O2

Welcome to our new Scam Alert Megaguide. There is a LOT of detail and info here, and if you've just been called by a scammer or if you've ever fallen for a scam, then my hope is that you'll learn how to spot these scams, learn how to stay one step ahead of them, and what to do if you've become a victim. The Scams Advice thread will continue to live on and receive updates as and when we see new scams or trends we want to highlight, so make sure to bookmark that thread as well as this one.

ℹ️ Use the index below to jump straight to a specific section
ℹ️ Click on any animated banner to come back to this index

1. Smishing, Vishing & Phishing: What are they?
2. Some of the common vishing scams
3. How vishing scams work
4. How did the scammers know my info?
5. How to spot a vishing scam
6. Don't ignore the OTAC warning message
7. Some of the common smishing scams
8. How to spot a smishing scam
9. How to spot a phishing email
10. What to do if you become a victim
11. Scam Q&A's

Scammers use various formats to try and scam you and these are typically:

• Smishing: A text message sent to you usually trying to trick you into clicking on a link, or the scammer pretends to be a desperate family member in need of money
• Phishing: An email sent to you usually masquerading as an O2 overdue bill (or similar) where the scammer attempts to trick you into urgently clicking on a link or phoning a fake number
• Vishing: A phone call made to you where the scammer pretends to be from O2 and offers you a discount, free upgrade, or a gift for your loyalty - but they need a 'discount code' from you to proceed, and that's where the scam happens. We'll cover this in more detail but you should never give your one-time authorisation code (OTAC) to anybody that's called you and asked for it. Hang up immediately and block the number.
• Quishing: Scammers have realised the potential for mischief in QR codes and it can take several forms, with false QR codes placed in venues on posters or online, or even new codes stuck over the top of existing legitimate ones in pubs and car parks to redirect you to malicious sites. You may also encounter emails saying you need to scan the code to reschedule a package delivery, or pretending there's a problem with your account and you need to scan the code to confirm information. They may even say that they noticed suspicious activity on your account, and you should change the information by scanning the code.
• Competition Scams - If you've recently entered a competition, scammers may target you claiming that you have won the prize and providing a scam link, through which they will harvest your details, including credit/debit card numbers.

Smishing used the be the most prominent form of scam but in recent months we've seen more reports around vishing scams, where someone claiming to be from O2 will call – usually about one of these things:

• To offer you a customer loyalty discount (or a cost of living discount) - this will typically range from 20% to 40% or even higher in some cases
• To offer you a free gift for being a loyal customer - usually this will be an Apple Watch, Samsung Watch, tablet, mobile phone, or some other tech - PS5, Xbox, headphones, gift card, or something else
• To review your account to see if we can reduce your bills or to offer an upgrade - usually for free, though this is less common
• To make you aware of a fraudulent order - but the scam here is that there's been no such activity on your account. You'll be told there's a fraudulent iPhone 13 order on your account (for example) and they need your OTAC to confirm. Shaken, you may hand this out without thinking twice - except what happens here is the scammer uses your OTAC to gain access to your account to make the same fraudulent order they were calling you about, and tell you if/when it arrives, to send it back to a returns address - except it'll be an address the scammer has access to, and not an official O2 address
• To process an upgrade for you - except what happens here is, they intentionally order the wrong device or wrong colour and when you call or message them back (thinking that they're O2), they provide a returns address which won't be O2, but a random address where your package will be intercepted
• These are the main vishing scams we’re seeing regularly – there may be others we’re not yet aware of, so remain vigilant and alert to scammers using new tactics or approaches

The way these vishing scams work are usually the same. Here's how one of these 'discount scam' vishing calls might typically go if you fell foul of the scam:

