Phone Number Porting Scams: How Criminals Steal Your Number

How Number Porting Scams Work

A number porting scam (also called port-out fraud) occurs when a criminal successfully requests that your phone carrier transfer your phone number to a new carrier — one that the criminal controls. The porting process is a legitimate feature of US telecommunications law: you have the legal right to take your phone number with you when you switch carriers. Scammers exploit this right by impersonating you at a target carrier with enough personal information to pass identity verification. Once the port is completed, all calls and texts to your number go to the criminal's device instead of yours.

The information needed to port a number typically includes: the phone number itself, the account holder's name, billing address, the last four digits of SSN (or the full SSN for some carriers), and in some cases the account's PIN or carrier account number. Most of this information is available through data broker sites, previous data breaches, or social engineering the carrier's customer service team. Once the attacker has successfully submitted a porting request with this information, the legitimate carrier must complete the port within one business day under FCC regulations — giving the account holder very limited time to detect and stop the fraud.

The moment the port completes, the victim's phone displays "No Service" and all incoming communications go to the criminal's device. This alone causes significant disruption, but the real damage comes from what scammers do with your number: they use it to reset passwords on accounts that use your phone number for two-factor authentication (banking, email, crypto accounts) via SMS-based 2FA. A criminal who controls your phone number controls your SMS-based 2FA, and therefore controls access to any account that relies on it.

The Relationship to SIM Swapping

SIM swapping and number porting scams achieve the same ultimate objective (taking control of your phone number) through different mechanisms. In a SIM swap, the attacker contacts your current carrier pretending to be you and requests that your number be transferred to a new SIM card — one the attacker controls — within the same carrier. In a port-out fraud, the attacker contacts a different carrier and initiates a legitimate number port to a new carrier. The practical difference from the attacker's perspective is which is easier given the specific carrier's security protocols.

Both attack types have been used in high-profile cryptocurrency thefts. Jack Dorsey (Twitter CEO at the time) had his phone number SIM-swapped in 2019. In 2020, a wave of SIM swap attacks targeted cryptocurrency executives, resulting in losses exceeding $100 million. The FBI issued warnings specifically about SIM swapping targeting cryptocurrency holders in 2022. The FCC's 2023 rulemaking on SIM swap and port-out fraud (FCC 23-62) requires carriers to notify customers when a SIM change or port-out request is received and to implement authentication procedures before completing these actions.

The FTC and FCC have both taken enforcement actions related to SIM swapping and port-out fraud. The FCC's rule requires both types of notifications: a text/call/email to the account on record, and a waiting period for ports unless the customer proactively confirms the request. These requirements represent a significant improvement over the previous industry standard, though implementation and enforcement determine actual impact.

Signs Your Number Has Been Ported

The most obvious sign of a completed port-out fraud is sudden and complete loss of cellular service on your device — no calls, no texts, no data. Your phone will show "No Service" or "SOS Only" continuously even in areas where you normally have good coverage. This is the definitive indicator, though by the time you notice it, the attacker may already have your number and be resetting your accounts. The average time between a completed port and the victim noticing is 4-6 hours — this window is when the most critical damage occurs.

Earlier warning signs include: texts from your carrier about a SIM change or port request you didn't initiate (these are the notification texts the FCC's 2023 rule mandates); unexpected 2FA codes arriving on your phone for accounts you're not currently accessing (which may indicate the attacker is testing account access before the port completes); or calls from your carrier's fraud team about suspicious account activity. If you receive any unsolicited communication about account changes you didn't make, contact your carrier immediately using the number on your bill or their official website — not a number from the suspicious notification.

After a completed port, digital warning signs include: inability to log into email or banking accounts (password reset codes went to your stolen number); unexpected "new device" login notifications from apps on your email or cloud backup accounts; cryptocurrency withdrawal emails from exchanges you hold funds at; or text messages on your primary device suddenly stopping while your calls still work. Document every anomaly with screenshots and timestamps — this documentation is essential for the carrier fraud investigation and any subsequent law enforcement report.

How to Protect Your Number

The most effective protection against port-out fraud is setting a carrier account PIN that is required for any number port, SIM change, or account modification. Every major US carrier offers this: AT&T (call 611 or myAT&T → Account → Account settings → Security passcode), T-Mobile (T-Mobile app → Profile → Advanced Settings → SIM Protection), Verizon (My Verizon app → Account → Account security → Number lock), and Tracfone/Straight Talk (call customer service to set a port-out PIN). The PIN should be unique — not your birthday, not the last four of your SSN, not a PIN you use elsewhere.

Some carriers offer "port freeze" or "number lock" features that require additional verification — including in-store identity verification — before any port can be completed. Verizon Number Lock, T-Mobile SIM Protection, and AT&T Security passcode all provide this functionality at no additional cost. Enable the strongest setting available. This makes social engineering-based port fraud significantly harder because the attacker must physically appear at a carrier store with government ID rather than just knowing your PIN over the phone.

Separating your phone number from your two-factor authentication reduces the impact of a successful port. Use an authenticator app — Google Authenticator, Authy (authy.com), or 1Password — for all accounts that support it, particularly email, banking, and cryptocurrency exchanges. These apps generate time-based one-time passwords (TOTP) that are tied to your device, not your phone number. Even if your number is ported, an attacker cannot generate TOTP codes for accounts using authenticator apps. Replace SMS-based 2FA with authenticator app 2FA on every high-value account as soon as possible.

What to Do If It Happens

If you suspect your number has been ported without authorization, act immediately: call your carrier from any available phone (a landline, a family member's phone, or a Google Voice number) and report unauthorized port-out fraud. Ask the carrier to immediately initiate a port-back (reversing the unauthorized port) and flag your account for additional security. Under FCC regulations, carriers are required to facilitate port reversals for confirmed fraudulent ports. Document the time and details of your call.

While on the phone with your carrier, change the passwords for your most critical accounts using a device other than your phone — a computer is best. Prioritize: primary email account, banking accounts, cryptocurrency accounts, and any account with financial information. For accounts where you've enabled SMS-based 2FA that now sends codes to the attacker, use backup codes (most services issue these during 2FA setup) to regain access, then change the 2FA method to an authenticator app immediately after regaining access.

File reports with: your carrier's fraud department (get a case number), the FTC at ReportFraud.ftc.gov (select "Identity Theft"), your local police department, and the FCC at fcc.gov/consumers/guides/filing-informal-complaint. For any financial accounts compromised using the ported number, contact the financial institution's fraud department and file CFPB complaints at consumerfinance.gov/complaint if banks are unresponsive. Identity theft recovery through IdentityTheft.gov will generate a personalized recovery plan. The recovery process for a port-out fraud can take weeks to months — keeping meticulous records of every step and contact is essential.