It’s the industry’s worst-kept secret, discussed in high-level anti-scam meetings at Britain’s biggest banks and telecom companies.
According to insiders, one major telephone network provider is embarrassingly behind its peers in the fight against fraudsters: O2.
Today, a group representing all major UK banks and technology giants Microsoft, Meta and Google accuse O2 of allowing far more scam text messages to reach its customers than other networks.
Stop Scams says a whopping 99 out of 100 scam text messages appearing on mobile phones involve O2 customers.
Weak security: Stop Scams says as many as 99 out of 100 scam text messages appearing on mobile phones involve O2 customers
It is an important – and very rare – intervention by an industry co-operative body to publicly disgrace a company.
The UK’s largest mobile network has left millions of customers exposed to scam messages and calls, experts say, as it has taken years longer than rivals to implement anti-spam shields that prevent scam messages from reaching mobile phone users.
O2 provides 34.1 million mobile phone connections – and in addition to millions of regular customers, many vital services depend on the network, including over half of the UK’s police forces, many ambulance and fire services, councils and Network Rail.
Here we identify three areas where O2 lets its customers down.
Slow to turn the tide of scam texts
Simon Miller of Stop Scams, the leading cross-industry anti-fraud group, says that in 99 out of 100 cases, anyone claiming to have received a message from a scammer is on O2.
Unlike BT, EE, TalkTalk and Three, O2 is not a member of Stop Scams, which consists of the largest UK companies from the banking, telecoms and technology sectors, including HSBC, NatWest, Nationwide, Microsoft, Meta (owner of Facebook and WhatsApp) and Google, among others.
Mr Miller, the association’s policy director and former head of government affairs at mobile network Three, says O2 has been slower than its rivals to introduce new anti-scam systems.
“They are further behind in installing important shields,” he says. “For any message that gets through, it’s a big risk.”
Most major network providers have built firewalls and spam shields that can block malicious and fraudulent text messages.
On the back: Industry experts say O2 took years longer than rivals to implement anti-spam shields that prevent scam messages from reaching mobile phone users
Three introduced a spam shield three years ago and BT was hot on their heels. Others have followed suit, but O2 has been very slow,” Miller added.
Late last year, O2 finally installed its own complete firewall solution. But experts say it has lasted years longer than its peers, allowing hundreds of millions of scam texts to slip through the net.
An O2 spokesperson told Money Mail that other operators were “slightly ahead of us” in deploying the newer shield, but said it was a matter of months. They added that the network had had an old firewall for several years to deal with the problem.
Mr. Miller says that because artificial intelligence technology is still in its infancy, it will be less well developed as it becomes more intelligent the longer it runs. This means that a fair number of scam texts may go unstopped.
O2 says its system is still robust, but not yet fully automated, so it requires manual oversight. It adds that the highly anticipated technology blocked nearly 27 million scam messages in the first three months of 2023.
However, experts say this shows the magnitude of the number of messages O2 users were able to reach during the time it took for the technology to be introduced.
For every month of delay, millions of texts and calls can slip through the net.
Network provider Three says it blocks more than 100 million messages annually.
In October 2021, EE launched its own anti-spam filter and has prevented 329 million scam text messages from reaching customers.
The fraudsters’ main tactic over the past decade has been “number spoofing,” where they use technology to impersonate your friend, family member, bank, telecom provider, or a government agency.
These messages and calls can be very credible as the name of the institution or person the crook is impersonating appears on your phone screen.
Spoof calls cause chaos
From May, phone companies must block ‘spoof’ numbers used by scammers to impersonate trusted brands, under new Ofcom rules.
They will also have to block calls from abroad that spoof a UK caller ID, and numbers on Ofcom’s ‘not from’ list. These include those that banks and government departments never use for outgoing calls.
Some companies have already implemented these new measures, including TalkTalk, which says complaints about call scams have dropped by 65 percent since then.
BT-owned network EE has already blocked more than 70 million scam calls as it filters international numbers that work as UK numbers.
In August 2022, it launched enhanced technology that blocks up to one million international scam calls per day.
But this has not yet been implemented at O2. A spokesperson says the company is still working and working closely with Ofcom.
Top scam: ‘Number spoofing’ is where fraudsters use technology to impersonate your friend, family member, bank, telecom provider or a government agency such as the IRS
Loopholes let scammers in
Susan Manton, from Kidderminster in Worcestershire, thought nothing of it when she got a call in March and the number flashed as O2 – her mobile provider.
The 67-year-old retired court support officer was delighted to learn that her monthly bill could be reduced to £11.50 – and that as a loyal customer she was eligible for a free Apple Watch.
The caller sent a four-digit PIN, which she read aloud. But the Apple Watch never arrived and her next phone bill showed new devices added to her account, costing £71.07 a month.
‘I called O2 because my bill usually doesn’t exceed £20. Then I discovered that I had been scammed.’
The fraudster hijacked Susan’s account by attempting to log into the O2 website and claiming to have forgotten the password.
A one-time passcode was sent to Susan’s phone. Reading this back allowed the scammer to log in and order new devices from an address of their choosing.
O2 customer service said Susan would receive a call from the fraud team. But no call came.
After the Mail got involved, O2 shut down orders. As a show of goodwill, it placed a credit in Susan’s account to cover a monthly bill.
A spokesperson says: “Each time we send customers a one-time access code, it is preceded by a separate message making it clear that we will never contact a customer to ask them to share it over the phone, and that the code must not be used. shared with someone else.’
Money Mail revealed in February last year that security flaws allowed fraudsters to sign O2 contracts in the name of innocent people. However, the loophole in the law has not yet been fully closed.
To open a contract with O2, you must provide a name, address and date of birth, as well as your bank details. You must also show proof of identity, such as a driver’s license or passport. Other cell phone providers also ask for proof of address, such as a utility bill.
Those whose identities have been stolen often only find out when letters arrive chasing overdue payments.
Jake Moore, a cybersecurity consultant for software company ESET, says: “O2 is aware of the issue and there is certainly more they can do to protect victims.”
An O2 spokesperson said: “We are always developing our processes to help protect our customers from fraudulent messages.”
j.beard@dailymail.co.uk
Some links in this article may be affiliate links. If you click on it, we may earn a small commission. That helps us fund This Is Money and use it for free. We do not write articles to promote products. We do not allow any commercial relationship to compromise our editorial independence.