1. You'll receive a call from someone claiming to be from O2, typically with a strong foreign accent (though this isn't always the case) to offer you a 30% discount for being a loyal customer
2. Before or during the call, you'll be sent the pre-OTAC warning SMS from us followed by your actual OTAC
3. The caller will use various tactics to try and take your mind off reading that first message - they'll try to convince you they're from O2 by saying something like "I just sent you a code to prove I work for O2. Please confirm it?", or something like "I just sent you a discount code. Please confirm it so I can apply it to your account". They may use FOMO tactics so you give them the code quickly without thinking, or they may even become pushy or aggressive to intimate you into giving them your OTAC
4. If the scammer successfully dupes you into providing them your OTAC, at this point they'll lie to you and tell you that your discount has been applied, and you then may be told (or transferred to the promotion department - FYI, there's no such thing) that we're sending you a customer loyalty gift such as an Apple Watch, a hamper or some other incentive
5. What happens next is you then receive (usually next day) a random device - usually a high value iPhone that the scammers ordered while they were in your account. Once you receive it, either you'll receive a call back from the same scammers, or you'd call the scammers back on the scam number they left, and you'll then be given instructions on where to send this device back to. The address you're given is unoccupied, not an O2 property, and is instead used by scammers to intercept the parcel and re-sell it abroad or on the underground market

The OTAC SMS's you receive are from O2 and are legitimate but the caller is a scammer and they have zero affiliation with O2 or our partners. Before or during the call, they'll be on the O2 website and click on the 'forgotten password' option, which then triggers the OTAC messages to be sent to you; because anybody, anywhere can input your number into that 'forgotten password' option, this is not proof the caller works for O2 or has access to your account or our systems.

The OTAC is everything and is the entire basis on how this scam works, so it's imperative you treat your OTAC like your bank card PIN number... Never give it out to anybody under any circumstance. If you provide the scammer with your OTAC, it's akin to you giving a robber the keys to your home. With your OTAC, they can use it to:

• Fraudulently order devices.
• Steal your personal information.
• Change your email and security info.
• Arrange a sim swap or set up call forwarding - which is especially dangerous as it then opens the possibility for them to gain access to your bank as your number is typically used by banks to authenticate yourself.

Sometimes scammers may try to demonstrate their legitimacy by providing you with info or details you’d think only O2 has – such as your name, number, what phone you have – or something else. If during the call you provided the scammer with your OTAC, they will have access to a lot of this information, including your tariff cost, bill history, address info and more, that they can use to try and convince you that they're legitimate. If during a call you haven't provided the scammer your OTAC and they repeat some details to 'prove' they're from O2, it may often be impossible to know how and where this info came from, but we assure you it didn’t come from O2. 

Scammers use various methods and tactics to extract data and piece a profile of you together – often from countless sources that when combined, could make it convincing that they’re legitimate. Some examples of how and where scammers may have found your data or info:

• Website leaks: Some of your information may have been leaked from various websites, none of which have any affiliation or links to O2. You can use services such as ‘Have I been pwned’ to check if your email or phone number and other associated info has been leaked, and you’ll see the source of it
• Phishing: You received an email you assumed was genuine and you replied to it with various information that could be used to build a profile of you, or you clicked a link and you provided info on the dodgy website you were sent to
• Malware: If you’ve installed an unofficial app on your phone, ‘cracked’ software on your PC/laptop, or visited a website that’s installed malware or a virus, all of these could send untold quantities of data and information to scammers
• Remote Access Scams: You’ve given someone remote access to your computer who turns out to be a scammer. While pretending to resolve an issue, they may in the background be installing virus or malware that will steal your files, data and information
• Fake Profiles: You accept a friend invite on Facebook for example, from someone claiming to be a friend or family member who had their account hacked. More often than not, this is a scammer – when you accept the invite, they’ll then have access to info you’ve allowed to be shared, including photos
• Document Theft: Though less common, some scammers do operate ‘in real life’ by intercepting your mail, or finding information that’s not been properly discarded – such as an O2 mobile bill for example, showing your name, account number, mobile number and tariff costs
• Social Engineering: Imagine you receive a call and answer it with “Hi, this is Firstname Lastname” – right away the scammer knows your name and has a number to associate it with. Perhaps you received a call from the same scammer the following week, this time claiming to be from Amazon about a missed parcel and they want to confirm your address which you give – on its own that info isn’t worth much, but the scammer now has your name, mobile number and home address. With those, they can dig deeper and try to build a larger profile, with enough info that may convince you they're legit when they're not
• The 'Dark Web': The Dark Web is a scary corner of the internet where a lot of nefarious and often illegal activities take place, amongst which is often the selling of databases of pre-compiled information that scammers have pieced together from various leaks and sources - so, using combinations of the above, someone may already have pieced a profile of you together that they then re-sell to whichever criminal organisations have the money for it

