on 30-06-2023 15:21 - last edited on 04-03-2024 10:20 by Dave-O2
⚠️ Been called and offered a discount or free gift? ⚠️ ⚠️ Been called and asked for a 6-digit code?⚠️ |
Welcome to our new Scam Alert Megaguide. There is a LOT of detail and info here, and if you've just been called by a scammer or if you've ever fallen for a scam, then my hope is that you'll learn how to spot these scams, learn how to stay one step ahead of them, and what to do if you've become a victim. The Scams Advice thread will continue to live on and receive updates as and when we see new scams or trends we want to highlight, so make sure to bookmark that thread as well as this one.
ℹ️ Use the index below to jump straight to a specific section
ℹ️ Click on any animated banner to come back to this index
Scammers use various formats to try and scam you and these are typically:
Smishing used the be the most prominent form of scam but in recent months we've seen more reports around vishing scams, where someone claiming to be from O2 will call – usually about one of these things:
ℹ️ OTAC stands for one-time authorisation code, meant for you and you alone, as a way to authenticate yourself and prove you are who you say you are. If you give this code to a scammer, they can commit fraud, drain your bank account, ruin your credit score, or cause other damages. You can see what these SMS look like here. |
The way these vishing scams work are usually the same. Here's how one of these 'discount scam' vishing calls might typically go if you fell foul of the scam:
The OTAC SMS's you receive are from O2 and are legitimate but the caller is a scammer and they have zero affiliation with O2 or our partners. Before or during the call, they'll be on the O2 website and click on the 'forgotten password' option, which then triggers the OTAC messages to be sent to you; because anybody, anywhere can input your number into that 'forgotten password' option, this is not proof the caller works for O2 or has access to your account or our systems.
The OTAC is everything and is the entire basis on how this scam works, so it's imperative you treat your OTAC like your bank card PIN number... Never give it out to anybody under any circumstance. If you provide the scammer with your OTAC, it's akin to you giving a robber the keys to your home. With your OTAC, they can use it to:
ℹ️ Someone calling from an official number, but it's still suspicious? You should be aware that sophisticated scammers can now clone the phone numbers of organisations they want to impersonate. Just because the number on your caller display matches an official number or even displays the name of the company you’re calling; it might not be real. If you’re calling back the company, find the number yourself and don’t use the number the suspected scammer may supply. The safest way to contact most UK banks after a supposed fraud call is using the new 159 service. Jump to information about the service here |
Sometimes scammers may try to demonstrate their legitimacy by providing you with info or details you’d think only O2 has – such as your name, number, what phone you have – or something else. If during the call you provided the scammer with your OTAC, they will have access to a lot of this information, including your tariff cost, bill history, address info and more, that they can use to try and convince you that they're legitimate. If during a call you haven't provided the scammer your OTAC and they repeat some details to 'prove' they're from O2, it may often be impossible to know how and where this info came from, but we assure you it didn’t come from O2.
Scammers use various methods and tactics to extract data and piece a profile of you together – often from countless sources that when combined, could make it convincing that they’re legitimate. Some examples of how and where scammers may have found your data or info:
I have covered this in more detail in a previous update, but as convincing as some scams are, there’s a lot you can look out for and hopefully identify them with, including:
Long story short is to please take notice of the first SMS you receive before the one with the code arrives. You can see here what these OTAC messages say, but this is the first one you receive prior to the code arriving:
We cannot stress enough that these OTAC’s are for you, and for you alone. They are a way for you to authenticate yourself and to prove to us that you are who you say you are, so that you can make account changes, order devices legitimately or do anything else you’d want to within your account. By giving this code to anyone else, you are compromising your own security and information and you could cause yourself untold hassle and damage to your credit file which could then impact mortgages, loans, banking products and more.
