The risks of doing banking on your mobile handset have been underlined by the stories of Guardian Money readers who had their mobiles taken over by fraudsters, who then emptied their bank accounts.
In recent months, Guardian Money has become increasingly alarmed at how often people are reporting that their mobile phone account has been taken over – with O2 our most complained-about provider.
In some of the cases we have heard about, victims initially had their email account hacked, while in another, the phone may have been taken over using malware. Once in control of the email account, and armed with other personal data, the fraudsters then posed as the customer to the mobile company, resetting all the passwords and ordering a replacement sim card.
Having assumed control of someone’s mobile phone it is relatively easy to pretend to be them to their bank, using two-step verification codes sent to the phone, to take over the account, and ultimately empty it.
Their stories will leave many wondering whether they still want to use mobile banking on their handset. They are a reminder as to why users must have 2-step verification turned on to email and other accounts. They also show how some banks will refund victims, and others won’t.
Sarah Downs, who is 34 and works in a busy media job, is the latest O2 customer to have their life turned upside down after fraudsters managed to take over her mobile phone and, in her case, port her number over to the rival supplier Vodafone.
She says she first noticed that something was wrong on 14 June when her phone went dead. O2 told her that the network was down and not to worry. Five minutes later a colleague rang her partner to say they had been receiving strange messages from her asking for money.
Becoming alarmed, she says she tried to log on to her online banking only to find that it had been disabled for security reasons. When she visited the bank the next day, she discovered that her £6,000 savings were gone.
Although her bank, RBS, returned the money, it was just the start of her problems. The fraudsters had ordered an Apple MacBook and iPad on her O2 account. They then ported the number over to Vodafone, making it almost impossible to get her number back, until the Guardian intervened on her behalf.
“I’ve been on the phone to O2 for more than 15 hours and they can’t help me – because the number now belongs to Vodafone,” she says. “I’ve been into the shop four times with my passport, a proof of fraud letter and a driving licence – but they’re unable to do anything other than raise it with the fraud department. For some reason it’s impossible to have a conversation with the fraud department. I’m constantly paranoid about what information these people have – I’m starting to feel like my identity is no longer safe.”
An O2 spokesperson said: “Unfortunately, following a data breach elsewhere, Ms Downs has been a victim of fraud, with a scammer able to pass security and multi-factor authentication on the account to order a replacement sim. We’ve apologised for the delay in resolving her issue and are pleased to have now returned her mobile number to her.
“As scammers continually evolve, we are investing heavily in anti-fraud measures to protect our customers. To help guard against this type of fraud, we strongly advise customers to use strong and unique passwords for all online accounts and to report to us immediately if their email account has been compromised.”
As the banks have upped their security and increasingly have relied on codes texted to customers who use mobile or online banking, the fraudsters have realised that if they can take over someone’s phone, they will in many cases be able to access their bank account.
In February, Money reported on the case of a north London teacher who had £3,500 stolen from her Barclays account after fraudsters were able to take control of her O2 mobile service. Barclays later refunded her but she warned others to be on their guard if their mobile phone suddenly stopped working.
Since then, Trevor Graham has been in touch to say he and his daughter had their O2 mobile phone accounts taken over in April, and £10,000 was taken from various accounts in his name. The fraudsters had ordered two e-sims and an iPad on his account. In February, O2 told us it had made it harder for fraudsters to ask for e-sims, and says it continues to invest heavily in anti-fraud measures to keep consumers safe.
In the end, his bank – the Co-op – refunded him and he was not left out of pocket, but he says the incident caused no end of stress and led to hours spent talking to the companies involved.
“Three months on, I still have had no proper explanation from O2 as to how this happened. I have since changed all my passwords, and am just hoping that that is the end of it,” he says.
O2 did not respond to Guardian Money’s questions about this case.
Patricia Drummond is still fighting Barclays to get the bank to return the £3,136 fraudsters took from her after her Three mobile phone account was compromised.
The 70-year-old, who works in business accounts, says she has no idea how the fraudsters were able to access her smartphone handset. In her case, the phone suddenly stopped working and went into “safe mode”.
At 3.50am on the following day, someone was able to log into her bank account and make a payment, which sent her £3,000 into overdraft. Despite she and her family providing evidence that it was not her, and that her phone had been targeted and at no stage did she “authorise” this payment, Barclays has held her responsible, and demanded she repay the money.
To add extra injury to her experience, in December, Barclays shut her account and handed the matter over to two sets of debt collectors, despite the fact that she had been paying back an agreed £240 a month, a decision described as “appalling” and “bullying” by her son. She says the bank has since trashed her credit record and her ability to get credit, or another job in accounting.
Three told us that it did not believe her mobile account had been taken over and suggested she must have inadvertently downloaded some malware.
Barclays failed to respond to the Guardian’s request for a comment about her treatment. However, a member of staff has been in contact with her, has gone away to re-examine the facts, and told her the bank will respond within 10 days.
How to protect your smartphone from hackers
There are a few things you can do to reduce your chance of having your phone and bank account taken over by fraudsters:
• Always lock your phone with a passcode, and use complex passwords – using Face ID or fingerprint login adds another layer of security.
• Don’t download dodgy apps, says cybersecurity company Kaspersky. Look at reviews and ratings on app stores before installing anything to ensure you’re not downloading malware on to your phone. If you do download apps keep them up to date, it says, as hackers can exploit loopholes that may have been fixed in newer versions.
• Back up data on your phone. The cybersecurity company MacAfee says that if your phone is lost or stolen, backing it up to the cloud means you can remotely wipe the data on your phone while still having a secure copy of it. IPhones and Androids both have a way to regularly back up your data.
• Use a virtual private network (VPN), which enables you to connect to public wifi networks with protection from hackers accessing your data.
• Enable two-factor authentication with fingerprints and face ID whenever you can, but with text or email if those are the only options. Do this on your email accounts, account for your mobile operator and banks if possible. Reducing the opportunities for someone to take over your phone account will help prevent your other accounts being compromised.
Mahliqa Ali