Scammer got into my o2 account… and ordered the most expensive iPhone

At the beginning of March I called my mobile network O2 to see if I could get a better deal on my £9 a month SIM-only contract. I couldn’t, so I asked to leave.

But the next day I got a call from what I thought was O2’s customer retention department. I was a bit distracted as I was visiting an elderly relative at the time.

The person told me that as a 15 year old customer I could get a ‘loyalty bonus’ which would reduce my bill to £6. I agreed and went through the security questions.

They then told me I could get a free iPhone 14 – that’s when the alarm bells started ringing. I told them I was not going through with the deal and hung up.

I called O2 customer service and was told I had been scammed.

This person had logged into my account using the information I had given them, ordered a new iPhone for £1,750 and signed a £89 a month contract.

It was all in my name, but the address on my account was changed to that of the fraudster in another part of the country so the phone would ring there.

O2 said I would get a call from its fraud investigators, and in the meantime it would lock the phone and my account. But by the time I got the call, the iPhone was already on its way.

The parcel company, DPD, wouldn’t let me cancel it. I called O2 and it said it would be sorted out but it didn’t – so I kept asking DPD to delay delivery for a week.

But a few weeks ago I was emailed an image of it falling on the scammers’ doormat.

I’m afraid I’ll be cut off or get bad credit. I’m having sleepless nights and I’m sick of the whole situation. LH, by email

Helen Crane from This is Money replies: I’m sorry to hear this happened. You told me you used to work for the police and you were ashamed that you didn’t immediately realize that this was a scam.

But rather than embarrassing you, I’d say this shows just how sophisticated fraudsters have become. They also tend to change their tactics once people start checking them out.

You had also perfectly legitimately called O2 the day before – so someone calling you back to offer you a better deal wasn’t a red flag to begin with.

However, it didn’t take long for you to realize what was going on.

The scammer’s offer of a free iPhone – and the latest model at that – was clearly too good to be true.

As if that wasn’t enough, they also told you that you were going to get some emails about this iPhone, but to ignore them.

These would have been the emails you received saying the iPhone was being delivered… to an address halfway across the country. No wonder the scammer didn’t want you to pick them up.

How could this happen? I spoke to O2 about this and it gave me a lot of useful information that I think will help others avoid becoming a victim – so I’ll try to explain.

First, you said that the person you called already had your name and address. Unfortunately, there are millions of data breaches every year – but how do the fraudsters get those details?

O2 told me that international organized crime gangs often buy tens of thousands of customer details in bulk on the dark web to facilitate their scams, employing people day in and day out to call victims in the UK.

It is impossible to know where your data has been leaked from. That could be one of the undoubtedly hundreds of organizations that have access to your name, address and telephone number. This particular scam is happening to mobile phone customers on all networks.

The next question is how the fraudster accessed your O2 account online and ordered the expensive phone.

The most important piece of information here is the one-time passcode – the number you received in a text message while on the phone with the fraudster and then read back. This is also known as a one-time activation code.

These are used by retailers to confirm that someone is who they say they are when placing an order online. If you hadn’t read it to the scammer, he wouldn’t have been able to complete the purchase of the phone.

O2 said it will send a warning message to all customers immediately before they receive the one-time access code them not to give it to anyone over the phone.

But you didn’t see this message until it was too late, because you were on the phone and didn’t see the first message light up – only the second with the passcode.

You were afraid you’d accidentally hang up the phone if you opened the message completely, so you just read it from the preview that flashed.

The most important thing to remember is that legitimate callers will never ask for one-time passcodes, passwords or PINs, or personal information such as your bank details.

If you’re unsure at any point, it’s fine to hang up, find the company’s official number, and call them back.

One thing O2 was less than eager to explain was why it took so long to cancel the iPhone delivery and to clear the charge from your bill.

After all, you were on the phone with the real O2 just minutes after you finished talking to the scammer.

You were verbally told you didn’t have to pay, but constantly trying to cancel the delivery was stressful and seeing a debt of £1,750 in your name left you awake with potentially bad credit.

Since contacting O2 they have assured me that the debt has now been fully written off and erased from your file.

But I still think O2 could have done a lot better here, and I’m surprised it didn’t compensate you.

You’re happy to admit that giving away the access code was your mistake, but you feel like you gave O2 every chance to get this over with quickly and it didn’t work out.

It could have stopped the phone’s order minutes after it was made, but instead kept worrying you for weeks.

You have since voted with your feet and switched to another network.

You may also consider reporting this to Action Fraud.

A spokesman for Virgin Media O2 said: ‘We have taken action to close the fraudulent account in this customer’s name and clear the debt.

“If you get a call with a deal that sounds too good to be true, it probably is.

“Our agents will never ask you for your one-time access code over the phone, so never share it with an unexpected caller, no matter how legitimate they seem.”