Application security, Endpoint/Device Security, Threat Intelligence

Scammers offer cash to phone carrier staff to swap SIM cards

Hand holding sim card, select focus, color effect

Threat actors appear to be using stolen employee records from telephone companies to entice workers to perform illegal SIM swaps in return for quick cash.

In a Reddit thread, current and former employees of T-Mobile and Verizon reported receiving text messages from unknown senders soliciting interest in the scam.

One of the texts, a screenshot of which was posted in the thread, reads: “I got your number from the T-Mo employee directory. I’m looking to pay someone up to $300 per sim swap done, if you’re interested, reply and we can talk.”

Another example message invited the recipient to reply to the offer via Telegram. The texts were sent from a variety of numbers with a range of area codes.

“Myself and a group of former employees all got the same message, all from different numbers and with different verbiage,” one participant in the Reddit thread said.

“My entire store got this this morning,” another person said.

SIM swapping, also referred to as simjacking, is a technique cybercriminals use to breach accounts secured by multi-factor authentication (MFA). If a wireless carrier ports the victim’s details from their legitimate SIM to one controlled by a threat actor, the actor will receive messages intended for the victim, allowing them to take control of their account.

Although cyber gangs often use social engineering to dupe carrier help desk staff into performing the swaps, paying an insider to do the work can be much more efficient.

Criminals working with dated data?

While it was unclear how hackers obtained the mobile numbers of the T-Mobile and Verizon workers who received the texts, both companies have suffered breaches of employee information in the past, including T-Mobile in 2020 and last year.

Also last year, a Verizon staff member gained unauthorized access to a file containing details of about half the company’s 117,00-strong workforce, although the company said at the time there was no evidence the information was misused or shared outside of the organization.

The number of former T-Mobile staff commenting on Reddit that they received the SIM swap text suggested the hackers behind the campaign were working with dated information, rather than up-to-date data recently stolen from the carrier.

This appeared to be reinforced by the company, which said in a statement that T-Mobile did not have a systems breach.

“We continue to investigate these messages that are being sent to solicit illegal activity. We understand other wireless providers have reported similar messages,” the statement said.

Last August, a Cyber Safety Review Board report into the criminal activities of the Lapsus$ threat group recommended U.S. federal agencies be given enhanced powers to combat malicious SIM swapping.

The Federal Communications Commission (FCC) introduced new regulations in November requiring carriers to adopt secure authentication procedures prior to carrying out a SIM swap, and mandating that customers were alerted when SIMs linked to their accounts were changed.

T-Mobile offers a “SIM protection” service customers can activate to prevent SIM changes on their account.

Phone company staff who collude with cyber gangs in SIM swapping schemes face serious consequences. Last month a former manager of a telecommunications company from New Jersey pled guilty to SIM swapping. He is due to be sentenced in July and faces a maximum sentence of five years in prison and a $250,000 fine.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.