Communications Litigation Today was a Warren News publication.
'Long Aware' of Risks

T-Mobile 'Negligent' in SIM Swap Scam, Alleges Class Action

Scammers transferred out more than $24,000 from a T-Mobile customer’s Coinbase account in a “SIM swap scam,” alleged a Monday class action (docket 2:23-cv-271) in U.S. District Court for Western Washington in Seattle.

Illinois resident Eman Bayani alleges scammers “convinced T-Mobile to transfer access” to his cellular phone number from his registered SIM card to the scammers’ SIM card. The scammers accessed Bayani’s Coinbase account, from which they transferred out over $24,000 in cash reserves and bitcoin, leaving him indebted to the cryptocurrency company for $2,706 that was unlawfully transferred from his bank account to Coinbase, said the complaint.

Bayani signed a contract with T-Mobile for service in December 2021 and lost access to his SIM card eight days later, said the complaint. He and his wife made several trips to T-Mobile stores over a week because of repeated instances of service disruptions, paying fees that employees said were due on his account in order to restore service. Bayani filed a police report while traveling to Paris, Texas.

Scammers were able to perpetrate the scam because of T-Mobile’s “gross negligence” in protecting customers’ private financial and personal information, its negligent hiring and supervision of T-Mobile employees responsible for safeguarding information, and its violation of laws that protect the information of wireless carrier customers, the complaint said. By having access to Bayani’s SIM, scammers could use text verification to reset his passwords on his email, banking and Coinbase accounts and withdraw funds from them, it said.

T-Mobile is aware of the fraudulent practices by scammers, said the complaint, referencing warnings from the FTC and multiple lawsuits with similar allegations. The carrier "has long been aware of the security risks presented by its weak user credential structures and procedures," it said. The company "did not use readily available security measures to prevent or limit such attacks."

The complaint claims T-Mobile violated the Communications Act, Stored Communications Act, Computer Fraud and Abuse Act, and Washington Consumer Protection Act. It was negligent in safeguarding customers’ information and in hiring and supervising employees, alleged Bayani. The plaintiff seeks actual and statutory damages, injunctive relief, pre- and post-judgment interest and reasonable attorneys’ fees and costs.