Phone numbers are used for many activities in daily life, such as verifying account access, using ride-sharing apps, obtaining tickets for events, boarding passes for travel and of course, communicating with friends, family and colleagues. But what happens if your phone number falls into the wrong hands?
Phone numbers were found in 39% of all data breaches, according to research from Verizon from 2024, the most recent year for which this type of data is available. Data breaches against phone carriers – and their third-party vendors – also expose phone numbers with associated accounts. More recently, a data breach at Charter Communications, a major telecom provider, may have resulted in the theft of 42 million records that include customer phone numbers.
Many phone numbers are out in the wild, subject to potential abuse. “Pretty much every person’s phone number around the world is in someone’s database,” said Lance Spitzner, director of workforce cybersecurity training at SANS Institute.
What Can And Can’t Hackers Even Do With Your Phone Number
It’s not a risk in itself for someone to have your phone number in hand, but when combined with other personally identifiable information, such as financial records, it becomes a problem.
A phone number alone is usually not enough to open up access to one’s devices or lock them out of their accounts. A less malicious but simply annoying incident is having your phone number a prime target in sales and robocall contact databases. But the stakes get higher when it falls into the wrong hands.
A phone number can serve as a gateway to malicious activity. “A phone number alone does not provide device access, but it can be used in scams that trick victims into revealing credentials or installing malware,” said Langley Allbritton, president of AI Communications Consulting. “The goal is usually financial fraud, identity theft or account takeover.”
It’s important to note that a hacker cannot gain access simply by calling a victim. “The risk comes from social engineering, convincing someone to share codes, passwords or approve access, not from the call itself,” she added.
1. Spam and Erroneous Notifications
At a minimum, one’s phone number may end up in marketing and robocall databases. The content then pushed out to your phone number may range from product announcements to personalized text scams to allegedly wrong numbers. Some may include links to scam web addresses, while others may just be seeking a response indicating a “live” number in use.
“You get a text: ‘Did you authorize a $200 charge? Reply Y/N,’” explained Patrick Coughlin, CEO and founder at Savi Security. “You reply ‘N.’ Seconds later a polished ‘fraud department’ agent calls, thanks you for flagging it, and says they’ll secure your account and they just need the verification code they’re sending now. That code is actually the attacker triggering a password reset, and you’re reading it straight to them. Victims realize too late, usually when the real account-change alerts start arriving.”
Perhaps just as nefarious are calls or texts from supposed government authorities. Typically, they may represent toll-road authorities warning about unpaid tolls that need to be paid immediately. Other messages may claim to be from the Internal Revenue Service, Social Security Administration or local courts. Notably, government entities will never contact citizens via text or telephone. All such correspondence is in writing, via the post office. Calls or texts claiming to be from banks may also target your phone number.
2. SIM Swapping
SIM-swapping is the most problematic and damaging form of phone-number hacking. An attacker takes a victim’s phone number and pairs it with personally identifiable information to contact a mobile service provider. If they have enough illicitly gathered information to convince a carrier’s customer service representative they are the legitimate phone-number owner, their account will be transferred to a replacement SIM card.
The attacker, for example, may “make up a story about losing your phone or SIM card and needing to transfer your number to a new one,” said Mary Ann Miller, vice president and fraud and cybercrime executive advisor at Prove. Once the attacker gains control of a victim’s number, the scammer “can intercept SMS one-time passwords used for two-factor authentication, giving them access to your bank account and other sensitive services,” she warned.
Unfortunately, a SIM swap is not noticeable until a victim attempts to use their phone, and no longer gets service. At that point, it is urgent they contact their mobile provider, and check and change passwords for all financial and social media accounts.
Preventing SIM swaps can involve a mix of vigilance and technology. The U.S. Federal Communications Commission (FCC) recommends eSim cards, for example, for greater security benefits. “An eSIM card cannot be stolen without stealing the phone, whereas removable SIM cards are sometimes stolen, and used in port-out scams,” the FCC advises.
To determine if you have a SIM or eSIM on an iPhone, go to Settings, scroll to General, then About, then scroll down to see whether Physical SIM or eSIM is indicated. On an Android phone, check the SIM slot on the side of the phone, or go to Settings, then Network & Internet to check for the type of SIM setting.
3. False SIM Swapping Alerts
Just as nefarious as SIM swapping itself is false alerting about a potential SIM swap underway, which may open the door to hackers.
“Victims may receive a notification, potentially through email, advising that their phone number is due to be swapped or is being swapped,” warned Calum Baird, senior digital forensics and incident response consultant at Systal Technology Solutions. “It may also direct them to follow a link if they notice this happening.”
Such false alerts may be phishing attempts to gain password access to your accounts. “If you receive such a notification, you should contact your telecommunications provider directly on a phone number you know to be correct,” Baird said.
4. Porting-Out Scams
Similar to SIM swapping, port-out scams involve scammers using a victim’s phone number, in combination with other personally identifiable information, to switch to another phone carrier. With a new account in the victim’s name, they can reset access credentials to financial and social media accounts.
Of course, carriers have controls and safeguards in place to guard against porting-out scams, such as PINs and passwords associated with their accounts. But still, it’s not ironclad, according to a warning from the FCC. Scammers will attempt to work around carriers’ safeguards by linking potential victims’ phone numbers with both public and pirated information. With such a combination of data, they may be able to convince a phone company representative to port out the number.
Avoiding such scams means being proactive, arranging for a PIN or a password to verify your identity when calling about your phone account, the FCC advises. In addition, be alert – through real-time notifications – for any changes to your financial or other accounts.
5. Subscriber Fraud
Subscriber fraud involves setting up an entirely new account and number under the victim’s name.
“It may take time to discover that subscriber fraud has occurred, and even more time to prove that you did not incur the debts,” according to the FCC.
To address potential subscriber fraud, contact the fraudulent account’s service provider and local law enforcement, too. In addition, keep an eye on your credit profile through one of the three major credit reporting bureaus.
6. Cell-Phone Cloning
Tech-savvy attackers are also capable of monitoring the radio waves of mobile phone transmissions and cloning their own versions of an account on an illegitimate mobile phone.
The cloning process involves replicating mobile phones’ unique electronic serial numbers (ESNs) and mobile identification numbers (MINs). Once the ESN and MIN information is transmitted into the clone phone, mobile carriers “cannot distinguish the cloned cell phone from the legitimate one,” according to the FCC. As in all cases, the first step is to alert your carrier if suspicious charges show up in your account.
7. Phone-Number Spoofing
A hacker or scammer can spoof your number so your contacts – family, friends, colleagues – will see your number displayed and believe they are receiving a call from you. Or, conversely, they may spoof the number of a bank or other trusted source.
“Number spoofing lets a bad actor display a fake or trusted caller ID, so a scam call shows up as your bank, a government agency, or a name you recognize,” said Clayton LiaBraaten, senior industry spokesperson for Truecaller.