31-03-2020 10:50 - edited 28-07-2021 14:52
We know Flubot has been in the news more recently due to it becoming a heavily used form of smishing by these scammers, so we want to update you with more information on what Flubot is, how to spot it, and how to stay safe. See full update below for more info.
Flubot scam - What is it?
Flubot is a text message scam. It is part of a large scale smishing attack using a malware named Flubot. Currently it is only impacting Android devices, and is downloaded under the guise of a tracking app or a message with a link to retrieve a voicemail which is installed when you click on the attached link.
If you install the app the malware is then able to take over your device and this allows more infected SMS to be sent to contacts within your device without your knowledge.
Please be aware that if you do install the app, your contacts and your banking apps may have been accessed by the fraudster.
If you have received the message but not clicked on the link and downloaded the app, you can report the message to 7726 and then delete it.
If you have downloaded the app and believe your device has been infected, you will need to remove the malware from your device and you can do this by following the actions recommended by the National Cyber Security Centre, which is to perform a factory reset on your device, which will wipe the device and remove the malware. To carry out a factory reset, please visit the National Cyber Security Centre’s website and search on the text “flubot guidance”. You should NOT perform a back-up to reinstall anything on your device after the factory reset, as that will also reinstall the malware.
Other options that MAY be available are:
- Activating Google Play protect and perform a complete device scan. This action MAY allow you to delete the malware.
- Activate the safe mode on the Android device. Safe mode places a temporary block on third party apps from running. This may let you identify the Flubot app and then uninstall it.
I believe my device is infected – What should I do ?
Please forward the original text message to 7726
If we have identified that your device may be infected by Flubot as part of the monitoring of our network, we may bar your outgoing SMS in order to protect you, your contacts, and our network. To have this SMS bar removed, please follow the advice below on how to remove the malware. Once you have done this please contact customer services
If you advise us that you have removed the malware but this has not been completed, the outgoing SMS bar is likely to be reinstated.
If you have incurred charges to your bill due to Flubot, this will be reviewed and where applicable these charges will be credited back to your account.
However, if you advise us that you have removed the malware and this has not been completed, and you continue to incur costs due to Flubot you may be liable for these charges.
We have seen a number of new examples of the Flubot scam and are taking actions to protect customers from these. We have also made an upgrade to 7726 to make it easier to report calls.
We have had reports of a new variant of the Flubot issue and wanted to highlight what these look like.
You will receive a SMS advising you have a missed voicemail and to click the link provided. Please don’t and if you have see the guidance below on the actions to take.
Please continue to report these to 7726 as it allows us to take the appropriate action to shut these down.
We have now completed a small upgrade to 7726 so that it is easier for you to report a Voice Call rather than just SMS.
To make it easy for you the system will only require a single message
If you receive a call then you should report it as follows:-
Voice (Calling number) e.g. Voice 077305***** or Voice 4477305*****
No words or comments should be included otherwise it will be registered as a text message and not a voice call.
When used you will see the following response:-
Thanks for reporting a nuisance call. The details will be shared with the other operators and law enforcement teams
We've started seeing some texts claiming to be from O2 More or My O2 that refer to various gamling offers or websites, though may not be exclusive to just gambling offers - it's just that that's what we've seen so far. More details below.
I wanted to highlight a few texts we've seen originating from a spoofed 'My O2' or 'O2 More', usually related to gambling offers - but this may not be exclusively. See below some recent examples we've had.
Some of the usual 'tells' that this is a scam and not from O2 can be seed in typos, grammar or punctuation mistakes, such as:
- In the second example, 'Bet on the England Vs Scotland' - what? The whole sentence just doesn't really make any sense as it seems to be missing words like match and 'an' before exclusive
- In the third example they deliberately add spaces to the Gambleaware website to ensure it's not tappable, and the last bit again doesn't flow well
It can be difficult to tell what's a scam and what's real though, so please continue to be vigilant and if you're in doubt, it's best not to open these texts or tap on any of the links. Continue to follow our previous advice to forward suspected scam texts to 7726 for us to investigate.
