Fake wireless carrier account suspended phishing — impersonates AT&T, Verizon, T-Mobile, or Sprint, claims wireless account suspended or payment failed, drives to credential/card-harvest page via "verify your payment" link; FTC 2024: telecom impersonation scams cost $330M; AT&T and Verizon among top-5 most impersonated brands

Phishing emails impersonating major wireless carriers (AT&T, Verizon, T-Mobile, Sprint, or generic "your wireless carrier") and claiming the victim's mobile account has been suspended, placed on hold, or has a payment failure — driving to a credential- or payment-card-harvest page disguised as the carrier's account portal. Key facts: (1) FTC 2024: telecom impersonation scams cost Americans $330M in reported losses — a 45% increase over 2022; AT&T and Verizon are consistently among the top-5 most impersonated brands in credential-phishing campaigns, according to Verizon's own DBIR and independent threat intelligence; (2) The attack model is simple: victims who click the link land on a lookalike login page (often hosted on newly registered typosquat domains) where they enter their carrier credentials and often their payment card details under the guise of "confirming" the account update; credentials are then used for account takeover, enabling SIM-swapping attacks that bypass SMS-based MFA on bank accounts; (3) SMS-based phishing ("smishing") is the primary vector for carrier impersonation, but email campaigns targeting carrier customers from data broker lists are a growing secondary vector; (4) Legitimate carrier notifications about payment failures or account suspensions arrive from verified carrier domains and deep-link to the carrier's official app or account management portal — they do not direct customers to third-party link-shorteners or unfamiliar domains. Warning signs: sender domain not the official carrier domain, urgency about account termination within hours, link to a non-carrier domain, no reference to the last 4 digits of your payment method or account number.