Executive Phone Number Security: What Your IT Team Can’t Do For You


In January 2024, the Securities and Exchange Commission’s own X account was taken over through a SIM-swap-enabled path, and a fake post claiming a spot Bitcoin ETF had been approved briefly moved crypto markets. An internal review later confirmed that SEC staff had disabled multi-factor authentication on the account six months earlier. The regulator that now enforces a 30-day breach-notification clock on registered investment advisors had failed to follow the very security practice it audits them on. See the SEC’s own statement on the @SECGov X account compromise.

A friend of our family lived through this. It started with a phishing email, escalated to a port-out of their phone number via the PIN that should have protected it, and drained tens of thousands of dollars before anyone caught it. Months later, they were still closing and re-opening bank, utility, and internet accounts, getting a new phone number, and warning everyone in their contacts that messages from the old number were not them. That recovery process is the part no one talks about publicly, and it’s what makes prevention worth the time it takes.

At Adelia Risk, we work with regulated small and mid-sized businesses to boost company-wide cybersecurity protections. This article expands our guidance on mobile device management and mobile application management to cover personal phone usage in business settings. It covers the attack surface your firm’s IT team can’t reach: the carrier account, the SIM, the personal Apple or Google account, and the credit file attackers use to monetize a SIM swap. For any executive who uses a personal phone for multi-factor authentication codes, client calls, or email, this becomes larger than a personal issue.

Lock Down Your Carrier Account First

CHECKLIST EXTRACT

Carrier Controls Worth Setting Today

Verizon Number Lock: Sign in to My Verizon, go to the Security page, and toggle Number Lock on per line. With Number Lock on, Verizon refuses port-out requests for that line. It’s free. Verizon port-out FAQs

Verizon SIM Protection: A separate control on the same Security page that causes Verizon to reject SIM-swap requests until you turn it off.

AT&T Wireless Account Lock: Open the AT&T app (app-only, not on the website), sign in as primary account holder, tap your Account icon, then scroll to and select Wireless Account Lock. Toggle it on per line. AT&T Wireless Account Lock support article

AT&T Extra Security Passcode: An account-level passcode AT&T’s customer care agents ask for on every support call. Set it in your account profile. AT&T passcode instructions

T-Mobile Account Takeover Protection: Sign into T-Life or T-Mobile.com as Primary Account Holder and add Takeover Protection per line. This tells T-Mobile to refuse port-out requests. T-Mobile Account Takeover Protection

T-Mobile SIM Protection: A separate postpaid-only toggle. It doesn’t cover eSIM transfer on Apple devices, so pair it with Account Takeover Protection.

The carrier account is where attackers strike first, so it’s where the defense has to start. In a classic SIM-swap, attackers gather personal details from data broker sites, past breach dumps, and social media, then call your carrier posing as you, claim a lost phone, and ask for a new SIM or eSIM on a device they control. The attack doesn’t break any cryptography. It defeats customer service. CISA and the FBI’s December 2024 Mobile Communications Best Practice Guidance names SIM swapping and mobile phone hijacking as primary threat vectors and recommends an account PIN on every wireless line.

The single most confusing thing about carrier security is that the word “PIN” refers to two completely different things. The account PIN (AT&T calls it an Extra Security Passcode) is the code an agent asks you for on every support call. The port-out PIN, sometimes called a Number Transfer PIN, is a short-lived code generated only when you are legitimately moving your number to a different carrier. Setting an account PIN is not the same as setting a port-out PIN. An account-level lock, like Verizon Number Lock, AT&T Wireless Account Lock, or T-Mobile Account Takeover Protection, is what causes the carrier to refuse port-out requests in the first place. Set the account-level lock. Generate a port-out PIN only when you are actually switching carriers, and only then.

Keep in mind, for a Verizon business wireless account, only Account Owners and Account Managers can change Number Lock or generate a Verizon business port-out PIN. The AT&T port-out PIN and T-Mobile port-out PIN have similar role-gated controls. In our experience, firms lose track of who holds those roles after a CFO or operations-lead transition, and nobody can authorize a change when a number actually needs to move. Audit your business-account roles while nothing is on fire.

eSIM deserves its own note. With eSIM, the attacker doesn’t need a physical SIM card; a QR code or activation profile is delivered digitally. In a landmark March 2025 arbitration, a California arbitrator ordered T-Mobile to pay $33 million after attackers bypassed a customer’s NOPORT flag and convinced a call center agent to issue a remote eSIM QR code, enabling theft of roughly $38 million in cryptocurrency (BleepingComputer coverage). A diligent attacker will try both port-out and eSIM if they haven’t been locked, so we advise clients to turn on both Account Takeover Protection and SIM Protection on T-Mobile.

Move Multi-Factor Authentication Off Text Messages

CHECKLIST EXTRACT

Authenticator Migration, Without Getting Locked Out

List every account using SMS multi-factor authentication: A password manager’s security report is the fastest way to produce this list. Do it before you change anything else.

Generate and save backup codes for each account: Store them in the password manager as a secure note. Backup codes are the safety net if the phone is lost or the authenticator is wiped.

Add the new authenticator in parallel: Scan each account’s TOTP QR code with both the old authenticator (or SMS) and the new one, so both produce valid codes during the transition.

Turn on passkeys wherever they’re offered: Passkeys are phishing-resistant and sync through iCloud Keychain or Google Password Manager, so they survive a lost phone without backup codes.

Do the migration on a Saturday: Something will break. You want time and a laptop, not a client meeting.

The reason to move off text-message MFA isn’t that SMS got worse over the past year. It’s that NIST has now said so in print. NIST Special Publication 800-63B-4 (final, July 2025) formally classifies SMS one-time passwords as a “restricted authenticator,” meaning organizations using SMS MFA are expected to offer alternatives, inform users, and maintain a migration plan. For a regulated-firm executive, that’s an audit finding waiting to happen. When an examiner under the SEC’s Regulation S-P or a CMMC assessor asks what authenticator is in use on the accounts that reach customer data or CUI, “we’re still on SMS” will start a longer conversation than you want.

The TOTP vs. SMS comparison is straightforward once you strip out the marketing. A TOTP code generated by an authenticator app on your device is a time-based one-time password that never crosses the cellular network. If an attacker SIM-swaps your number, they get your texts, but they don’t get your TOTP codes. A passkey goes one step further and pins the login to the specific device and website, which is why it’s the only common authentication factor that is genuinely phishing-resistant.
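The TOTP mechanism described above, and the parallel-enrollment step in the checklist (two authenticators scanning the same QR code), written out as an added example that is not code from the original post or from any authenticator vendor: the seed is RFC 6238’s published test secret, and the otpauth URI, the “Brokerage” issuer and the address are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

# RFC 4226/6238 HOTP/TOTP written from the specs for this article; it is not
# code from Adelia Risk or from any authenticator app.
STEP_SECONDS = 30
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock, so nothing crosses a network."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                digits: int = DIGITS, drift_steps: int = 1) -> bool:
    """Relying-party check tolerating +/- drift_steps of clock skew (constant-time compare)."""
    counter = unix_time // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False

def secret_from_base32(b32: str) -> bytes:
    """Decode the Base32 seed carried in an otpauth:// QR code (spaces and missing padding tolerated)."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def parse_otpauth(uri: str) -> dict:
    """Extract what an authenticator reads from a scanned QR code: label, seed, digits, period."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": secret_from_base32(params["secret"]),
        "digits": int(params.get("digits", DIGITS)),
        "period": int(params.get("period", STEP_SECONDS)),
    }

if __name__ == "__main__":
    # Constructed QR payload carrying the RFC 6238 test seed ("12345678901234567890" in Base32).
    qr = ("otpauth://totp/Brokerage:alice%40example.com"
          "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Brokerage&digits=8")
    enrolled = parse_otpauth(qr)
    # The old and the new authenticator hold the same seed, so they emit the same code.
    print(totp(enrolled["secret"], 59, enrolled["digits"]))  # RFC 6238 vector: 94287082
```

Because the seed never leaves the two devices that scanned it, a SIM swap yields no code; the only thing the relying party needs from the network is the submitted digits, which it checks against its own copy of the seed.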

In our experience, the reason executives stall on this isn’t philosophical. It’s that they’re afraid of getting locked out, and that fear is legitimate. The lockout-avoidance protocol on our checklist exists because we’ve seen clients remove SMS MFA before the new authenticator was fully configured, then fail to log in to the account that holds the recovery email, then fail to log in to the account that holds that account’s recovery. The list-first, backup-codes-first, parallel-enrollment approach is what keeps that cascade from starting in the first place. Avoid Authy for MFA as its desktop app is deprecated, and migrating off is painful.

Harden the Personal Apple ID or Google Account

CHECKLIST EXTRACT

Personal Account Hardening

Turn on two-factor authentication on your Apple Account and Google Account: Prerequisite for every other Apple or Google hardening step.

Enable Apple Advanced Data Protection for iCloud: End-to-end encrypts 25 iCloud data categories, including Messages, Photos, Notes, and iCloud Backup. An attacker who takes over your Apple ID still can’t read them. Apple Advanced Data Protection setup

Set up an Apple Recovery Contact or Recovery Key before enabling ADP: With ADP on, Apple can’t help you recover the data. Don’t store the Recovery Key in Notes, Photos, or the Passwords app.

Enroll in Google Advanced Protection Program: Google’s strongest personal-account hardening. As of July 2024, a passkey satisfies enrollment instead of two physical security keys. Google Advanced Protection

Remove unused recovery phone numbers and emails: An attacker who controls a forgotten recovery option can start the reset cascade from there.

Review connected apps and OAuth grants: Revoke anything you don’t recognize or no longer use.

Executives with MDM on their work phone often assume their personal Apple ID or Google account is a consumer concern. It isn’t. iCloud backup captures Messages, Notes, and screenshots of sensitive documents. Personal email is the recovery path for most business SaaS tools, because those tools allow password reset via personal email if the work account is lost. Compromise of the personal account is a gateway to the work account, not a parallel problem.

Apple’s Advanced Data Protection is a high-value setting that most of the executives we work with haven’t turned on. With ADP enabled, 25 iCloud data categories become end-to-end encrypted, meaning Apple itself can’t read them and therefore can’t hand them over to an attacker who socially engineers Apple support. The trade-off, and it is a real trade-off, is that Apple can’t recover the data for you if you lose access. That’s why the recovery-contact step has to happen before the ADP toggle, not after. The most common mistake we see is storing the 28-character Recovery Key in the Notes app, which is one of the things ADP is encrypting. When people get locked out, the key is locked out with them.

Google’s Advanced Protection Program is the equivalent for Google accounts. Since July 2024, a passkey satisfies enrollment instead of two physical FIDO2 keys, which takes the friction way down. For anyone with a visible role at a regulated firm, APP enrollment is one of the most defensible moves on the Google side.

Freeze Your Credit at All Five Bureaus

CHECKLIST EXTRACT

Credit Freezes That Actually Close the Loop

Freeze at the big three: Equifax, Experian, TransUnion. Free under federal law, no credit-score impact.

Also freeze at Innovis: The fourth bureau, pulled by subprime and specialty creditors. Commonly missed. Innovis Security Freeze

Also freeze at NCTUE: The telecom and utility bureau, checked by wireless carriers before they open a new account. Directly relevant to SIM swap fraud prevention. NCTUE Consumer

Store every freeze PIN and lift PIN in your password manager: You’ll need them to lift a freeze when applying for credit or switching phone carriers.

A SIM swap is rarely the goal by itself; the goal is money. The chain starts with carrier compromise, then email reset, banking or brokerage takeover, and leads to opening new credit lines, all while the attacker controls the phone receiving the fraud-alert call. Freezing credit shortens the money side of that chain. We see Innovis missed in nearly every client engagement, and NCTUE is the one that matters most for SIM swap fraud prevention specifically. Wireless carriers and utilities check NCTUE before opening a new account, which is exactly where a SIM-swap attacker goes next. Make sure to store the lift PINs in your password manager when you set each one up, and not the first time you need to lift the freeze.

Reduce the Exposure Attackers Feed On

CHECKLIST EXTRACT

Shrink Your Data Broker Footprint

Opt out of the top 20 people-search sites: Manually or via a service. Focus on Spokeo, WhitePages, BeenVerified, Radaris, PeopleFinder, FastPeopleSearch, TruePeopleSearch, Intelius, and similar. Manual opt-outs hit roughly 70% removal per Consumer Reports’ 2024 study; the best paid services hit 65–68%.

Treat data-broker opt-out as a recurring task: Brokers re-list within months. Set a semi-annual reminder, or use a service like Optery or EasyOptOuts and review quarterly.

Move off personal email for account recovery on firm applications: Where the business tool allows it, use your work email as the recovery address instead.

Most successful SIM swaps run on information the attacker already collected. Your date of birth, your prior addresses, your mother’s maiden name, the last four of your Social Security number, and the name of your first pet are sitting on data broker sites right now, scraped from public records and breach dumps. The carrier agent who verifies “the customer” during a fraudulent call is checking those data points. Reducing your footprint might not eliminate the attack, but it can raise the cost for attackers.

Consumer Reports’ 2024 study on data broker removal services is worth reading in full before you pick a vendor. The uncomfortable finding is that even the best paid services only reached 65 to 68 percent removal over four months, and some services only hit single-digit removal rates. Manual opt-outs, which require filling out a form on each broker site and waiting for an email confirmation, reached roughly 70 percent. The practical read for busy executives is that paid services buy you time, not completeness, and either path needs to be revisited at least twice a year to cover re-listed data from fresh public records.

If You Think You’re Being Attacked Right Now

CHECKLIST EXTRACT

The First 15 Minutes

Call your carrier’s fraud line, not regular customer service: Say “I believe my number has been SIM-swapped” and request an immediate account lock and reversal. The FBI IC3 SIM-swap PSA (I-020822) lists this as step one.

Lock your personal email next: Change the password from a trusted device, sign out of all other sessions, review “last account activity,” and check for attacker-added forwarding rules.

Call primary bank, brokerage, and custodian fraud lines: Ask for wire-transfer freezes and an alert flag on the account.

Notify your firm’s IT, CISO, or compliance contact: If the phone had firm or client data access, this starts the regulatory clock. Document the time of discovery.

Reset passwords in this order: email, cloud storage, password manager, crypto, social. Locking down email first is what cuts off the attacker’s persistence path.

File an IC3 complaint and an FTC identity theft report: ic3.gov and identitytheft.gov.

Tell your assistant, spouse, and any active-conversation clients: The attacker will try to impersonate you while you’re locked out.

The warning signs of an active attack are not subtle, but they are easy to dismiss in the moment. Sudden loss of cellular service in a known coverage area. A flood of password-reset emails you didn’t request. Notification emails from your carrier about a SIM change or port request you didn’t authorize. A simultaneous wave of logouts from accounts you were signed into.

In our experience, the first minutes of a SIM swap are the ones that matter; attackers know the window is short and they move fast. That’s why the response order has to revolve around a secondary device. A spouse’s phone, a landline, or a laptop on Wi-Fi. Trying to respond from the compromised phone wastes the minutes you have. It’s also why the carrier fraud line is the first call, not regular customer service. Fraud lines at all three major carriers have faster paths to account locking and reversal, and regular customer service often sends you through steps you don’t have time for.

Regulatory exposure starts at discovery, not at containment. For a registered investment advisor, a SIM-swap that reaches client email, a CRM, or a custodian portal is within the scope of the SEC’s amended Regulation S-P, which requires customer notification within 30 days of discovery. Compliance began on December 3, 2025, for large advisors and is set for June 3, 2026, for small advisors.

For HIPAA-covered entities, the 60-day Breach Notification Rule clock starts if unencrypted protected health information is reachable through the compromised phone, per 45 CFR 164.400–414. For defense contractors handling Controlled Unclassified Information (CUI), DFARS 252.204-7012 requires a 72-hour report to DoD via DIBNet. Writing down the time of discovery the moment you notice something is wrong will pin the clocks to something defensible later.

Prepare the people around you as another layer of defense. An attacker will try to impersonate you to your assistant, spouse, or clients while you’re locked out, so a five-minute notification closes that attack path. The script in the checklist is what we give clients to share with their assistant and family.

When Professional Help Is Worth It

Most of what’s listed above can be handled by an executive in a few focused sessions with a laptop and a Saturday afternoon. The areas where we often see clients get stuck fall less in the personal layer and more in what happens when personal phone security needs to align with firm-wide programs. Firm-wide migration off SMS multi-factor authentication across every business application. An MDM or MAM rollout that complements the personal layer without overreaching into employee privacy. A documented incident plan that can survive a Regulation S-P, HIPAA, or CMMC exam. These are the projects where our Virtual CISO service does most of its work.

If you’ve worked through this article and want IT-level help on any of those, Adelia Risk’s Virtual CISO service is built for regulated small and mid-sized firms.


Josh Ablett

Josh Ablett, CISSP, has been meeting regulations and stopping hackers for 20 years. He has rolled out cybersecurity programs that have successfully passed rigorous audits by the SEC, the FDIC, the OCC, HHS, and scores of customer auditors. He has also built programs that comply with a wide range of privacy and security regulations such as CMMC, HIPAA, GLBA, SEC/FINRA, and state privacy laws. He has worked with companies ranging from 5 people to 55,000 people.
