SALLY HAMILTON: I defend readers who have been treated badly by companies, but I have personally lost £4,000 to fraudsters. Here’s how to avoid making the same mistakes

I may be the Ny Breaking’s consumer champion and spend my days helping readers who have been mistreated by companies and organizations – but I’m also a consumer and learned some hard financial lessons last year.

I want to share them with you so you don’t fall into the same pitfalls. It is with great pleasure that I say goodbye to 2024 – the year marked by two major personal financial disasters.

It started with a flood in our home that caused disruption for almost nine months, including a four-month stint in a rental home and a six-figure repair bill. It ended with a fraudster spending £4,000 on my credit card.

But I enter 2025 as an optimist, because it could have been much worse. Although both incidents were stressful and took up a lot of my spare time trying to resolve, I’m glad I didn’t end up with a penny out of pocket – apart from a £500 excess I had to pay for the claim and an insurance premium that doubled upon renewal.

Our home insurer – Zurich – paid our water damage claim in full and Amex reversed the fraudulent charges charged to my credit card. The companies were not told what I do for a job, so a pat on the back for them for providing excellent customer service.

But I did learn important lessons that I hope will benefit readers as well.

Four pipe leak lessons

1. Find your shutoff valve

To avoid a serious downer after the holidays, I urge householders to tell anyone who watches their home how to turn off the water. We were traveling to Australia when a pipe burst in our first floor bathroom, sending water into the kitchen, hallway, sitting room and basement for four days.

The flooding only ended when my son-in-law happened to come and spend the night. He had to wake us up in the middle of the night for instructions on how to turn off the water.

2. Check for policy exclusions

Most insurers place a limit on how long you can leave a property vacant without voiding coverage. We didn’t think about this when we booked our 35-day trip, as our youngest daughter still lived with us.

She was there almost the entire time, except for one long weekend, which happened to coincide with the pipe burst. Our coverage says we can only leave our home unoccupied for 30 days or a claim may be denied. Fortunately, our daughter was able to prove that she also lived there via receipts for online deliveries.

3. Reclaim water bills

We only know how long the water has been escaping because we later checked our Thames Water account online. We have a smart water meter that measures how much we use and a graph on the bill showed a huge jump starting on Thursday afternoon, only to drop again the following Monday, just as our son-in-law found the shut-off valve.

The total that leaked was a shocking 90,000 liters. The text on our account suggested they thought we ‘might’ have a leak. Real? A phone call or text alert would have been more helpful for us and the environment.

I presented this to the company. A spokesperson for Thames Water said: ‘Our smart meters play a vital role in detecting leaks on the customer side, which represent around a third of leaks on our network. Customers with a smart meter can view their most recent water consumption by logging into their customer account.

‘If water consumption indicates a leak, we will share a warning message when they log in. However, we are always looking for ways to improve our communications and continue to look for new ways to better communicate suspected leaks to our customers. ‘

On the plus side, in cases like ours, at least for the first time, Thames Water is reimbursing the cost of the lost water. Our claim saved us £250.

4. Keep calm and keep going

When a flood hits, a home must be dried out before repairs can begin. But first, safety checks must take place, including for damaged electricity and hazards such as asbestos. This takes time and can be stressful. When the drying started, we had 11 heaters and dehumidifiers humming constantly for three weeks. I had to learn that it only lasts as long as it lasts.

Two fraud lessons

1. You have not received any mail

I’ve learned that it pays to be suspicious if your email remains silent for a long period of time. When I stopped receiving personal emails one Saturday in November, I wasn’t worried at first. I thought my provider’s server was down.

But a few hours later – with still no emails – I became concerned. I normally receive at least 50 a day from friends, family, news media and retailers (confirming orders, deliveries and promotions – which became increasingly popular in the run-up to Christmas).

I tried to log in, but my password was not recognized despite several attempts. I contacted customer service to see what was going on. After being on hold for 45 minutes, they did not explain why my account was locked, but simply advised me to change my password and try again. This seemed to work. But the next day the same thing happened and my emails stopped arriving. The account was locked again.

I changed my password again. When I was locked out for the third time, I was very concerned.

Then a neighbor came over and sent an email to our group chat. He said he received a strange response after emailing me as part of a joint mission. The message stated that a person named Eric Manny could not be reached; his own Internet search suggested that the mysterious emailer shared a name with a famous Nigerian singer. I certainly don’t know anyone with that name.

This set alarm bells ringing. I realized that it wasn’t just a technical problem with my email, but that I had been hacked and the villain had somehow denied me access to my mailbox.

Instead of waiting for the helpline again, I looked for guidance on the provider’s website. Signs of a hacked email include strange names appearing in a contact list and setting automatic forwarding to an unrecognized email. Sure enough, I discovered that several gobbledegook contacts had been inserted into my address list and my emails were being forwarded to “Eric Manny.”

As per the guidelines, I removed the fraudulent names and changed my password again. This finally seemed to work and my email went back to normal.

2. Rising credit card bills

There was no damage done by the email hack, other than my frazzled nerves. Or so it seemed. About a week later, I checked my credit card bill for an expected refund for a delayed train trip.

To my horror, I found three transactions online for John Lewis that I didn’t recognize, worth £4,000, all made with my Amex card from an Apple Pay account. I do shop online at John Lewis, but I don’t use Apple Pay, a digital wallet that allows users to add their credit cards so they can shop with their smartphone.

When I reported the fraud, Amex was polite and reassuring. The agent then asked if I had given away one-time passcodes. These are the codes that Amex sends to verify that it is the real cardholder making an online purchase. Customers receive an OTP via text message and/or email.

Each four-digit code is only valid for ten minutes and must be typed into their device. If it is not used or entered incorrectly, the transaction will not go through. A customer can request a new code if they mistyped it or left it for too long to use.

I had only received one OTP in recent weeks – for an actual purchase of a John Lewis microwave. I now suspect that other messages sent were intercepted by fraudsters via my hacked email. What I couldn’t fathom was how my card details had gotten into their hands. Amex made no comment but canceled my card and said the fraud team would investigate.

A few days later I checked the account and saw that the fraudulent payments had been reversed. Amex simply described the purchases as “fraudulent transactions” and said nothing further.

Fortunately, Amex offers customers protection against such frauds and guarantees that fraudulent transactions will be reversed, as long as customers notify them as soon as they notice them.

Readers, check your bank and credit card accounts regularly for suspicious charges. Also add two-factor authentication (2FA) to better protect everything from email to banking from hackers and fraudsters. 2FA can be a password or personal identification number (PIN) first, with the second level of security being a code sent to your phone or email. Additional measures may include facial or fingerprint recognition. And don’t use OTPs unless you are sure they are for a real transaction.

Change your passwords regularly in case your data has been the victim of a data breach.