We just went through this with my son on AT&T. They were able to hijack his SIM twice. At the very least switch to just using a security key and never used phone based 2FA, which is what we’ve now done for everyone in the family.

SIM swap horror story: I’ve lost decades of data and Google won’t lift a finger | ZDNet