SIM Swapping Attacks on Teens: How Criminals Hijack Phone Numbers to Break Two-Factor Authentication

A 16-year-old in suburban Boston had his phone number stolen on a Tuesday afternoon. He didn’t lose his phone. Nobody broke into his house. An attacker called his carrier, claimed to be him, answered a few basic security questions whose answers were scraped from his Instagram profile, and convinced a customer service representative to transfer his number to a new SIM card. Within four minutes, the attacker had bypassed the two-factor authentication on his Gmail, Instagram, and Coinbase accounts. By the time the teenager noticed his phone had lost signal, $4,200 in cryptocurrency — birthday money his relatives had gifted him over two years — was gone. The FBI documented this case type in their 2022 public alert on SIM swapping, and it is far from isolated.

SIM swapping is one of the most underappreciated threats facing teenagers online. Parents who have done everything right — installed two-factor authentication, taught strong passwords, limited social media exposure — are often blindsided by it because the vulnerability isn’t the child’s behavior. It’s the carrier’s authentication process.

Key Takeaways

• SIM swapping transfers a phone number to an attacker’s SIM card by impersonating the account holder with the carrier — the victim’s device immediately loses service
• SMS-based two-factor authentication becomes useless once a SIM swap succeeds, because verification codes now go to the attacker
• Teenager social media profiles are gold mines for the security questions carriers use to verify identity — names, birthdays, pets, hometowns are all public
• Carrier-level protections (SIM lock PINs, port freeze) are available but rarely set up by default
• Authenticator apps and hardware security keys are immune to SIM swapping — SMS 2FA is not

How SIM Swapping Actually Works

The attack exploits a legitimate feature of the mobile network: number portability. When you get a new phone or switch carriers, your phone number needs to transfer to a new SIM card. Carriers have processes to verify you are who you say you are before authorizing that transfer. The problem is that those verification processes are frequently weak.

Step 1: Reconnaissance

Before calling the carrier, an attacker spends time researching the target. For teenagers, this information is often publicly available on Instagram, TikTok, Snapchat, or even LinkedIn-style bios. Attackers look for:

• Full name and date of birth (often in birthday posts)
• Current carrier (visible in group photos when friends tag locations at carrier stores, or visible in device metadata)
• Last four digits of a Social Security number (obtained from data broker sites or prior breaches — for minors these are sometimes part of family data exposed in healthcare or school breaches)
• Home address (visible in yearbook photos, school directories, or tagged locations)
• Mother’s maiden name, pet names, high school name (classic security questions, all frequently posted)

Step 2: Social Engineering the Carrier

The attacker calls customer service — or walks into a retail store — and claims to be the account holder. They may say they bought a new phone, that their SIM was damaged, or that they’re traveling and their phone stopped working. Customer service representatives, who are incentivized to resolve calls quickly, often require only two or three pieces of verification. If the attacker has done their homework, they can pass these checks.

Step 3: The Transfer

Once the carrier is convinced, they deactivate the victim’s SIM and activate a new one in the attacker’s possession with the victim’s phone number. The victim’s phone shows “No Service” or “Emergency Calls Only.” This is the first sign something is wrong — but most people assume it’s a network glitch, especially if it happens mid-day.

Step 4: Account Takeover

With the victim’s number in hand, the attacker visits any site that allows “Forgot Password” with phone-number recovery. Gmail, Instagram, Snapchat, Cash App, Venmo, Coinbase — most of these send a text message code for verification. The attacker requests that code, receives it on the stolen number, and resets the password. They now own the account.

Real Cases Involving Minors and Young Adults

The FBI issued a public alert in February 2022 specifically about the rise in SIM swapping complaints — a 400% increase in reported cases between 2018 and 2021, with losses exceeding $68 million in 2021 alone. While the FBI alert focused on financial losses, law enforcement cases have documented SIM swapping used against minors for non-financial purposes as well, including extortion, CSAM distribution, and account hijacking for harassment.

The FTC has received thousands of complaints involving teenagers whose accounts were taken over via SIM swapping, particularly Instagram and gaming accounts (Fortnite and Roblox accounts with valuable items or currency have been targeted). In several documented cases, attackers used the hijacked social accounts to impersonate the teen and solicit images from their contacts.

In 2022, the Department of Justice charged members of a group called “Scattered Spider” with SIM swapping attacks that affected minors among other victims. Several members of the group were themselves under 20 years old at the time of the attacks.

Why Teenagers Are Disproportionately Vulnerable

Risk Factor	Why It Affects Teens More
Public social profiles	Teens are more likely to have fully public Instagram/TikTok accounts with personal details visible
Security question answers online	Birthday posts, pet names, school affiliations all commonly posted
Carrier account under parent’s name	Parent may not realize teen needs their own PIN protection
Limited financial account monitoring	Cryptocurrency gifts, gaming balances not regularly audited
Reluctance to report	Teens may not tell parents they lost account access, delaying response
Reused passwords	Password reuse means a stolen number cascades into multiple account takeovers

How to Protect Your Teen’s Phone Number Right Now

Set a SIM Lock PIN with the Carrier

Every major U.S. carrier — AT&T, Verizon, T-Mobile — offers some form of SIM lock or account PIN that must be provided before any SIM change or port is authorized. This is separate from your account login password and must be given verbally when calling customer service.

• AT&T: Log into your account, go to Account Profile, then add a wireless passcode. You can also enable “Extra Security” which requires the passcode for any SIM-related changes.
• Verizon: Set a PIN in My Verizon > Account Settings > Security. Verizon also offers a Number Lock feature that prevents number transfers without additional verification.
• T-Mobile: Set an account PIN at T-Mobile.com > Account > Profile Settings. Enable SIM Protection (Settings > Line Settings > SIM Protection) — this is a T-Mobile-specific feature that blocks SIM swaps even with a valid PIN unless unlocked online first.

