SIM-Swap Account Takeover Targeting T-Mobile Customers
Criminals use stolen personal data to convince T-Mobile to transfer a victim's phone number to an attacker-controlled SIM, giving them access to SMS one-time codes and enabling rapid takeover of financial accounts.
Part of: SIM Swap Scams
Last reviewed: 8 June 2026
T-Mobile has been the subject of several high-profile data breaches in recent years, meaning that attackers sometimes already hold T-Mobile account details — names, account numbers, billing addresses — needed to pass identity verification checks. This stolen data feeds directly into SIM-swap schemes where criminals impersonate the legitimate account holder.
The attack targets the weakest link: the interaction between a customer-service agent and a caller armed with correct-sounding personal information. T-Mobile has introduced a NOPORT account feature that restricts number porting, and enhanced PIN requirements, but the volume and sophistication of attacks means some succeed.
After gaining control of the victim's number, attackers target accounts most likely to yield fast, hard-to-reverse monetary gain: cryptocurrency exchanges, stock-trading apps, and peer-to-peer payment services like Cash App and Venmo.
How this scam works on the T-Mobile brand
T-Mobile attackers often combine a SIM swap with a preceding credential-stuffing attack: they obtain the victim's T-Mobile login from a breach database and log in to the My T-Mobile portal to initiate the SIM change online, bypassing human agents entirely. This makes the fraud faster and reduces the social-engineering risk on the attacker's part.
In store-based attacks, the criminal presents a fake or stolen ID that matches the victim's name and address. T-Mobile retail employees are trained to verify identification, but a convincing document can defeat the check. Insider employees who accepted bribes to process SIM swaps have been prosecuted in multiple US jurisdictions.
Following the swap, the attacker resets passwords at targeted services using the now-controlled phone number. Victims often realise something is wrong only when their phone goes dark and they attempt to make a call, by which time financial damage may already have occurred.
Common red flags
- Your T-Mobile handset suddenly shows no signal or Emergency Calls Only with no network outage reported
- T-Mobile sends a confirmation email for a SIM change or device upgrade you did not request
- You stop receiving SMS messages, including routine two-factor codes from other services
- A T-Mobile PIN or account verification request appears in a chat or text you did not initiate
- Financial app login-attempt notifications arrive on your secondary email for actions you did not take
- Unexpected My T-Mobile logins appear from unfamiliar locations in your account security history
How to protect yourself
- Enable T-Mobile NOPORT and account SIM lock features via My T-Mobile to prevent unauthorised number transfers
- Use a strong, unique account PIN that does not match your SSN, date of birth, or other guessable personal data
- Migrate SMS-based two-factor authentication on financial accounts to an authenticator app or a hardware security key
- Use a secondary, private email address for your T-Mobile account that is not publicly associated with your name
- Subscribe to credit monitoring and consider a credit freeze to limit collateral damage from identity theft
- If service drops, call T-Mobile at 1-800-937-8997 immediately from a different phone
How to report it
- Call T-Mobile at 1-800-937-8997 and report the SIM swap; ask them to lock the account and restore your original SIM
- Report to the FTC at reportfraud.ftc.gov and to the FBI at ic3.gov
- Notify affected financial institutions and ask them to flag your accounts for unusual activity
- File an identity theft report at identitytheft.gov
- If a T-Mobile store employee may have been involved, report this to T-Mobile corporate security in addition to law enforcement
Frequently asked questions
T-Mobile had data breaches — does that make SIM swap more likely for me?
Past breaches mean some account information is already in attacker hands, lowering the research effort needed to impersonate you convincingly. This is a strong reason to enable NOPORT and switch to authenticator-app two-factor rather than SMS.
What is T-Mobile NOPORT?
NOPORT is a T-Mobile account-protection feature that blocks your number from being ported to another carrier until you personally remove the restriction. Activate it in My T-Mobile or at a store with ID.
Can bribed insiders at T-Mobile stores carry out SIM swaps?
This has occurred and led to criminal prosecutions. If you suspect an inside job, report it to T-Mobile corporate security and law enforcement. Enabling NOPORT and using non-SMS second-factor authentication reduces the impact.