I have covered this in more detail in a previous update, but as convincing as some scams are, there’s a lot you can look out for and hopefully identify them with, including:

• Never give out your OTAC: If you’re ever asked for your OTAC by “O2” – it is 100% a scammer. You don’t even need to contact us to double check, as we will NEVER contact you and ask for this
• Pushy, Insistent or Forceful: If the caller is very pushy and trying to corner you into making a quick decision, this should act as a red flag that they’re likely a scammer. Scams are more successful if you have less time to think it through and this is a tactic scammers employ a lot of – they want you to follow instructions without having time to think about what you’re doing or what they mean
• You ‘insult’ the scammer: If the caller becomes irate or annoyed that you’re questioning if they’re legitimate or not, this should again act as a red flag for you - ultimately if this were a genuine call from O2 and you questioned the legitimacy of it, our agents would likely suggest calling back on a number you'll be able to verify on the O2 website, so you'll know you're talking to a real employee
• The scammer swears: All of our calls are recorded and are regularly reviewed and scored, so our agents know never to swear or insult customers. So if you ever receive a suspect call and the 'O2 person' starts swearing, insulting or similar (eg, "just give me the bloody code so I can help you"), that's a sure sign it's a scammer and you should hang up immediately
• Calls from a mobile number: If you receive a text or call from O2 but it’s from a random mobile number, this will never be us. All our texts use some form of an ‘Alpha Code’ such as O2 UK, and any calls from us will be from a landline number – not a mobile number
• Too good to be true? If you receive a call out of the blue from someone offering a discount, to give you a free phone or upgrade, or some other incentive, you should be VERY cautious and consider hanging up immediately. Remember – if it sounds too good be true, it probably is

Long story short is to please take notice of the first SMS you receive before the one with the code arrives. You can see here what these OTAC messages say, but this is the first one you receive prior to the code arriving:

• *FRAUD ALERT - MUST READ* Has someone called you and asked for a code? Hang up. They DO NOT work for O2 and are trying to commit fraud on your O2 account. Never give a one-time code to anyone who called you. Call us on 202 if you need help. If you requested a code yourself, we’ll be texting it to you shortly.

We cannot stress enough that these OTAC’s are for you, and for you alone. They are a way for you to authenticate yourself and to prove to us that you are who you say you are, so that you can make account changes, order devices legitimately or do anything else you’d want to within your account. By giving this code to anyone else, you are compromising your own security and information and you could cause yourself untold hassle and damage to your credit file which could then impact mortgages, loans, banking products and more.

Up until the start of 2023, a large proportion of the scams being reported to us via social media were smishing based, with the most common scams being:

• You missed a delivery, click this dodgy link to reschedule.
• You need to pay a fee to receive a delivery, click this dodgy link to pay.
• You’re owed money from the Gov or a refund from HMRC, click this dodgy link to receive it.
• You have an outstanding bill. To ensure you don’t get cut off, click this dodgy link to pay it.

Though we’re seeing much less of these than we used to, all the scams above are still around so it's important to remain cautious and think twice about clicking links. Here’s some common signs (but not a guarantee) that a text may be a scam:

• The SMS is from a normal mobile phone number or email address – for example, official texts from O2 will come from O2 UK, O2UK or O2-UK. They’d never show as from a normal mobile number or an email address.
• There’s typo’s or glaring errors or mistakes – most businesses triple check the copy and have several layers or approvals to prevent such things. Scammers however, don’t, so typos, grammatical errors and other anomalies often slip past
• You’re asked to click a link – if the link looks odd, chances are it could be a scam. For scams claiming to be from O2, links may look somewhat convincing, such as somethingo2.co.uk, o2something.co.uk, something-o2.co.uk, o2-something.co.uk, or other links of that nature
• You’re asked to provide banking details, security info or other personal details via sms out of the blue. You should always urge caution here and if in doubt, contact us to check. O2 will never ask you for bank details via text, nor will we ever ask you to reply to a text from us with such details

Similar to smishing, we’ve not seen a lot of new changes here but we’ve recently seen some new email scams and spam. One such email says “we’re updating your O2 login” with a number to call if you need to discuss it. That number is a scammer, who will then attempt to scam you or extract further info from you they can then use to either sell to other scammers, or use it to commit fraud in your name.

