on 30-06-2023 15:21 - last edited on 04-03-2024 10:20 by Dave-O2
⚠️ Been called and offered a discount or free gift? ⚠️ ⚠️ Been called and asked for a 6-digit code? ⚠️
Welcome to our new Scam Alert Megaguide. There is a LOT of detail and info here, and if you've just been called by a scammer or if you've ever fallen for a scam, then my hope is that you'll learn how to spot these scams, learn how to stay one step ahead of them, and what to do if you've become a victim. The Scams Advice thread will continue to live on and receive updates as and when we see new scams or trends we want to highlight, so make sure to bookmark that thread as well as this one.
Scammers use various formats to try and scam you and these are typically:
Smishing used to be the most prominent form of scam but in recent months we've seen more reports around vishing scams, where someone claiming to be from O2 will call – usually about one of these things:
ℹ️ OTAC stands for one-time authorisation code, meant for you and you alone, as a way to authenticate yourself and prove you are who you say you are. If you give this code to a scammer, they can commit fraud, drain your bank account, ruin your credit score, or cause other damages. You can see what these SMS look like here.
The way these vishing scams work is usually the same. Here's how one of these 'discount scam' vishing calls might typically go if you fell foul of the scam:
The OTAC SMS's you receive are from O2 and are legitimate but the caller is a scammer and they have zero affiliation with O2 or our partners. Before or during the call, they'll be on the O2 website and click on the 'forgotten password' option, which then triggers the OTAC messages to be sent to you; because anybody, anywhere can input your number into that 'forgotten password' option, this is not proof the caller works for O2 or has access to your account or our systems.
The OTAC is everything and is the entire basis on how this scam works, so it's imperative you treat your OTAC like your bank card PIN number... Never give it out to anybody under any circumstance. If you provide the scammer with your OTAC, it's akin to you giving a robber the keys to your home. With your OTAC, they can use it to:
ℹ️ Someone calling from an official number, but it's still suspicious? You should be aware that sophisticated scammers can now clone the phone numbers of organisations they want to impersonate. Just because the number on your caller display matches an official number or even displays the name of the company you’re calling, it might not be real. If you’re calling back the company, find the number yourself and don’t use the number the suspected scammer may supply. The safest way to contact most UK banks after a supposed fraud call is using the new 159 service.
Sometimes scammers may try to demonstrate their legitimacy by providing you with info or details you’d think only O2 has – such as your name, number, what phone you have – or something else. If during the call you provided the scammer with your OTAC, they will have access to a lot of this information, including your tariff cost, bill history, address info and more, that they can use to try and convince you that they're legitimate. If during a call you haven't provided the scammer your OTAC and they repeat some details to 'prove' they're from O2, it may often be impossible to know how and where this info came from, but we assure you it didn’t come from O2.
Scammers use various methods and tactics to extract data and piece a profile of you together – often from countless sources that when combined, could make it convincing that they’re legitimate. Some examples of how and where scammers may have found your data or info:
I have covered this in more detail in a previous update, but as convincing as some scams are, there’s a lot you can look out for and hopefully identify them with, including:
Long story short is to please take notice of the first SMS you receive before the one with the code arrives. You can see here what these OTAC messages say, but this is the first one you receive prior to the code arriving:
We cannot stress enough that these OTACs are for you, and for you alone. They are a way for you to authenticate yourself and to prove to us that you are who you say you are, so that you can make account changes, order devices legitimately or do anything else you’d want to within your account. By giving this code to anyone else, you are compromising your own security and information and you could cause yourself untold hassle and damage to your credit file which could then impact mortgages, loans, banking products and more.
Up until the start of 2023, a large proportion of the scams being reported to us via social media were smishing based, with the most common scams being:
Though we’re seeing much less of these than we used to, all the scams above are still around so it's important to remain cautious and think twice about clicking links. Here are some common signs (but not a guarantee) that a text may be a scam:
Similar to smishing, we’ve not seen a lot of new changes here but we’ve recently seen some new email scams and spam. One such email says “we’re updating your O2 login” with a number to call if you need to discuss it. That number is a scammer, who will then attempt to scam you or extract further info from you they can then use to either sell to other scammers, or use it to commit fraud in your name.
The other email appears to be more spam than scam, but in both this example and the one above, the biggest tell-tale sign it's not from O2 is the email address both emails were sent from, neither of which are legit O2 email addresses.
ℹ️ Take notice that in both example emails below, they state the last 4 digits of a mobile number at the top. Sometimes these may be random, but the email content may come across urgent enough you might not fully notice it's not your number. And sometimes the last 4 digits will actually be yours - to be clear, this does not mean the email is legitimate, just that a scammer knows your number and has used it to make their email look legit. See here for more info as to how these scammers may know your mobile number.
Example 1: Take note of the fake email address and contact number in use here
Example 2: Take note of the fake email address in use here
Another email to be aware of, which is actually a legitimate email and not from a scammer, is where you've been told "Your O2 account has been locked due to 5 failed login attempts". I'll include a screenshot of this email below - if you've received one that's identical, is also from the same email address, and it's not asking you to click any links or call any numbers, then it's more than likely legitimate. If it does ask you to call a number or click a link, or looks different from below, then it may be a phishing email and you should be cautious.
You'll have received this email either because:
Some scams might pretend to be from O2, or from an organisation you already deal with. It's important that we see examples of phishing emails, texts and websites so we can investigate and shut down scammers.
