The risks associated with mobile banking have been highlighted by the experiences of Guardian Money readers, who have had their handsets commandeered by fraudsters, resulting in their bank accounts being drained.
Guardian Money has noted a worrying increase in reports of mobile phone account takeovers, with O2 frequently mentioned as the problematic provider.
In some reported instances, victims’ email accounts were initially hacked, while in other cases, malware was used to gain control of the phone. Once the email account was compromised and combined with other personal information, fraudsters were able to impersonate the customer to the mobile company, reset passwords, and order replacement SIM cards.
With control of the victim’s mobile phone, fraudsters can easily impersonate them to their bank. By intercepting two-step verification codes sent to the phone, they can take over the bank account and drain it.
These incidents raise concerns about the safety of mobile banking. They underscore the importance of enabling two-step verification on email and other accounts. They also highlight the varied responses of banks in refunding victims of such fraud.
Sarah Downs, a 34-year-old working in a busy media role, recently had her life disrupted after fraudsters took control of her O2 mobile phone and transferred her number to Vodafone.
The ordeal began on June 14 when her phone suddenly went dead. Initially, O2 informed her that the network was down and told her not to worry. However, minutes later, a colleague contacted her partner, reporting strange messages from Sarah asking for money.
Alarmed, Sarah attempted to access her online banking but found it disabled for security reasons. Visiting her bank the following day, she discovered that her £6,000 savings had been stolen. Although RBS refunded the money, this was only the beginning of her troubles. The fraudsters had ordered an Apple MacBook and iPad using her O2 account, then transferred her number to Vodafone, making it nearly impossible for her to reclaim it until the Guardian intervened.
Sarah recounts her frustration: “I’ve spent over 15 hours on the phone with O2, and they can’t assist me because the number now belongs to Vodafone. I’ve visited the store four times with my passport, a proof of fraud letter, and my driving licence, but all they can do is escalate the issue to the fraud department. It’s impossible to directly speak with them. I’m constantly paranoid about the extent of the information these people have – it feels like my identity is no longer safe.”
An O2 spokesperson responded: “Ms. Downs has unfortunately been a victim of fraud due to a data breach elsewhere. A scammer managed to pass security and multi-factor authentication on her account to order a replacement SIM. We apologize for the delay in resolving her issue and are pleased to have now returned her mobile number to her.”
“As scammers continually evolve, we are investing heavily in anti-fraud measures to protect our customers. To help guard against this type of fraud, we strongly advise customers to use strong and unique passwords for all online accounts and to report to us immediately if their email account has been compromised.”
With banks increasing their security measures and relying more on codes sent via text to mobile banking users, fraudsters have realized that gaining control of someone’s phone can often grant them access to bank accounts.
In February, Money reported on a case involving a north London teacher who lost £3,500 from her Barclays account after fraudsters took control of her O2 mobile service. Barclays refunded her, but she cautioned others to be vigilant if their mobile phone stops working unexpectedly.
Since then, Trevor Graham reported that he and his daughter had their O2 mobile accounts taken over in April, resulting in the theft of £10,000 from various accounts. The fraudsters ordered two e-SIMs and an iPad on his account. In February, O2 claimed it had tightened security to make it more difficult for fraudsters to request e-SIMs and stated it continues to invest heavily in anti-fraud measures to protect consumers.
Ultimately, his bank, the Co-op, refunded him, but the incident caused significant stress and required hours of communication with the involved companies.
“Three months on, I still have not received a proper explanation from O2 as to how this happened. I have since changed all my passwords and hope that this resolves the issue,” he says.
O2 did not respond to Guardian Money’s inquiries about this case.
Patricia Drummond is still battling Barclays to recover the £3,136 stolen from her after her Three mobile phone account was compromised.
The 70-year-old, who works in business accounts, is unsure how the fraudsters accessed her smartphone. Her phone suddenly stopped working and went into “safe mode.” Early the next day, someone logged into her bank account and made a payment, putting her £3,000 into overdraft. Despite providing evidence that she did not authorize the payment and that her phone was targeted, Barclays held her responsible and demanded repayment.
Adding to her troubles, Barclays closed her account in December and referred the matter to debt collectors, despite her paying back £240 a month as agreed. Her son described the bank’s actions as “appalling” and “bullying.” The situation has severely damaged her credit record and her ability to secure credit or another job in accounting.
Three stated that they did not believe her mobile account was taken over and suggested she might have downloaded malware inadvertently.
Barclays did not respond to the Guardian’s request for comment. However, a bank staff member has re-examined the facts and promised a response within 10 days.
How to Protect Your Smartphone from Hackers
To reduce the risk of your phone and bank account being compromised by fraudsters:
Lock Your Phone: Always use a passcode, and enable Face ID or fingerprint login for added security.
Avoid Dodgy Apps: According to Kaspersky, always check reviews and ratings before downloading apps to avoid malware. Keep apps updated to fix vulnerabilities.
Back Up Data: McAfee advises backing up your phone data to the cloud. This allows you to remotely wipe your phone if lost or stolen while retaining a secure copy of your data.
Use a VPN: A virtual private network protects your data when connecting to public Wi-Fi networks.
Enable Two-Factor Authentication: Use fingerprints and Face ID whenever possible. If not, use text or email for two-factor authentication on your email accounts, mobile operator accounts, and bank accounts. This reduces the chances of your phone account being taken over and, subsequently, your other accounts being compromised.