on 19-07-2024 13:43
I got a very clever scam call that exposes the lack of security in O2's 2FA verification text.
The guy said along the lines of 'Hi.. we've just noticed the plan your using is outdated because it's still from 2015', simple and believable - didn't ask for any bank information, just suggesting an upgrade.
Then he said 'Yeah I'll just text a code through to you and if you could confirm it'. He pulled this off very smoothly just as an official text from O2 with a easy to read security code comes through. Which is the SCAM.
The text reads 'O2: Your verification code is XXXX'
(The scam is, this is just him pressing 'Forgot Password' to trigger this official O2 text to me, once he has the 2FA code he will log into my account and order a bunch of phones).
Many people will fall victim especially how neatly it was pulled off, and how easy it is to read 4 digits before your eyes.
This scam can be practically eliminated if this 2FA text is reworded to:
'Attempted log-in, never give this code to anyone one the phone. However, if you are trying to log in:'
Or something more concise. That's my suggestion.
Many thanks
on 19-07-2024 14:09
We're fully aware of this and the preceding text to the one with the code clearly states NOT to give the code to anyone.
on 19-07-2024 14:31
on 19-07-2024 14:31
Nothing new under the sun, @swalk. I've lost count of the number of years we've been telling others to never agree to, or open any links, or enter any information from a cold caller, no matter who they say they are.
Block the number and report it free to 7726.
O2 advice here:
https://www.o2.co.uk/help/safety-and-security/phishing-and-smishing-advice
https://www.o2.co.uk/help/safety-and-security/unwanted-calls-and-messages
https://www.actionfraud.police.uk/
How to block a number:
on 19-07-2024 14:34
on 19-07-2024 14:34
Its a social engineering attack, and they pick numbers at random and then call you, as soon as you answer they click on Forgot password, and hope the victim on the end of the phone thinks its a genuine call.
Quite easy to do really with publicly available information from the regulator.
o2 do send a precursor text,. that tells you not to give out the code, and if on the phone to someone who called you to hang up and call o2 to report it. (You always get both texts if not check you havent marked it as spam on your phone)..
What o2 should be doing is pushing customer to use Auth Apps, or RSA based tokens (at the customers expense they are expensive) or USB finger print readers to authenticate
on 19-07-2024 16:00
on 19-07-2024 16:00
Yes, as mentioned this is what happened. However there was no precursor text.
on 19-07-2024 16:01
on 19-07-2024 16:01
Ok great, however the majority of customers are not forum members. It's more efficient just to have a disclaimer in the text message itself.
on 19-07-2024 16:03
on 19-07-2024 16:03
Ok awesome, thanks
on 19-07-2024 17:09
on 19-07-2024 17:09
@swalk You don't need to be a member of this forum to have a little common sense about scam calls and texts. There's a news story every day about people getting taken in by scammers. It happens to people all over the world, and there's only so much any network can do at the moment to protect their customers. Some of the responsibility has to come from the customers themselves.
on 20-07-2024 06:41
on 20-07-2024 06:41
You've lost count of telling people - why not just have the text message tell people automatically?
This is within capability and it's a significant precaution which would reduce scams.
This scam relies on him telling you he's sending you a code to which you simply read.
Only trying to help.
on 20-07-2024 11:03
The messages received are very clear about this if anyone cares to read them.
Not much else to be said.