your number back reasonably quickly, but by the time you notice, find a working phone, and call your carrier, the damage may already be done. The reason is that many companies use SMS as a two-factor authentication (2FA) method to verify that it is you. For example, the hacker might try to log in to your email account and have the provider send the 2FA SMS message. Since they now control your phone number, they receive the SMS code, and they are in your email account. The same goes for social networks and, worst of all, bank accounts. As long as they control your phone number, they have access to every service that relies on SMS 2FA.
So how do you protect yourself? First, don’t tell people who your carrier is. No one really needs to know that. If people already know who your carrier is, then follow the next piece of advice. Next, get a separate phone number just for SMS 2FA. Do NOT give anyone this new number. Only companies that insist on SMS 2FA should have it. This means that even if a hacker SIM swaps your primary number, they still won’t have access to your bank accounts. It also gives you a working phone line to call your cellular provider after a SIM swap. Do not put your 2FA number on the same phone as your primary number. Most newer smartphones support dual SIM, but you should get a second phone for these 2FA text messages. Also, try to use a different provider. For those in the US, Freedom Pop offers a $10 service, and Tello offers plans starting at $5. Keep in mind that this second line only needs SMS and voice calls, enough to receive codes and to call your carrier if someone hijacks your primary number.
Next, if possible, put a number lock on your account. With a number lock, one of two things will happen. The first is that your carrier will have you set up a 4-6 digit PIN. The second option is that you use the carrier’s app to lock your number. If you set up a PIN, your carrier will require it for any account-level activity. With the second option, the carrier will send you an SMS with a 6-digit code. In either case, this PIN or code must be provided to unlock your number, and your number must be unlocked before it can be moved to another SIM. This means that even if a hacker knows your phone number (pretty easy to find out) and your provider (somewhat easy to find out), they will still need that PIN to unlock your number and transfer it to their SIM. That PIN will therefore be your saving grace against the social engineering. I would still suggest putting your SMS 2FA on a separate number that you do not give out, for extra protection of your financial accounts.
Another option that not enough companies support is an authenticator app. When logging in from a new device, you are required to provide your user ID and password (as expected) plus a 6-digit number from the authenticator app. This code is unique to your device, and the number changes every minute. This means the hacker would need to know your ID, your password, and the ever-changing 6-digit number. The company can also give you 8-digit backup codes to fall back on in case your device is not available, but these 8-digit codes are only meant to get you back into your account; once you are in, you should set up a new authenticator app. Keep in mind that you only need this 6- or 8-digit code when logging in on a new device or after your cookies are deleted. NO one from the company will ever ask you for this code. Do NOT give the code to anyone, and make sure you are logging in on the company’s real site. Even though the number changes every minute, this is not a foolproof defense, which is why those last two precautions matter.
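As an added example (not code from the original post), the block below shows how the six-digit number an authenticator app displays is actually produced and checked: the server and the app share a secret, and both derive the code from that secret and the current time window (RFC 4226 HOTP underneath RFC 6238 TOTP). The function names, the base32 secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` (the 20-byte test secret published in RFC 6238) and the `BackupCodeStore` class are constructed for this illustration. The time step uses the RFC default of 30 seconds rather than the one-minute period described above; it is a parameter. The backup-code store shows why the eight-digit fallback codes only work once.

```python
import base64
import hashlib
import hmac
import secrets
import struct

DIGITS = 6
TIME_STEP = 30  # RFC 6238 default; the post describes a one-minute period, so this is a parameter

# Constructed example secret: base32 of the ASCII string "12345678901234567890",
# the test key from RFC 4226 / RFC 6238. A real secret is random and never reused.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 text (QR code payload)."""
    padded = b32.strip().upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


TEST_SECRET = decode_base32_secret(EXAMPLE_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of time steps since the Unix epoch."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1,
                step: int = TIME_STEP, digits: int = DIGITS) -> bool:
    """Server-side check. `window` allows one step of clock skew either way, which is why
    a stolen code is only useful for a short time; the comparison is constant-time."""
    counter = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def generate_backup_codes(n: int = 10, digits: int = 8) -> list:
    """Fallback codes for when the device is unavailable; generated with a CSPRNG."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]


class BackupCodeStore:
    """Single-use fallback codes: only salted hashes are stored, and a code is
    discarded the moment it is redeemed, so it cannot be replayed."""

    def __init__(self, codes, salt: bytes = b"constructed-per-user-salt"):
        self._salt = salt
        self._hashes = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> str:
        return hashlib.sha256(self._salt + code.encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082.
    print("code at T=59:", totp(TEST_SECRET, 59), totp(TEST_SECRET, 59, digits=8))
    codes = generate_backup_codes(3)
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

The `window` argument is the edge case worth understanding: without it, a code typed a second before the window rolls over is rejected; with too large a value, a code captured by a look-alike site stays usable for longer. One step either side is the usual compromise.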
Unfortunately, too many companies do not offer authenticator app support. It would be ideal for banks and other financial institutions, but of the companies I use, only PayPal offers authenticator app compatibility. If more banks supported authenticator apps, it would dramatically reduce the chance of someone’s bank account being drained of everything. I know that if I ran a bank, I would offer this as a means of authentication.