Up until the start of 2023, a large proportion of the scams being reported to us via social media were smishing based, with the most common scams being:
Though we’re seeing much less of these than we used to, all the scams above are still around so it's important to remain cautious and think twice about clicking links. Here’s some common signs (but not a guarantee) that a text may be a scam:
Similar to smishing, we’ve not seen a lot of new changes here but we’ve recently seen some new email scams and spam. One such email says “we’re updating your O2 login” with a number to call if you need to discuss it. That number is a scammer, who will then attempt to scam you or extract further info from you they can then use to either sell to other scammers, or use it to commit fraud in your name.
The other email appears to be more spam than scam, but in both this example and the one above, the biggest tell-tale sign it's not from O2 is the email address both emails were sent from, neither of which are legit O2 email addresses.
ℹ️ Take notice than in both example emails below, they state the last 4 digits of a mobile number at the top. Sometimes these may be random, but the email content may come across urgent enough you might not fully notice it's not your number. And sometimes the last 4 digits will actually be yours - to be clear, this does not mean the email is legitimate, just that a scammer knows your number and has used it to make their email look legit. See here for more info as to how these scammers may know your mobile number. |
Example 1: Take note of the fake email address and contact number in use here
Example 2: Take note of the fake email address in use here
Another email to be aware of, which is actually a legitimate email and not from a scammer, is where you've been told "Your O2 account has been locked due to 5 failed login attempts". I'll include a screenshot of this email below - if you've received one that's identical, is also from the same email address, and it's not asking you to click any links or call any numbers, then it's more than likely legitimate. If it does ask you to call a number or click a link, or looks different from below, then it may be a phishing email and you should be cautious.
You'll have received this email either because:
Some scams might pretend to be from O2, or from an organisation you already deal with. It's important that we see examples of phishing emails, texts and websites so we can investigate and shut down scammers.
To report a suspicious email:
To report a suspicious text:
ℹ️ Information shared to 7726 will be available to all UK mobile operators, the Information Commissioner’s Office and various approved organisations that are involved in criminal investigations, to enable the to identify the senders. These approved organisations include the National Cyber Security Centre (NCSC) and the Serious Fraud Office (SFO).
ℹ️ Information may also be shared with the organisations who are being targeted by the smishing attacks, to help them protect their customers from fraud. |
To report a suspicious call:
Additional steps
You should also report your phishing experiences to report@phishing.gov.uk. The information provided lets law enforcement organisations remove fraudulent sites and identify patterns of attack used by scammers to help us all defend against them.
ℹ️ Think a fraudster might have access to your O2 account? See our fraud advice, and report it to us straight away. |
Here we'll attempt to answer some common questions we've seen asked via our social media channels. If you have any questions not covered below, or in all of the information above, then let us know in the comments below and one of our Community experts may be able to assist or explain, or drop us a message on Twitter, Facebook or Instagram.
Q. These scammers had all my info - my name, address, how much I pay. How did they have that?
A. If during the call, or on a previous call, you gave the scammer your OTAC code, they could have logged into your account and had access to all of this and more. With access to all of this info, these scammers can make it very convincing that they work for O2 when they don't.
Q. But I didn't give them my OTAC, so how did they know?
A. As covered here, some scammers employ a number of tactics in order to create a profile of you. In some cases, they maybe even purchased such a profile on the dark web - part of a massive database someone may have pieced together using various sources and leaks, none of which may have any links or ties to O2.
Q. How can I better protect myself against scammers and hackers?
A. There is no one thing you can do that will protect you - instead, you need to approach online safety and security with a wide field of view and consider many aspects such as, but not limited to:
Those are just some of the main ways you can help keep yourself safe and secure from scammers, but these criminals are cunning. They will evolve and find new ways to scam you or steal your information or identity to commit fraud, so please be vigilant, take notice of warnings, and trust your gut.
Q. What are you doing about these scammers?
A. We act upon reports submitted to 7726 and act accordingly – either to ban the number and take action if it’s on our network, or report it to the network it belongs to and block it from further contact with our customers.
