Fake Mobile Carrier eSIM Roaming Scam
Criminals send fake messages impersonating any mobile carrier offering a free roaming eSIM upgrade, tricking customers into scanning malicious QR codes that hand over control of their phone number.
Part of: Fake eSIM & Roaming Scams
Last reviewed: 8 June 2026
This class of scam does not target a single carrier — it operates across all networks by impersonating whichever carrier the victim uses. Fraudsters send generic eSIM-upgrade messages and rely on the recipient assuming the message is from their own provider because the subject matter feels relevant to their service.
The attack is particularly dangerous because eSIM fraud can lead directly to SIM-swap-style account takeovers. Once a scammer controls your mobile number, every account protected by SMS two-factor authentication — including banking, email, and social media — becomes accessible without your password.
Mobile carriers do not proactively push eSIM migrations to customers via email or text with embedded QR codes. eSIM setups always require the customer to initiate the process through the carrier's official app or in-store — any unsolicited eSIM QR code is fraudulent by definition.
How this scam works on the Your Mobile Carrier brand
The attack usually arrives by email or text and claims the customer's phone plan now includes a free international roaming eSIM that they must activate before an upcoming trip. The message uses generic carrier branding — a simple logo placeholder in some cases — and instructs the customer to scan the provided QR code within 48 hours or the offer will expire.
Because the message does not reference a specific carrier name, scammers cast a wide net and rely on a percentage of recipients who are active mobile customers and who are planning to travel.
Some variants are carrier-specific spoofs using domain names like 'att-esim-upgrade.com', 'verizon-esim-roaming.net', or 'o2-esim.co.uk' — taking advantage of the real carrier's brand in the sender name while operating from a fraudulent domain. The outcome is the same: a malicious eSIM QR code that hands the scammer routing authority over the victim's phone number.
Common red flags
- Any unsolicited email or text containing an eSIM QR code you did not request from your carrier
- The message claims your plan 'now includes' an eSIM or roaming upgrade you never ordered
- The sender domain is not your carrier's official domain — check the exact URL carefully, not just the display name
- A countdown timer or expiry date creates pressure to scan the code without verifying
- You receive an unexpected confirmation that an eSIM was added to your account
- You notice you stop receiving calls or SMS messages after scanning a code
How to protect yourself
- Never scan an eSIM QR code you did not explicitly request from your carrier through their official app or website
- If you want to set up or transfer to an eSIM, initiate the process yourself through your carrier's official app or by visiting a store
- Check your device's SIM management settings immediately if you suspect you scanned a malicious code
- Call your carrier immediately if you believe an eSIM transfer occurred — carriers can reverse unauthorised transfers
- Enable app-based two-factor authentication instead of SMS-based 2FA wherever possible to reduce your exposure to SIM-swap attacks
- Request your carrier add a SIM-swap lock or account-transfer PIN to make unauthorised number transfers harder
How to report it
- Contact your mobile carrier immediately at the number on the back of your physical SIM card or on their official website
- Report to your national cyber security authority — NCSC at ncsc.gov.uk (UK), CISA at cisa.gov (US)
- File a report with the FTC at reportfraud.ftc.gov
- Forward suspicious texts to 7726
Frequently asked questions
How do I legitimately set up an eSIM?
Contact your carrier directly through their app or website and request an eSIM. They will generate a QR code for you to scan within the app or send to your registered email after identity verification. Never scan a code you received unsolicited.
What happens to my physical SIM if I scan a fake eSIM QR code?
Your physical SIM usually continues to function, but the scammer's eSIM profile may duplicate your number on their device, allowing them to intercept incoming SMS and calls.
Can my carrier block eSIM swaps?
Yes. Most carriers can add an account PIN or port-out protection that requires additional verification before any SIM or eSIM transfer. Call your carrier to activate this protection.