Do you know: The 2024 Internet Crime Report combines information from 859,532 complaints of suspected internet crime!
Real Case:
Oren David Sela spent two years draining bank accounts belonging to elderly victims across California. He stole mail. Hijacked phone numbers through SIM swapping. Used victims’ identities to move money around until he’d taken $1.8 million.
When police arrested him in Beverly Hills in 2022, they found nearly $25,000 cash, expensive jewelry, and numerous fraudulent debit cards. He kept going anyway. Two more property searches in 2022 and 2023 turned up over $70,000 more in cash, stolen mail, fake IDs, and banking information for dozens of victims.
In April 2025, a judge sentenced him to 61 months in federal prison and ordered him to pay back $1,818,369.
His primary tool? Phone numbers. Specifically, the ability to take control of someone’s phone number and receive all their text messages, including those two-factor authentication codes banks send.
This isn’t some rare sophisticated hack. It’s happening at scale.
The Money Behind Phone Number Theft
FBI data shows victims lost over $48.7 million to SIM swapping attacks in 2023 alone. Compare that to 2021, when losses hit $68 million. Between 2018 and 2020 combined, victims lost just $12 million total.
The trajectory shows something disturbing. This type of fraud exploded.
FBI complaints jumped from 320 total between 2018-2020 to 1,611 complaints in 2021 alone. By December 2024, they’d logged 800 more cases.
Individual losses vary wildly. One Tampa resident lost $15,000 from his Coinbase account. Another victim lost $25,000 worth of Bitcoin. Ian Finlay, while on a cruise near Australia, eventually realized fraudsters had hit him for around $50,000 across multiple accounts.
How Your Number Becomes Currency
Major data breaches routinely expose phone numbers alongside other personal information. Not small breaches either.
AT&T announced in April 2024 that hackers stole call and text logs for nearly 100 million customers. That included anyone using Cricket, Boost Mobile, or Consumer Cellular. The stolen data covered May through October 2022, plus some records from January 2023.
Ticketmaster’s parent company Live Nation Entertainment got hit in 2024. Hackers claimed they took 1.3 terabytes of data covering 560 million people. That haul included names, addresses, email addresses, phone numbers, order information, and partial payment card details. They posted it for sale on the dark web.
Facebook’s 2021 breach exposed personally identifiable information from 533 million users. Phone numbers, birthdays, Facebook IDs. The data had actually been stolen years earlier through a security flaw. Facebook fixed it in 2019, but that information still circulates online today.
These aren’t isolated incidents. In January 2024, researchers uncovered what they called the “mother of all breaches.” Over 26 billion records from Twitter, Adobe, Canva, LinkedIn, Dropbox, and others, all in one database.
Your phone number shows up in these databases. Then it gets sold. Criminals buy lists of phone numbers with associated personal details. They use that information to either perform SIM swaps or to spam you with OTP requests trying to break into your accounts.
Data brokers exist specifically to aggregate and sell this information. A phone number linked to your name, address, email, and partial financial details becomes a product. One that multiple buyers purchase for various purposes, not all of them legal.
The OTP Nightmare
Once criminals have your number or gain control of it, the problems multiply fast.
A February 2024 report from India found that nearly 18% of respondents had experienced Account Takeover attacks, many involving OTP fraud. Sixty-two percent of those incidents happened within the past year.
Elon Musk claimed in January 2023 that SMS pumping cost Twitter $60 million annually. Whether that exact figure holds up or not, the scale is real.
The mechanics work like this: You sign up for some random website using your real phone number. That site either gets breached or sells your information. Your number ends up on lists that get passed around or sold. Now you’re getting OTP texts you never requested. Login attempts for accounts you don’t have. Password reset notifications for services you’ve never used.
Sometimes it’s just spam. Other times it’s active attempts to break into your actual accounts. The distinction matters less than you’d think, because both scenarios mean your number is compromised.
If criminals manage a successful SIM swap, they receive your actual two-factor authentication codes. Every banking login, every email password reset, every verification code meant for you goes to them instead. Your phone shows no service. Theirs shows your number.
Where Temporary Numbers Actually Help
Not every website deserves your real phone number. Most don’t.
The dividing line comes down to permanence and importance. Anything tied to your financial life, medical records, or government identity needs your real, permanent number. Everything else? Fair game for temporary numbers.
Think about it this way. That flash sale site offering 70% off random electronics? They don’t need your actual phone number. The loyalty card for a coffee shop you visit twice a year? Temporary number works fine. Some app promising free stuff if you just verify your phone? Definitely use a temporary phone number.
Sites collecting phone numbers often do it for marketing purposes anyway. They want to text you promotions. Build a contact database. Verify you’re a real person without putting in actual effort to verify identity properly.
When a website gets breached six months after you sign up, your temporary number goes into that leaked database instead of your real one. The spam, the login attempts, the OTP requests all go to a number you’ve already discarded.
The Email Parallel
This same logic applies to temporary email addresses. Services like Guerrilla Mail, TempMail, 10 Minute Mail exist for exactly this reason.
You don’t hand out your primary Gmail or Outlook address to every random website demanding email verification. You use a temporary email that self-destructs after a set time or that you simply abandon after getting whatever confirmation you needed.
Phone numbers work the same way. Your real number is valuable. It’s tied to your identity, your accounts, your security systems. Treat it accordingly.
How Temporary Number Services Work
Important Limitations
- ❌ Blocked by financial institutions – Banks, credit cards, investment platforms detect and reject them
- ❌ Government sites refuse them – IRS, DMV, and official services need stronger verification
- ❌ Healthcare portals block them – Medical services require real identity verification
- ⚠️ Purpose-built restriction – These blocks exist for security reasons
What Actually Protects Your Real Number
Lock Down Your SIM
- Enable SIM PIN through your carrier (Verizon, AT&T, T-Mobile). It’s free but not on by default.
- This PIN stops anyone from porting your number even with your personal info.
- If your phone shows “No Service” randomly, call your carrier immediately. That’s a SIM swap happening right now.
Kill SMS Authentication
- Use Google Authenticator, Authy, or Microsoft Authenticator instead of SMS codes.
- These apps generate codes every 30 seconds on your device. No phone number involved.
- Banks push SMS because it’s convenient for them. Ask for app-based auth. Most support it.
Clean Your Digital Trail
- Your number is on Whitepages, Spokeo, BeenVerified, and 40 other sites.
- Use Incogni or DeleteMe services, or spend a weekend doing removal requests yourself.
- Check old forum posts from 2009. That woodworking forum probably still shows your email and location.
- Review Facebook privacy settings. Defaults are public for way too many fields.
Set Up Alerts Everywhere
- Enable login notifications on banks, email, brokerage accounts.
- Any password change should wake you up at 3am if that’s when it happens.
- Minutes matter during an attack.
Use Temporary Numbers
Give your real number to:
- Banks and financial accounts.
- Healthcare providers.
- Government services.
Give temp numbers to:
- Restaurant loyalty programs.
- Retail signups for discounts.
- Newsletter subscriptions.
- Anything that doesn’t actually need your real number.
What You Actually Lose
- Money. $1.8M in the Sela case. $50K for Ian Finlay. $25K Bitcoin theft. These are real.
- Time. Hundreds of hours filing police reports, disputing charges, contacting credit bureaus, changing passwords everywhere.
- Identity. Credit cards opened in your name months later. Someone files taxes using your SSN. The IRS thinks you didn’t report income. Disputing this takes years.
- Privacy. Someone read your emails. Looked at your photos. Knew your daily routine from calendar entries.
