A spate of hacked Instagram accounts. A $220 million lawsuit against AT&T. A bustling underground crime ring. They all have roots in an old problem that has lately found new urgency: SIM card swaps, a scam in which hackers steal your mobile identity—and use it to upend your life.

At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.

SIM attacks appear to be behind a recent string of Instagram takeovers, as well as the very unfortunate, not great time a hacker posted Justin Bieber nudes from Selena Gomez’s account last year. But they can impact other corners of your life as well. A cryptocurrency investor this week claimed that a SIM swap resulted in the theft of $23.8 million worth of tokens; he’s suing his carrier, AT&T, for 10 times that amount. And Motherboard recently documented a number of incidents in which SIM hijackers drained thousands of dollars out of people’s checking accounts.

A sobering caveat: If a skilled SIM hijacker targets you, there’s realistically not much you can do to stop them, says Allison Nixon, who works in threat research at security firm Flashpoint. “In most of the cases that we’ve seen, a sufficiently determined attacker can take over someone’s online footprint,” she says.

That’s because ultimately, the machinations behind SIM swaps are largely out of your control. Perfect security hygiene won’t always keep someone from fooling your carrier, and in fact, they may not even have to; Flashpoint has found some indications that SIM hijackers recruit retail workers at mobile shops to gain access to protected accounts. A comprehensive SIM swap fix would require fundamentally rethinking the role of phone numbers in 2018. “Phone numbers were never intended to be a way to confirm someone’s identity,” says Nixon. “Phone companies were never in the business to sell identity documents. It was imposed on them.”

The good news is, you can take steps to limit the chances that a SIM swap attack will happen to you—and limit the fallout if it does.

Stick a PIN in It

Every major US carrier offers you the option of putting a PIN or a passcode on your account. Take them up on it. Having one adds another layer of protection, another piece of information an attacker needs before they can compromise your identity. That won’t help against an insider threat, but it’s much better than nothing.

On AT&T, you can set up a “wireless passcode” that’s four to eight digits long by going to your profile, then Sign-in info, then Get a new passcode. You should also add what the carrier calls “extra security,” which just means it’ll require the passcode to manage your account online or in a retail store. You can find that by going again to Sign-in info, then Wireless passcode, and checking Manage extra security.

Verizon actually requires a PIN. To set yours up or change it, head to this site, then sign in to your account. Enter the PIN of your choice twice, click Submit, and you’re done.

For T-Mobile, you have to call instead; dial 611 from your mobile phone and ask to add “Port Validation” to your account, which lets you choose a six- to 15-digit PIN. On Sprint, sign in to your account, click on My Sprint, then go to Profile and security. Scroll to Security information, and update your PIN there.