We wanted to alert you that we’re starting to see new variations of the recent Flubot SMS scam you may have read about here, on our Social Media feeds, or via the news. Some variants we have seen so far include messages pretending to be from UPS, ASDA and others. We wanted to clarify a couple of points that we hope will help keep you safe over the bank holiday weekend.
- The way the Flubot scam works is that by tapping on one of the links in the message, it takes you to a website that downloads an ‘APK file’. This file is a fake app that installs to your device, and then downloads other apps that make it look like your online banking app (or other apps) which can steal your logins and more
- Because this Flubot scam works by installing an APK file, this is currently specific to Android – but if you’re an iPhone/iOS user, we strongly recommend you follow the same advice below
What to do if you receive one
If you receive a text or email you weren’t expecting and it’s asking you to tap on a link, be suspicious and scrutinise the details. If it’s from a random mobile number, chances are high it’s a scam text. If the link looks odd, chances are high it’s a scam text. If the text has typo’s or poor structuring, chances are high it’s a scam text. In these cases, please forward the text to 7726 for our security team to take further action.
If you get such a text and everything looks absolutely fine, or you were expecting a delivery from the courier mentioned and you think it might be genuine, we urge you to use caution and to contact the company in question to confirm its legitimacy before tapping on any links. If the courier/business cannot confirm the legitimacy of the SMS, please forward the text to 7726 for our security team to take further action.
For more guidance, please visit the National Cyber Security Centre
Mobile network operators are aware of the Flubot SMS scam and are advising customers to be vigilant and careful about clicking on any links received in an SMS. For the full update, tap here or view it below.
The Flubot SMS scam is a piece of malware that impersonates other apps on a victim’s phone to steal their banking credentials and other private information. It spreads through SMS and can eavesdrop on incoming notifications, read and write SMS, make calls, and transmit the victims’ entire contact list back to its control centre.
Actions to take if you believe you have received a Flubot text message
If you believe you have received a Flubot message, customers should forward anything suspicious to 7726 so the links can be tracked.
Be Vigilant and Aware
The best advice if you’re unsure is to ignore, report, and delete.
Here's an example of a Flubot SMS. If you receive anything similar, please don't click any links. Report it as instructed above, then delete it.
Royal Mail email, text and Facebook scams have been around for a long time, but this month we've seen an increase in activity and so we wanted to bring this to your attention to help show you how to spot these, and what to do about them. See more details in the update here.
In February 2021 we updated the OTAC (one time authorisation code) SMS messages we send you when you request certain account actions such as SIM swaps, upgrades or account recoveries. Never share this code with anyone who calls you. See more details in the update here.
In January 2021 we started seeing a convincing new text message scam that pretends to be from the NHS offering you a vaccine. Please see full details in the update here.
In August 2020 we added a new section to this thread highlighting other scam activities you should be aware of. These include details on the 'Wangiri Scam', flyer, and other scams. Please see the update here.
Received a suspicious SMS or Email? There's no need to contact us. See below hints and tips for spotting these scams, and what to do with them.
We often see reports from customers who believe that they may be at risk from fraudsters trying to dupe them into sharing their personal information. These types of scams are known as phishing or smishing – a form of fraud which impersonates a company in order to steal sensitive information such as login, bank or other personal details. We’ve pulled together some information to help you identify these scams and keep your information safe.
What is it?
Phishing or Smishing is when fraudsters attempt to get hold of sensitive information such as usernames, passwords or bank details by pretending to be a trustworthy source in emails (Phishing) or texts (Smishing). These scams work by sending you an email or text that looks like it’s from your bank, service provider or other company, usually asking you to visit a fake website that looks real. If at this point you try logging in, or provide any info, fraudsters will attempt to use that info to commit fraud in your name.
What are you looking for?
As with many scams, it begins with an email or text. Some of these may be from scammers pretending to be O2, and may alert you to an unpaid or overdue bill, and will include a link to pay or ‘view your bill’. This messaging is designed to panic recipients into clicking the link to view the bill.