Call the carrier if you can’t find these settings. State explicitly: “I want to add a SIM lock and port freeze on this number.”

Move Away From SMS Two-Factor Authentication

This is the single most impactful technical change. Authenticator apps generate codes locally on the device itself — they don’t go through the phone number. A SIM swap has zero effect on an authenticator app code.

Recommended authenticator apps:

• Google Authenticator (simple, works on iOS and Android)
• Authy (adds cloud backup, useful if your teen ever loses their phone)
• Microsoft Authenticator (integrates well if your family uses Microsoft 365)

For accounts that matter most — email, social media primary accounts, financial accounts — switch from SMS 2FA to an authenticator app. For the highest value accounts, hardware security keys (YubiKey) provide the strongest protection, though they require the key to be physically present.

Audit Social Media Privacy Settings

The information attackers use for social engineering comes largely from social media. Review your teen’s Instagram, TikTok, and Snapchat privacy settings:

• Set main account to private (followers only)
• Remove or hide the birthday from the profile
• Don’t display the hometown or high school in the bio
• Turn off location tagging on all posts by default

A detailed walk-through of Instagram privacy settings specifically is available in our article on Instagram account security for kids.

Place a Credit Freeze (Yes, Even for Teens)

SIM swapping that goes after financial accounts often starts with data from credit bureaus. You can place a free credit freeze on your child’s credit file at all three bureaus — Experian, Equifax, and TransUnion — even if they have no credit history. The FTC recommends this specifically for minors. It prevents new credit lines from being opened in their name and removes one source of verifiable data attackers use.

Have a Family Response Plan

Talk to your teen about this specific scenario: if their phone suddenly loses signal and they can’t make calls or send texts, they should immediately borrow another phone and contact you — not wait. Every minute of delay is time the attacker has to change passwords and lock them out. Know the carrier’s fraud line number in advance:

• AT&T Fraud: 1-877-844-5584
• Verizon Fraud: 1-888-483-7200
• T-Mobile Fraud: 1-877-778-2106

What to Watch For Over 3 Months

Month 1: Set the SIM lock PIN on every number in your family plan. Do it today, not next week — it takes 10 minutes per line. Switch your teen’s most important accounts (Gmail, primary social media) from SMS 2FA to an authenticator app.

Month 2: Audit your teen’s social media for publicly visible personal information. Specifically look for: date of birth, hometown, school name, pet names in posts, and any phone numbers. Remove or restrict these. Review whether the family carrier account has any lines without a SIM lock.

Month 3: Check your teen’s accounts for any unfamiliar login sessions (Gmail > Manage your Google Account > Security > Your Devices). If you have a teen with a Coinbase, PayPal, or Venmo account, verify whether SMS 2FA is still enabled on those and switch it. Consider a credit freeze if you haven’t already.

Frequently Asked Questions

How do I know if my teen’s SIM has been swapped?

The first sign is almost always sudden loss of phone signal — the phone shows “No Service” when there’s normally strong reception. Other signs include not receiving calls or texts that others say they sent, and being suddenly logged out of accounts that ask for SMS verification. If this happens, assume a SIM swap until proven otherwise.

Can SIM swapping happen even if I have a SIM PIN from the carrier?

A strong SIM PIN set in advance significantly raises the bar. However, some attacks still succeed through retailer social engineering or internal carrier fraud — cases have been documented where corrupt carrier employees performed SIM swaps on request. The SIM PIN is the single best protection available, but not a perfect guarantee. Authenticator app 2FA is an essential second layer.

My teen uses an iPhone with Face ID. Does that protect against SIM swapping?

Face ID protects physical access to the phone, but SIM swapping doesn’t require physical access. The attacker never touches the phone — they just redirect the phone number. Face ID offers no protection against a SIM swap.

Is this only a risk for teens with cryptocurrency?

No. SIM swaps are used to take over Instagram, Snapchat, Gmail, and gaming accounts even when there’s no financial balance. Stolen social accounts are used for harassment, blackmail, impersonation, and re-selling. The financial angle is high-profile but not the only motivation.

Can the carrier reverse a SIM swap quickly?

Yes, usually. Calling the carrier fraud line and explaining the situation typically results in re-assigning the number back within 30–60 minutes. The problem is the window of time — even 30 minutes is enough for an attacker to reset multiple account passwords. Speed of reporting is critical.

---

About the author

Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.

Sources

1. Federal Bureau of Investigation (FBI). (2022). SIM Swapping — FBI Public Service Announcement. IC3 Alert Number I-022422-PSA. https://www.ic3.gov/Media/Y2022/PSA220224
2. Federal Trade Commission (FTC). (2023). SIM Swapping. Consumer Information. https://consumer.ftc.gov/articles/what-know-about-sim-swapping
3. Federal Trade Commission (FTC). (2024). Child Identity Theft. Consumer Information. https://consumer.ftc.gov/articles/child-identity-theft
4. U.S. Department of Justice. (2023). Members of Scattered Spider Cybercrime Group Indicted for Causing Tens of Millions of Dollars in Losses. DOJ Press Release. https://www.justice.gov/usao-cdca/pr/members-scattered-spider-cybercrime-group-indicted
5. CISA & FBI. (2023). #StopRansomware: Scattered Spider. Joint Cybersecurity Advisory. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
6. Krebs, B. (2022). The Lazy Phisher’s Guide to SIM Swapping. KrebsOnSecurity. https://krebsonsecurity.com
7. Pew Research Center. (2024). Teens and Social Media Use. Pew Research Center. https://www.pewresearch.org/internet/2024/01/teens-social-media/