To report a suspicious email:
To report a suspicious text:
ℹ️ Information shared to 7726 will be available to all UK mobile operators, the Information Commissioner’s Office and various approved organisations that are involved in criminal investigations, to enable them to identify the senders. These approved organisations include the National Cyber Security Centre (NCSC) and the Serious Fraud Office (SFO).
ℹ️ Information may also be shared with the organisations who are being targeted by the smishing attacks, to help them protect their customers from fraud.
To report a suspicious call:
Additional steps
You should also report your phishing experiences to report@phishing.gov.uk. The information provided lets law enforcement organisations remove fraudulent sites and identify patterns of attack used by scammers to help us all defend against them.
ℹ️ Think a fraudster might have access to your O2 account? See our fraud advice, and report it to us straight away.
Here we'll attempt to answer some common questions we've seen asked via our social media channels. If you have any questions not covered below, or in all of the information above, then let us know in the comments below and one of our Community experts may be able to assist or explain, or drop us a message on Twitter, Facebook or Instagram.
Q. These scammers had all my info - my name, address, how much I pay. How did they have that?
A. If during the call, or on a previous call, you gave the scammer your OTAC code, they could have logged into your account and had access to all of this and more. With access to all of this info, these scammers can make it very convincing that they work for O2 when they don't.
Q. But I didn't give them my OTAC, so how did they know?
A. As covered here, some scammers employ a number of tactics in order to create a profile of you. In some cases, they may even have purchased such a profile on the dark web - part of a massive database someone may have pieced together using various sources and leaks, none of which may have any links or ties to O2.
Q. How can I better protect myself against scammers and hackers?
A. There is no one thing you can do that will protect you - instead, you need to approach online safety and security with a wide field of view and consider many aspects such as, but not limited to:
Those are just some of the main ways you can help keep yourself safe and secure from scammers, but these criminals are cunning. They will evolve and find new ways to scam you or steal your information or identity to commit fraud, so please be vigilant, take notice of warnings, and trust your gut.
Q. What are you doing about these scammers?
A. We act upon reports submitted to 7726 and act accordingly – either to ban the number and take action if it’s on our network, or report it to the network it belongs to and block it from further contact with our customers.
Q. But what about preventing the calls in the first place?
A. We regularly explore options available to us to tackle the issue of scammers and spammers head on, and we’ll continue to explore all options to reduce and hopefully eliminate (as much as possible) scams and spam being sent to our customers.
Q. I've been a victim of fraud and would like further support or advice
A. There are other sources available, including:
Q. What steps can I take to ensure a QR code is genuine?
Q. How do you contact genuine competition winners?
We will only contact you from our verified social media pages and we will never redirect you to a website, or ask for your credit card details. Remember to check the tick next to our name – our pages are @o2uk on Facebook and Instagram and @o2 on X and TikTok. If you have any concerns or doubts, please private message our verified pages.
on 02-10-2023 17:15
Unfortunately I've just fallen for the same scam. Phoned O2 and they've taken the details etc. If the phones are delivered tomorrow I'm to refuse delivery. What worries me is that they've set-up £1200 credit for these phones. Fingers crossed O2 are stopping this credit as I don't have any money to pay.
on 02-10-2023 17:44
@I-am-an-idiot You need to contact your bank as you have given the scammers your financial information. They can help protect your account and stop transactions.
Change your account and online account passwords. Not just your O2 account. All of them.
Don't just rely on O2 to sort this out for you. Report this to the police: https://www.actionfraud.police.uk/
on 02-10-2023 17:49
Flash forward three months......
on 03-10-2023 03:30
I fell for this scam today ‘hook line and sinker’ 😫. An iPhone 15 is on its way tomorrow.
on 03-10-2023 18:22
on 07-11-2023 16:35
Hey all,
Just wanted to pop in with some updates and changes. Most of the help and advice in my original post is still valid, but some of it has changed slightly so I'll be making some tweaks to it sometime this week.
Before I get into it, one of the bigger issues we see with scams is account takeovers. The way scammers achieve this is by using the 'Forgotten password' option at the My O2 login page, which previously would have triggered a 6 digit code (OTAC) to be sent to you via SMS. The scammer would then try and convince you to give them that code which, if you did, effectively gives them full control of your account where they can do things such as:
Our Fraud & Security team made a positive step forward by removing OTAC via SMS password and account resets. This has reduced this kind of fraud by a large amount already, and it's sent these scammers scrambling. With any luck, it'll even have made some of these criminal organisations collapse.
Instead, now if you need to reset your My O2 password you are sent a link to the email address your account is registered with and when you click that link, you'll then be able to change passwords.
We have seen examples of these scammers change tactics, with some reports that they are now asking you to forward that email to them, where they would then use your link to change the password themselves - but at this point we imagine this would sound dodgy enough to most customers that they'll be vigilant enough to hang up, block their number, and report it to us by texting CALL to 7726.
on 07-11-2023 16:57
A step in the right direction.
With both of my Bank Accounts I have to Verify via the Banking App.
Maybe a future direction for My O2
on 07-11-2023 20:12
Does the link sent by e-mail include a warning not to forward it to anyone else?
on 09-11-2023 11:12
Hey @Oxonian - I've included a screenshot below of the email that's sent when you click on the 'forgotten password' option. The email does make it clear the link will reset the password.
on 09-11-2023 18:38