Clicking the link will either direct you to a fake website or in some cases, download Malware to your computer. The most common type of phishing email will direct you to a fake website and ask you to enter your login details. Malware can be used for a number of things – for example, it could record your keystrokes, enabling fraudsters to piece together even more personal information and login details.
Signs of a Phishing or Smishing Scam
It’s often easy to spot a scam. Be on the lookout for:
- Spelling mistakes
- A ‘from’ email address that doesn’t match the company or organisation
- A text sent from an unfamiliar sender, such as a normal looking mobile number
- Demands that you take action straight away or risk having your account suspended
- A generic ‘dear customer’ header
- Suspect links with extra letters, numbers or substitutions. For example, a phishing scam trying to imitate O2 might replace the letter ‘O’ with the number zero
- Requests for sensitive data like usernames, passwords, D.O.B etc.
Here are some examples of Phishing emails:
Here are some examples of Smishing texts:
What to do
If you’re suspicious about an email you’ve received and it's pretending to be from O2, please send it onto our team to be looked into. DO NOT click on any links. It’s important that we see examples of phishing emails and websites so we can investigate and shut down scammers. To report a suspicious email or website:
- Create a new email draft with ‘Phishing’ as the subject
- Attach the suspicious email
- Send to email@example.com
To report a suspicious text pretending to be from O2, forward the original message to 7726. You may get an automated response thanking you for the report and giving you further instructions if needed. You will not be charged for sending texts to 7726.
Alternatively, if your phone supports SPAM reporting (currently available if you have an Android device using the Google Messenger App, but others will be available soon), then press the SPAM button to automatically forward the message to 7726.
For more info about phishing from our support pages, click HERE.
For more info and advice on how to safeguard against fraud, visit the Fraud Advisory Panel.
For more info on spam texts click here.
We'll update this thread regularly, as and when there are new scams you should be aware of, or we want to share any details that will help ensure you don't fall foul to scammers.
on 31-03-2020 10:52
06-08-2020 16:51 - edited 06-08-2020 17:14
AUGUST 2020 UPDATE
I wanted to share some recent examples of phishing, smishing and scams in general. All of the advice in the original post further up is still correct and up-to-date, and you should always maintain vigilance when you're unsure on the legitimacy of any message you receive. The information below is purely to update you on some of the new techniques we're seeing at O2, with the hope it helps more of our customers stay safe and secure.
Firstly, a quick update on the terminology:
- Phishing: When fraudsters attempt to get hold of sensitive information such as usernames, passwords, and credit card details, by pretending to be a trustworthy source in an email
- Smishing: Same as the above, but when it happens via a text message instead
- Vishing: Same as above, but when it happens via a phone call instead
Before we get into this one, it's important to know what 'Wangiri' means. In Japanese, it translates to 'one ring and drop'. The purpose of this scam is that you'll receive a phone call from some unusual or obscure international number, which will typically terminate before you ever get a chance to answer it (which you never should).
Unsuspecting customers who see a missed call may not think twice about calling back... What if it's a family member on holiday? This is exactly what these scammers are hoping for and as soon as you call that number back, bang, that's you just been stung a hefty premium rate call charge. What's O2 doing about these? We block numbers are soon as we become aware of them, and have investigated them. In many cases we'll have outbound blocked the number before you even receive the dodgy call, but these scammers are all around the world and new numbers are setup often, so this kind of scam is unfortunately likely to exist in the world for as long as there are phones.
Recent smishing examples
Smishing, like above, is likely to be something that will always exist, so it's important that customers on all networks, all around the world, remain vigilant and be able to spot the signs of a smishing attempt to ensure they don't get caught off guard and find themselves with extortionate charges due to falling for these scams.
See the screenshot below - this is a common example of the kind of smishing report we're receiving regularly, with the only thing changing from text-to-text being the URL. Don't worry about the number - that's the number of the scammer, and not of any customer.
