T-Mobile Employees Paid to Assist SIM Swap Attacks: Investigation Reveals

T-Mobile employees are receiving text messages that attempt to recruit them for illegal SIM swapping schemes, with offers of about $300 per successful swap.

SIM swap attacks exploit the reliance on SMS-based two-factor authentication (2FA). When attackers trick or coerce a carrier employee into transferring a victim’s phone number to a SIM they control, they can intercept SMS-based verification codes and gain unauthorized access to accounts such as email, banking, or cryptocurrency wallets.

Because SIM swapping undermines a commonly used security method, security experts recommend avoiding SMS-based 2FA when possible. More secure alternatives include authenticator apps such as Authy or Google Authenticator, and hardware security keys like YubiKey, which are resistant to SIM takeover.

The solicitations appear to leverage employee contact information to reach staff directly. Messages come from many different phone numbers—likely to avoid simple blocking—and often invite further communication on the encrypted messaging app Telegram. The texts offer monetary compensation in exchange for cooperating with SIM transfers.

Some messages explicitly claim the sender obtained contact details from the “T‑Mo employee directory,” indicating a potential compromise of internal records.

There is debate about how current the exposed data is. Some recipients targeted by the texts left T‑Mobile months ago, which suggests the directory data may be stale or taken from an older source rather than reflecting a live, ongoing breach. However, the fact that former and current employees are being targeted raises concerns about the integrity and confidentiality of employee information.

Regardless of the precise origin, the incident highlights weaknesses in how employee contact information is stored and protected. A compromised employee directory not only endangers staff through targeted social engineering but also increases risk to customers if attackers succeed in abusing employee access to enable SIM swaps.

Investigations are ongoing to determine the scope of unauthorized access to the directory and whether data is being repeatedly harvested or was obtained in a single event. Until the source is confirmed, this episode serves as a reminder of the persistent threats in digital communications and the need for continuous vigilance by both companies and individuals to defend against fraud motivated by financial gain.

(Photo by Andrey Metelev)
