Photo by Luther.M.E. Bottrill on Unsplash

Do not use text messages for 2-factor authentication if you can avoid it

This blog was actively maintained from 2003-2017. These posts remain here for reference, but some of the content will now be out of date.

This article in the Guardian is a cautionary tale.

EE texted to say they had processed my sim activation request, and the new sim would be active in 24 hours. I was told to contact them if I hadn’t requested this. I hadn’t, so I did so immediately. Twenty-four hours later, my mobile stopped working and money was withdrawn from my bank account.

With their alien sim, the fraudster infiltrated my handset and stole details for every account I had. Passwords and logins had been changed for my finance, retail and some social media accounts. Worst of all, two longstanding email accounts are forever irretrievable as the hacker set up their own two-factor authentication, allowing them to halt any password alteration requests, and change my lifelong mobile number.

There is a lesson here for all of us.

First: do turn on two-factor authentication. This is always better than not having it on.

Second: if the service offers it, switch off text messages as a second factor and use a code-generator app (a TOTP authenticator) instead. Do not leave several methods switched on at once: an attacker only needs the weakest one, so an SMS fallback left enabled gives them exactly the same opening as SMS being your only method.

And of course, use long, randomly generated passwords that are unique to each account, and store them in a password manager.
