DEAR SALLY:
My son, who is in his 20s, had his iPhone stolen on his way home earlier this year by two guys, one of whom told him he had a knife.
At 8:30 am someone had hacked his phone and taken out a loan
with Halifax for £25,000. The loan was approved and granted at 11am and the money was transferred from my son’s account to someone else’s.
At 3pm my son managed to get a new phone and SIM card, although he discovered he no longer had access to his iCloud storage. When he finally got to his Halifax account, he discovered what had happened.
After two hours on the Halifax helpline, he was told the loan application was legitimate and he was owed the money.
How could such a loan be taken out without an application form and proof of income?
The man on the phone said it was because it was an ‘online loan’. The case was closed and my son was told to make the refunds.
Anon
Sally Hamilton replies: Some aspects of this case will likely surprise and disturb readers, as they did me.
When I read your letter, I was alarmed to hear about your son’s ordeal. It appeared to be an example of a growing form of phone crime, with gangs not only stealing devices in the hope of selling them on for a few quid, but also seeing them as a source of greater wealth.
Our phones are full of personal information that could give criminals the keys they need to access the owner’s online banking, potentially allowing them to plunder their accounts.
You told me that after you reported the incident to Halifax, you alerted the police and an officer was at your door within an hour.
When your son logged into his account the next day, he found a message from his bank stating that he would have to pay over £600 a month for 72 months to repay the loan.
Together you called Halifax. You said an operator explained that the bank considered the application legitimate because the loan had passed your son’s phone and facial ID security steps. It turned out that someone had called the bank at 8:32 a.m. and 11:05 a.m. that day to authorize transactions from the account.
I was baffled at how your son’s phone could provide such easy access to his bank account, especially since it required a PIN or facial recognition to operate it. One possible explanation was that since your son said he was on his phone at the time of the incident, the thieves could have retrieved useful data and taken action before the phone locked itself.
To further determine how the robbers could have hijacked your son’s phone and to find out why Halifax denied his claim, I have asked the bank to reopen your case. To my surprise, I learned that your son had been scammed on another mobile phone – this time stolen from him while he was on the train last year. It appears that a ‘third party’ logged into his banking app from Saudi Arabia and made a payment from his account.
As on the later occasion, the fraudster had apparently used the bank’s login and password details stored in the phone’s Notes app. After this first incident, Halifax refunded your son (£260, you told me) and arranged for his login details to be changed.
Halifax explained that it denied your son’s second claim based on the information it received when he first reported the problem and the “evidence” present in its systems. At that time there had been no report of the police visiting your house. Your son later updated Halifax and confirmed that his banking passwords were saved again in the Notes app.
This provided a partial explanation for how a crook could have deceived Halifax, but the mystery remains as the loan application required additional financial information that was apparently not stored on the phone.
Halifax also says your son was unable to provide details of the police who interviewed him, nor was he able to validate the crime reference numbers provided. She does not believe she did anything wrong by initially denying your son’s claim, but upon review of the case, she believes she could have intervened before the money was lost due to the unusual pattern of activity in the account .
She has therefore decided to settle the loan and remove it from your son’s file.
Hours after a mobile phone was taken by thieves, hackers took out a £25,000 loan
I’m still scratching my head because I find it hard to believe that anyone could be careless enough to be robbed like this twice – and Halifax clearly had his doubts too. If I had been aware of the first incident from the beginning, I might have had reservations about pursuing this case.
Halifax has advised your son that storing login details on his phone is not a secure way to manage his security details, and should he experience a similar incident in the future, Halifax may consider this gross negligence and refuse to refund him.
A Halifax spokesperson said: ‘We have great sympathy for our customer as a victim of theft. It is important that customers let us know as soon as possible if their data has been compromised and provide us with accurate information when making a fraud claim.
‘We strongly advise against saving login details for internet banking on a telephone.’
I hope this case will encourage all readers to be careful about what is accessible on their phones.
Straight to the point
I had to cancel my British Airways holiday to Italy because my husband needs heart surgery. We paid a non-refundable deposit of £150 and a flight upgrade of £68. My refund request has been rejected and we have no travel insurance.
A.D., Pinner.
BA apologizes for your experience. You have received a refund.
I dropped my tanzanite and diamond ring and the tanzanite cracked. A jeweler quoted me £5,510 for a similar stone.
But Lloyds Bank, which handled the insurance claim for Saga, said it would pay just £2,268 for a repair. I asked to pay in cash, but Lloyds said it would only set me back £1,452, minus a £250 excess.
SS, via email.
Lloyds Bank apologizes and says it has offered to repair the ring or make a cash settlement. You opt for a cash settlement and in these cases the amount is equal to the amount that repairs would cost the supplier.
MY partner bought a car from an online dealer and the hood handle didn’t work. We reported it to the dealer, but soon the socket stopped working and an error light appeared. The repairs have still not been made three months later.
D.P., Somerset.
The dealer apologizes and has now repaired the car. Your partner has also received the initial administration costs back.
Last August I booked an Ambassador Cruise Line trip through Reader Offer LTD (ROL). I paid a deposit of £485 in May, but in the following weeks my wife passed away. I asked ROL if I could cancel the cruise but was told I would not get a refund.
RW, via email.
ROL expresses its condolences. Although you have paid a non-refundable deposit and have not purchased travel insurance, ROL and Ambassador Cruise Line have agreed to refund your deposit as a gesture of goodwill.
Scamwatch
Households should beware of scam emails offering financing for solar panels, Action Fraud warns.
Recipients are asked to check if they qualify for financing to cover the initial costs of installing solar panels.
But links in the email ask for personal and financial information that could be used by fraudsters. Clicking on the links can also download malware onto a device.
Action Fraud has received 971 reports of the scam emails in just two weeks.
If you receive the email, do not click on the links. Forward it to report@phishing.gov.uk instead of.
Some links in this article may be affiliate links. If you click on it, we may earn a small commission. That helps us fund This Is Money and keep it free to use. We do not write articles to promote products. We do not allow a commercial relationship to compromise our editorial independence.