The other email appears to be more spam than scam, but in both this example and the one above, the biggest tell-tale sign it's not from O2 is the email address both emails were sent from, neither of which are legit O2 email addresses.

Example 1: Take note of the fake email address and contact number in use here

More info

Example 2: Take note of the fake email address in use here

More info

Another email to be aware of, which is actually a legitimate email and not from a scammer, is where you've been told "Your O2 account has been locked due to 5 failed login attempts". I'll include a screenshot of this email below - if you've received one that's identical, is also from the same email address, and it's not asking you to click any links or call any numbers, then it's more than likely legitimate. If it does ask you to call a number or click a link, or looks different from below, then it may be a phishing email and you should be cautious.

More info

You'll have received this email either because:

1. Innocent typo/mistake: Another O2 customer has been attempting to login to their account but has been using your email or number by mistake. Eg, if their email is name123@email.blah and yours is name1234@email.blah such typos/mistakes can happen and be completely innocent
2. Brute force attack: A scammer or hacker is attempting to brute force their way into your account. They may either be attempting to guess your password (Password123 is an easy guess and a common password) or be using a password from a leak or obtained by other means. Please refer back to this section of the guide that explains how scammers can obtain such passwords.

Some scams might pretend to be from O2, or from an organisation you already deal with. It's important that we see examples of phishing emails, texts and websites so we can investigate and shut down scammers.

To report a suspicious email:

• For suspicious emails claiming to be from O2, create a new email draft with ‘Phishing’ as the subject. Attach the suspicious email and send it to spam@o2.com.
• For any other emails, forward the message to the organisation that it claims to be from. You can usually find an email for the organisation on their 'contact us' page of their website

To report a suspicious text:

• Forward the text message, including phone number or company name, to 7726. It won’t cost you anything and it means we can investigate the sender and take action where possible
• If your phone supports SPAM reporting (currently available if you have an Android device using the Google Messenger App, but others will be available soon), then press the SPAM button to automatically forward the message to 7726
  
  

  ℹ️ Information shared to 7726 will be available to all UK mobile operators, the Information Commissioner’s Office and various approved organisations that are involved in criminal investigations, to enable the to identify the senders. These approved organisations include the National Cyber Security Centre (NCSC) and the Serious Fraud Office (SFO).   ℹ️ Information may also be shared with the organisations who are being targeted by the smishing attacks, to help them protect their customers from fraud.

To report a suspicious call:

• If someone calls you saying they're from O2 and they ask for your OTAC, passwords, PIN, bank details or other security or personal info, you should hang up immediately as it is likely a scammer. O2 will never call you and ask you for such info.
• If you have any doubts, call us to check - these could be nuisance calls, so see our advice on what to do about them.
• Remember, we’ll never email, text or call you and ask for a one-time code or password, or for any other security information you’ve set up on your O2 account.
   

Additional steps
You should also report your phishing experiences to report@phishing.gov.uk. The information provided lets law enforcement organisations remove fraudulent sites and identify patterns of attack used by scammers to help us all defend against them.

Here we'll attempt to answer some common questions we've seen asked via our social media channels. If you have any questions not covered below, or in all of the information above, then let us know in the comments below and one of our Community experts may be able to assist or explain, or drop us a message on Twitter, Facebook or Instagram.

Q. These scammers had all my info - my name, address, how much I pay. How did they have that?

A. If during the call, or on a previous call, you gave the scammer your OTAC code, they could have logged into your account and had access to all of this and more. With access to all of this info, these scammers can make it very convincing that they work for O2 when they don't.

Q. But I didn't give them my OTAC, so how did they know?

A. As covered here, some scammers employ a number of tactics in order to create a profile of you. In some cases, they maybe even purchased such a profile on the dark web - part of a massive database someone may have pieced together using various sources and leaks, none of which may have any links or ties to O2.

