I want to start this post differently than most cybersecurity articles you’ve probably read. I’m not going to open with statistics about how many millions of people get hacked every year. I’m going to tell you what happened to me — because it’s the kind of thing that sounds like it happens to other people, right up until it happens to you.
My cell phone SIM card was cloned by a hacker. In the time it took me to realize something was wrong, they had gained access to my cryptocurrency wallet, emptied it, and closed my account with my service provider. My phone went dark — no calls, no texts, nothing but WiFi. I was locked out of my crypto. And when I tried to log into work, I couldn’t do that either — because my multi-factor authentication was set up to send a verification code to the phone number that had just been stolen from me.
One attack. Three simultaneous crises.
I had to call T-Mobile to find out what happened. They told me they had received a request to close my account. That’s when the investigation started — and the long, frustrating process of getting a new phone number, a new SIM card, and notifying everyone in my life of the change began.
I lost some cryptocurrency that day. I lost time. I lost the sense of security that most of us carry around without even realizing it. And I learned more about digital security in the weeks that followed than I had in the previous decade.
That’s what this post is about.
What Is a Cyber Attack and Why Should Preppers Care?
When most people think about emergency preparedness, they think about physical threats — storms, fires, floods, civil unrest. Cybersecurity feels like a different category entirely, something for IT professionals and tech companies to worry about.
That thinking is outdated and dangerous.
Your digital life is deeply intertwined with your physical safety and financial security. Your bank accounts, your phone, your email, your work access, your medical records, your identity — all of it lives in digital systems that can be compromised. A successful cyber attack on an individual can result in financial ruin, identity theft, loss of access to critical systems, and in some cases real physical danger.
And cyber attacks aren’t just targeting individuals. Critical infrastructure — power grids, water treatment facilities, hospitals, financial systems — has been successfully attacked by hackers. A large-scale cyber attack on infrastructure could trigger the kind of widespread disruption that every other section of this site prepares you for.
Cybersecurity is preparedness. Full stop.
What Is SIM Cloning and How Does It Work?
SIM cloning — also called SIM swapping — is one of the most sophisticated and devastating forms of cyber attack targeting ordinary people. Here’s how it works.
Your cell phone’s SIM card is the small chip that connects your device to your carrier’s network. It’s tied to your phone number. When a hacker clones or swaps your SIM, they essentially steal your phone number and transfer it to a device they control.
They do this by contacting your carrier — posing as you — and convincing the carrier to transfer your number to a new SIM. Sometimes they use personal information gathered from data breaches, social media, or phishing attacks to impersonate you convincingly. Sometimes they exploit vulnerabilities in carrier security procedures. In my case, I never found out exactly how they did it. The result was the same regardless.
Once they have your phone number, they have something far more valuable than a phone — they have access to every account that uses SMS text messages for two-factor authentication. That’s your email. Your bank. Your cryptocurrency. Your work systems. Anything that sends a verification code to your phone number is now compromised.
Your phone loses service. Their device gets your texts and calls. And the clock starts ticking.
How I Found Out — and What Happened Next
The first sign something was wrong was that my phone lost service unexpectedly. No calls, no texts — just WiFi. That alone was alarming, but I didn’t immediately understand what had happened.
When I called T-Mobile, they told me they had received a request to close my account. Someone had contacted my carrier, impersonated me successfully, and had my account closed. My number was gone.
By the time I made that call, my cryptocurrency wallet had already been accessed and emptied. The hacker used my phone number to bypass the security on my account, got in, took what was there, and moved on.
Then I tried to log into work. I couldn’t. My multi-factor authentication — the security layer designed to protect my account — was set up to send a verification code via text message to my phone number. The phone number that no longer belonged to me. I was locked out of my own work systems because my security measure had been turned against me.
The recovery process was exhausting. New phone number. New SIM card. Notifying everyone — family, friends, colleagues, every account and service tied to that number. Resetting MFA on every account I could access. It took days to fully sort out and weeks before everything felt normal again.
The Lessons I Took From It
I don’t share that story to frighten you. I share it because every detail of what happened to me contains a lesson that could protect you from the same experience.
SMS-based two-factor authentication is not as secure as most people think. This was my biggest takeaway. Using a text message as your second factor of authentication means your security is only as strong as your phone number — and as I learned, your phone number can be taken from you. I have since moved away from SMS-based MFA wherever possible and switched to authenticator apps that generate codes on the device itself, independent of a phone number.
Your phone number is an identity document. Most people don’t think of their phone number this way, but hackers do. Treat it accordingly. Be cautious about where you share it and what accounts it’s connected to.
Cryptocurrency requires hardware-level security. If you hold any cryptocurrency, keeping it in an exchange or a software wallet that relies on SMS authentication is a significant vulnerability. A hardware wallet — a physical device that stores your crypto offline — is far more secure. This is called cold storage, and it’s what I recommend to anyone holding crypto of any meaningful value.