Q. But what about preventing the calls in the first place?
A. We regularly explore options available to us to tackle the issue of scammers and spammers head on, and we’ll continue to explore all options to reduce and hopefully eliminate (as much as possible) scams and spam being sent to our customers.
Q. I've been a victim of fraud and would like further support or advice
A. There are other sources available, including:
Q. What steps can I take to ensure a QR code is genuine?
Q. How do you contact genuine competition winners?
We will only contact you from our verified social media pages and we will never redirect you to a website, or ask for your credit card details. Remember to check the tick next to our name – our pages are @o2uk on Facebook and Instagram and @o2 on X and TikTok. If you have any concerns or doubts, please private message our verified pages.
on 09-11-2023 18:41
on 09-11-2023 18:41
The link in that email should really only be a onetime click and then only valid for a 5-10minutes before expiring, and o2 should be pushing for 2FA and one of those should be the option to use an Authenticator App, as OTP via SMS is insecure...
on 09-11-2023 19:04
on 09-11-2023 19:04
on 09-11-2023 19:16
on 09-11-2023 19:16
Users are stupid... Doesnt matter how many times you tell them not to do something they still do... You should see the results from the phishing simulations we do at work, it makes you worry at times..
on 09-11-2023 21:23
on 09-11-2023 21:23
Those users who ignore the first text and give the code in the second one to the scammers undoubtedly are.
When I worked in banking, our head of data protection got scammed - simply dropped his guard for a moment.
Nail hit on the head by @madasaf1sh !
on 09-11-2023 21:25
If no one was stupid there would be no scams.
on 10-11-2023 18:18
on 10-11-2023 18:18
on 10-11-2023 18:20
and some are always looking for someone else to blame.
on 11-11-2023 05:07
on 11-11-2023 05:07
Im new O2 costumer been verging media long time never had trouble with them. last week I been scammed I received iPhone 15 and I called O2 said are not from them and are going to solve the issue. The problem I signed the contract with them. I’m in stress.
on 11-11-2023 05:30
on 11-11-2023 05:30
Sighs....
@Amaryllis1979 If you think you’ve been the victim of fraud – whether it’s because you’ve given details to someone over the phone, or clicked on a link in a suspicious text or email there are things you can do:
Contact your bank if you think you may have given out financial information. They can help protect your account and stop transactions.
Change your account and online account passwords. Not just your O2 account. All of them.
Forward fraudulent texts to O2 for free on 7726.
Contact Action Fraud on 0300 123 2040.
Call your Virgin Media or O2 customer services number if you think somebody’s taken out a contract using your details.
Virgin Media customers can phone 150 from their landline or 0345 454 1111 from any other phone.
O2 customers can call 202 from their O2 phone or 0344 809 0202 from any other phone.
You can block the number that called you, or any number you think may be suspicious.
How to block a number:
https://www.samsung.com/us/support/answer/ANS00062352/
https://support.apple.com/en-us/HT201229
There are also these links to look at:
https://www.o2.co.uk/help/safety-and-security/phishing-and-smishing-advice
https://www.o2.co.uk/help/safety-and-security/unwanted-calls-and-messages
https://www.actionfraud.police.uk/
You can also reach O2 via social media:
Facebook (https://o2uk.co/O2CFB), Twitter (https://o2uk.co/O2CTW), or Instagram (https://o2uk.co/O2CIG)
on 06-01-2024 13:02
I rang 202 to get an update on an ongoing fraud case. The agent I spoke to said before they can access my account they need to send me an SMS with a OTPC and I need to give this to them as it is a new policy to combat fraud? I said I am not going to give any OTPC sent to me as that is how I got scammed in the first place. They said the security warning only applies if someone rings you and not when you ring 202. Is this correct? I have NEVER had to do this as I have security answers that agents usually use to verify my identity. Somehow, my fear that some scammers WORK for O2 is somehow not that far fetched.