The risks of banking on mobile phones have been highlighted by stories from Guardian readers who had their phones taken over by scammers and their bank accounts wiped out.
In recent months, Guardian Money has become increasingly concerned about the frequency with which people have reported having their mobile accounts stolen – with O2 being our most complained-about provider.
In some cases we heard about, the victim’s email account was initially hacked, while in another case the phone may have been taken over by malware. Once they take control of the email account and other personal data, the scammers pretend to be customers of the mobile company, reset all passwords and order replacement SIM cards.
Once you take control of someone’s phone, it’s relatively easy to impersonate that person to a bank using a two-step verification code sent to the phone in order to take over the account and eventually empty it.
Their stories will leave many people wondering if they still want to use mobile banking on their phone. They are a reminder of why users must enable two-step verification for email and other accounts. They also show how some banks will refund victims, while others will not.
Sarah Downs, 34, who works a busy media job, is the latest O2 customer to have her life turned upside down after scammers managed to steal her phone and pass her number on to a rival supplier, Vodafone.
She said she first noticed the problem on June 14, when her phone died. O2 told her the internet was down and not to worry. Five minutes later, a colleague called her partner to say they had received strange messages from her asking for money.
Shocked, she said she tried to log into online banking but found it was disabled for security reasons. When she went to the bank the next day, she discovered that £6,000 of her savings was missing.
Although her bank, Royal Bank of Scotland, refunded the money, that was only the beginning of her problems. Scammers ordered Apple MacBooks and iPads on her O2 account. They then transferred the number to Vodafone, making it almost impossible to retrieve her number until the Guardian stepped in on her behalf.
“I’ve been calling O2 for over 15 hours but they can’t help me – because the number now belongs to Vodafone,” she said. “I have been to this store four times with my passport, fraud letter and driver’s license but there is nothing they can do except report it to the anti-fraud department. For some reason it is not possible to have a conversation with the fraud department. I have always been concerned about these Feeling paranoid about the information people have – I started to feel like my identity was no longer safe.”
An O2 spokesman said: “Unfortunately, following a data breach elsewhere, Ms Downs became the victim of fraud, which enabled scammers to order a replacement SIM card through the account’s security and multi-factor authentication. We apologize for the delay in resolving her issue and are pleased that her mobile number has now been returned to her.
“As scammers continue to evolve, we are investing heavily in anti-fraud measures to protect our customers. To help protect against this type of fraud, we strongly recommend that customers use strong and unique passwords for all online accounts and to protect their email accounts if their email accounts are compromised. Report leaks to us immediately.”
As banks increase security and rely more heavily on codes that are texted to customers who use mobile or online banking, fraudsters are realizing that if they can take over someone’s phone, they can in many cases gain access to that person’s bank account.
In February this year, Money reported on the case of a north London teacher who had £3,500 stolen from her Barclays account after fraudsters took control of her O2 mobile service. Barclays later refunded her money, but she warned others to be wary if their phone suddenly stopped working.
Since then, Trevor Graham has contacted us to say that his and his daughter’s O2 mobile accounts were taken over in April and £10,000 was stolen from multiple accounts in his name. The scammers ordered two electronic SIM cards and an iPad on his account. In February this year, O2 told us it was becoming more difficult for scammers to claim electronic SIM cards and said it would continue to invest heavily in anti-fraud measures to keep consumers safe.
In the end, his bank – the Co-op – gave him a refund and he lost no money, but he said the incident caused him endless stress and led to him spending hours talking to the companies involved.
“Three months on, I still haven’t gotten a proper explanation from O2 about how this happened. I’ve changed all my passwords since then and I just want it to be over,” he said.
O2 did not respond to Guardian Money’s questions about the case.
Patricia Drummond is still fighting Barclays to return the £3,136 scammers took from her after her Three mobile phone account was stolen.
The 70-year-old woman, who works in business accounts, said she had no idea how the scammers gained access to her smartphone. In her case, the phone suddenly stopped working and went into “safe mode.”
At 3.50am the next morning, someone logged into her bank account and made a payment, leaving her overdrawn by £3,000. Despite evidence from her and her family that it was not her, that her phone had been targeted and that she had not “authorized” the payment at any stage, Barclays held her accountable and demanded she repay the money.
To make her experience worse, in December last year Barclays closed her account and referred the matter to two sets of debt collectors, despite the fact that she had been paying back the agreed £240 a month, a decision described as “appalling” and “bullying” by her son. She said the bank has since ruined her credit history and her ability to get credit or other accounting jobs.
Three told us it didn’t believe her mobile account had been taken over, and suggested she must have inadvertently downloaded some malware.
Barclays failed to respond to the Guardian’s request for comment on her treatment. However, a staff member contacted her to go over the facts again and told her the bank would respond within 10 days.
How to protect your smartphone from hackers
Here are some steps you can take to reduce the chance of your phone and bank account being compromised by scammers:
Be sure to lock your phone with a passcode and use a complex password – logging in with Face ID or fingerprint adds another layer of security.
Cybersecurity company Kaspersky says not to download suspicious apps. Check app store reviews and ratings before installing anything to make sure you’re not downloading malware to your phone. If you do download apps, keep them up to date, as hackers can exploit vulnerabilities that may have been fixed in new versions.
Back up data on your phone. Cybersecurity company McAfee says that if your phone is lost or stolen, backing it up to the cloud means you can remotely wipe the data on your phone while still retaining a safe copy of it. Both iPhone and Android devices have methods for backing up data regularly.
Use a virtual private network (VPN), which allows you to connect to public WiFi networks and prevent hackers from accessing your data.