Q. How can I better protect myself against scammers and hackers?

A. There is no one thing you can do that will protect you - instead, you need to approach online safety and security with a wide field of view and consider many aspects such as, but not limited to:

1. Never give your OTAC (one-time authorisation code) to anybody that's contacted you. Again, we cannot overstate enough just how crucial it is you never give this out. O2 will never call you to ask for your OTAC, password or other security info - so no matter what a caller says, even if they promise you £1 million, never ever trust them. Hang up, report the number by texting CALL to 7726, and then block it
2. Use a different password for every website. This is where trusted password managers may help, though those obviously come with their own potential risks - but use of these comes down to your own preference
3. Use strong passwords that have no pattern or an obvious obfuscated word. A strong password for example may look like: hY7*9fX$g%5. A very weak password might look like: Password123! - just because you're using a mixture of upper and lower case characters, numbers and symbols doesn't mean it's a strong password; in this case, quite the opposite. We also suggest avoiding passwords based on your name, a pet name, a location or similar
4. Don't install unofficial or modified apps on your phone as this presents a potentially huge risk to your information and security. Many of these unofficial, cracked or modified apps (eg, a modified game APK file for Android that gives more gold) contain malware, virus' or other nasties that can steal files on your device, spy on you, kill your device' performance or worse
5. Be weary of too good to be true offers on social media. Be cautious - always check that the page or account is verified or legitimate. If it's a brand new page, has few fans/followers, or lacks basic info a real company would have, then there's a good chance it's a fake and designed to potentially scam you or obtain data and information
6. Be cautious of a friend/family member messaging you from a different number or a new social media account. Your friend or family member may claim they were hacked so made a new account or got a new number, and they may be asking for money or info... There's a high chance this is a scammer - instead, you should contact the person you know, ideally via a phone call to the number you already had for them, to verify the situation
7. Be suspicious if something feels off. If for example you receive a text, email or call from O2 about an overdue bill and you know it has been paid, then it's better to be overly suspicious and to question the legitimacy of it than to trust it blindly and start clicking on potentially harmful links

Those are just some of the main ways you can help keep yourself safe and secure from scammers, but these criminals are cunning. They will evolve and find new ways to scam you or steal your information or identity to commit fraud, so please be vigilant, take notice of warnings, and trust your gut.

Q. What are you doing about these scammers?

A. We act upon reports submitted to 7726 and act accordingly – either to ban the number and take action if it’s on our network, or report it to the network it belongs to and block it from further contact with our customers.

Q. But what about preventing the calls in the first place?
A. We regularly explore options available to us to tackle the issue of scammers and spammers head on, and we’ll continue to explore all options to reduce and hopefully eliminate (as much as possible) scams and spam being sent to our customers.

Q. I've been a victim of fraud and would like further support or advice
A. There are other sources available, including:

• Take Five to Stop Fraud - straightforward and impartial advice to help you protect yourself against financial fraud
• FFA UK - information about the various types of payment fraud, plus helpful tips and advice
• Action Fraud - the UK’s national reporting centre for fraud and cybercrime
• Get Safe Online – a resource for unbiased, factual and easy-to-understand information on online safety
• Which – advice on scams
• You should also report your phishing experiences to report@phishing.gov.uk. The information provided lets law enforcement organisations remove fraudulent sites, and identify patterns of attack used by the scammers to help us all defend against them.

Q. What steps can I take to ensure a QR code is genuine?

• If you’re on-site in a venue and you come across a QR code – use the “scratch the sticker method” and check you can’t peel off a sticker placed over a legitimate one.
• Always check the URL brought up when you scan the code – you can often spot a dodgy link at that stage. Check the link and watch out for grammatical errors or other signs of fraud.
• Use a reliable QR code reader - most smartphones allow you to scan QR codes with your camera, but if you decide to download a third-party app, ensure it is reliable. Cybercriminals have used fraudulent updates for QR scanning apps to infect users with malware in the past.
• Be cautious of what information you provide after you’ve scanned it – especially if they are asking for personal data – ideally this should be provided directly on a website rather than through links provided by QR codes

Q. How do you contact genuine competition winners?

We will only contact you from our verified social media pages and we will never redirect you to a website, or ask for your credit card details. Remember to check the tick next to our name – our pages are @o2uk on Facebook and Instagram and @o2 on X and TikTok. If you have any concerns or doubts, please private message our verified pages.

iPhone 15 Megathread //  Don't fall for scams  //  How to get Volt benefits
Contact us on Social Media: Facebook // Twitter // Instagram