Recovery takes longer than you expect. The immediate crisis — getting a new SIM, a new number — is the easy part. The ripple effects take much longer to fully resolve. Every account, every contact, every service tied to your old number needs to be updated. Plan for days of work, not hours.
How to Protect Yourself From SIM Cloning and Cyber Attacks
Here is what I now do differently, and what I recommend to everyone reading this post.
Add a PIN or passcode to your carrier account. Most major carriers — T-Mobile, AT&T, Verizon — allow you to set a separate account PIN that must be provided before any changes can be made to your account. This is one of the most effective defenses against SIM swapping. Call your carrier today and set this up if you haven’t already. It takes five minutes.
Switch from SMS-based MFA to an authenticator app. Apps like Google Authenticator or Authy generate time-sensitive codes on your device that don’t depend on your phone number. Even if a hacker steals your number, they can’t generate these codes. Go through your most important accounts — email, banking, work — and switch from text-based verification to an authenticator app wherever the option exists.
Use strong, unique passwords for every account. A password manager makes this practical. Using the same password across multiple accounts means one breach compromises everything. A password manager generates and stores complex unique passwords for every site so you don’t have to remember them.
Be cautious about what personal information you share online. Hackers gather information from social media, data breaches, and public records to build a profile they can use to impersonate you. The less you share publicly — birthdate, phone number, hometown, family members’ names — the harder you are to impersonate.
Monitor your accounts actively. Set up alerts on your bank and credit card accounts for any transaction. Check your credit report regularly. The faster you detect unauthorized activity, the faster you can respond and limit the damage.
Freeze your credit. A credit freeze prevents new accounts from being opened in your name without your explicit authorization. It’s free, it’s reversible when you need it, and it’s one of the most powerful identity theft protections available. Contact each of the three major credit bureaus — Equifax, Experian, and TransUnion — and request a freeze.
Secure your cryptocurrency with cold storage. If you hold any meaningful amount of cryptocurrency, move it off exchanges and software wallets and onto a hardware wallet. A hardware wallet stores your private keys offline, meaning a hacker who compromises your phone number or your exchange account cannot access your crypto. This is the standard I now hold myself to.
Have a backup MFA method for every critical account. Before you need it, set up backup authentication methods for your most important accounts — especially work systems. If your primary MFA method becomes inaccessible, you need an alternative way in that doesn’t depend on a phone number or device that could be compromised.
Back up your important data. Ransomware attacks — where hackers encrypt your files and demand payment to restore access — are increasingly targeting individuals, not just corporations. Regular backups to an external drive that isn’t permanently connected to your computer, or to a secure cloud service, mean a ransomware attack loses most of its leverage over you.
The Bigger Picture: Infrastructure Cyber Attacks
Individual attacks like what happened to me are serious. But the larger cyber threat — attacks on critical infrastructure — deserves attention in any preparedness discussion.
Power grids, water treatment plants, hospitals, financial systems, and transportation networks have all been successfully targeted by hackers in recent years. A sophisticated attack on power grid infrastructure, for example, could trigger a grid-down scenario affecting millions of people simultaneously. The Colonial Pipeline attack in 2021 disrupted fuel supplies across a significant portion of the Eastern United States through a ransomware infection.
I cover grid-down preparedness separately on this site, but the connection is worth making explicitly here: cybersecurity is not just a personal finance issue. It is an infrastructure issue, and the same preparedness principles apply. Have what you need on hand. Don’t depend entirely on systems that can be disrupted. Have backup plans for communication, power, water, and food.
Your Cyber Preparedness Checklist
To make this actionable, here’s what I recommend doing this week — not someday, this week:
Call your cell carrier and add an account PIN. Download an authenticator app and switch your most critical accounts away from SMS-based MFA. Set up a password manager if you don’t have one. Freeze your credit with all three bureaus. Set up transaction alerts on your financial accounts. Back up your important files to an external drive. If you hold cryptocurrency, research hardware wallets and move your holdings to cold storage.
None of these steps require technical expertise. All of them meaningfully reduce your vulnerability to the attacks that are most commonly targeting ordinary people right now.
A Final Word
I didn’t expect to become someone who talks about cybersecurity. I expected to talk about storms and power outages and bug out bags. But what happened to me changed my perspective on where the threats actually live in the modern world.
Your digital life is real life. The money in your accounts is real money. The access to your job, your medical records, your family communications — all of it is real, and all of it can be taken from you by someone sitting at a keyboard anywhere in the world.
Prepare for it the same way you prepare for anything else. Learn the threat. Take practical steps. Don’t wait for it to happen to you before you take it seriously.
I waited. Learn from that.
Stay ready.
Note: Some links in this post are affiliate links. If you purchase through them, I may earn a small commission at no extra cost to you. I only recommend gear I actually believe in.