There are several things to note from this smishing example:
- The number. Had this text been real, it would show as from O2 and not from what appears to be a normal mobile number
- Quite often, the dates won't align. If I know my bill comes out on the 1st of the month for example and I got this text mid-month, that should set alarm bells that it may not be legit
- The URL. One look at this example as it's quite obvious that it's not the O2 website.
- Typos or grammatical errors. There's nothing untowards about the layout of this text, though if you look at the last O2 billing text you received, you'll see there's a space between 'O2' and ':' at the start of the text. If you ever see a sloppy typo or similar, this should be a red flag and indicate something sinister may be going on
Flyers and other scams
Unfortunately the list goes on. Scammers and criminals will do anything for an easy £ and as their desparation grows, so too will the complexity of their scams. Other recent scams we've witnessed have been:
- Flyers or leaflets: It's unusual for a scammer to go to this much effort, but we recently spotted this scam circulating in the Camden area. If it's too good to be true, it normally is. The website itself should also ring alarm bells, as all of our offers are on the main o2.co.uk website.
- Email or website surveys: If you've received an email purporting to be from O2, either offering something in exchange for doing a survey, or promoting a stock clearance, then this is a phishing scam and is not something that we do.
- Website popup surveys: Though I don't have a screenshot example to share, you should also be weary of any pop-ups you see when browsing the internet. If you're browsing the internet and ramdonly get an O2 pop-up or advert that says you've been selected at random to win something, or if you answer a few questions you'll win a prize, then these are scams. These are not from O2 and we have nothing to do with them, and you should never click on these or give them any information. Ever.
- Fake O2 customer services: This isn't new, but a very recent example caught our eye that we wanted to share due to some convincing aspects of it. If you are contacting O2 via Social media, then you should ONLY TRUST THE OFFICIAL PROFILES BELOW. If you're asked to follow a random Twitter profile that isn't @O2, it's likely a scam. We will also never ask you to initiate an SMS to a shortcode number.
- Official O2 customer services on Social Media:
- Twitter: https://twitter.com/o2. @O2Sports and @O2Music are also genuine, as is @TelefonicaUK - though these aren't 'customer service' channels.
- Facebook: https://www.facebook.com/o2uk/
- Instagram: https://www.instagram.com/o2uk/
- In the screenshots below, here's what's happening... In the first one, the fake account would wait for the customer to reply to them and then eventually, the account would ask the customer to text 'Y' to a certain premium SMS shortcode, in order to authenticate themselves. In screenshot 2, it shows what happens if you follow this action through.
on 06-08-2020 20:56
So so many ways to steal your money!
on 07-01-2021 11:53
JANUARY 2021 UPDATE
I wanted to bring to your attention a new, clever, and very convincing scam that is doing the rounds via text message (smishing). The ongoing Covid-19 situation is cause for concern for all of us and this scam prays on fear and vulnerability in the hope that you won't think twice about it being illegitimate.
The text pretends to be from the NHS and says "We have identified that your are eligible to apply for your vaccine" and to click on a link to apply. When you click the link it takes you to a very convincing looking website made to look like the real thing (see screenshots below) which then asks you for a load of personal details including your name, date or birth, address, proof of address, and payment card details. Obviously with all of this info, scammers could cause a lot of havoc and commit fraud in your name, and this request for detailed personal information should be your first warning point.
As always, please continue forwarding suspected smishing/scam SMS's to 7726 so we can investigate and take action against it.
Any text message coming from a new or untrusted source containing a link should be treated with caution. The best way to find information about a Covid-19 test or vaccine is to visit the GOV.UK website directly or by looking it up through a trusted source. Do not click on links in unsolicited texts or emails.
There have also been reports of cold calls regarding the vaccine beginning to take place, where scammers are asking people to pay for the vaccine over the phone. If you receive one of these calls, please hang up immediately.
on 07-01-2021 12:13
Cannot believe that people stoop so low as to do this kind of thing...
Please note, this is not customer services and we cannot access your account. Do not publish personal details (email, phone number, bank account).
Link to our guide on how to contact them can be found here
on 07-01-2021 14:12
These pondlife will always find new scams unfortunately