Phishing, smishing and vishing advice
We will never email, text or call you and ask for a one-time code, password, or other security information you’ve set up on your O2 account.
Phishing is when fraudsters attempt to get hold of sensitive information such as usernames, passwords, and credit card details, by pretending to be a trustworthy source in an email. When this happens through text message, it’s known as smishing. When someone calls you, it’s vishing.
These scams work by someone emailing, texting or calling you while pretending to be from your bank, service provider, the Police or another trusted company. The message or caller might ask for personal or financial information such as personal security details, bank details, one-time codes or passwords, or they might ask you to visit a fake website that looks real. The site will have a form asking for personal information like usernames, passwords, bank account details or PINs.
These messages or calls can be very convincing and look or sound like genuine messages sent by organisations you already deal with. They might even appear within an existing text message string from an organisation you know, for example, some of ours are ‘My O2’, ‘o2uk’, ‘O2SwapMySim’.
Signs of a phishing, smishing or vishing scam
Signs that an email, message or call might not be genuine:
- it contains spelling mistakes
- there’s a generic 'dear customer' header
- it asks you to provide sensitive personal or financial information, passwords, or to make transactions by following a link in the message
- there are suspect links or there’s a name in the header with extra letters, numbers or substitutions. For example, a phishing scam trying to imitate O2 might replace the letter 'O' with the number zero
- it asks you to call a certain number you don’t recognise. In this case, call your bank on a number that you trust, like the one on the back of your card, to check the message is authentic
- the sender uses an urgent tone, telling you to act now.
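The signs listed above can be checked mechanically. The following is an added example, not O2's own code: the sender names come from this page, while the lookalike map, phrase lists and sample messages are constructed for illustration. An exact sender name produces no sender sign, because a scam text can appear inside an existing genuine thread, so the content checks always run.

```python
import difflib
import re
from urllib.parse import urlsplit

# Sender names the page lists as genuine O2 text-message IDs.
KNOWN_SENDERS = ["My O2", "o2uk", "O2SwapMySim"]
# Constructed, non-exhaustive lookalike map (the page's example is 0 for O).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
LINK = re.compile(r"https?://[^\s<>\"']+", re.I)
# Constructed phrase lists for three of the signs; tune for real traffic.
CHECKS = [
    ("generic greeting", re.compile(r"\bdear (customer|user|client)\b", re.I)),
    ("urgent tone", re.compile(r"\b(act now|immediately|urgent)\b", re.I)),
    ("asks for security information", re.compile(r"\b(one[- ]time code|password|pin|bank details)\b", re.I)),
]

def skeleton(text):
    """Lower-case, map lookalike characters, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LOOKALIKES))

def sender_sign(sender):
    """Flag a sender name that is close to, but not exactly, a known one."""
    if sender in KNOWN_SENDERS:
        return None  # exact names can be spoofed, so content checks still run
    known = {skeleton(k): k for k in KNOWN_SENDERS}
    close = difflib.get_close_matches(skeleton(sender), list(known), n=1, cutoff=0.85)
    return f"sender imitates '{known[close[0]]}'" if close else None

def link_sign(body):
    """Flag a link whose host has a label that only reads as 'o2' after mapping."""
    for url in LINK.findall(body):
        host = urlsplit(url).hostname or ""
        for label in re.split(r"[.-]", host):
            if skeleton(label) == "o2" and label != "o2":
                return f"lookalike link host '{host}'"

def signs(sender, body):
    """Return the warning signs found in one message, sender and link first."""
    found = [s for s in (sender_sign(sender), link_sign(body)) if s]
    return found + [name for name, rx in CHECKS if rx.search(body)]

# Constructed sample messages (not real traffic); .example hosts are reserved.
SAMPLES = [
    ("My 02", "Dear customer, act now: confirm your password at http://my-02.example/login"),
    ("My O2", "Reply with the one-time code we just sent you."),
    ("My O2", "Your latest bill is ready to view in the app."),
]
if __name__ == "__main__":
    for sender, body in SAMPLES: print(sender, "->", signs(sender, body))
```

An empty result only means none of these heuristics fired; it does not show that a message is genuine.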
Receiving a suspicious email, text or voice call won’t harm you in any way. It’s only dangerous if you interact with it. Remember:
- don’t click on links unless you’re 100% sure they’re genuine
- take a moment to stop and think. Trust your instincts. If it looks suspicious or too good to be true, there’s probably a catch
- don’t give away any of your personal details
If you're suspicious about an email, text or call, report it immediately.
Reporting a scam email, text or call
Some scams might pretend to be from O2, or from an organisation you already deal with. It's important that we see examples of phishing emails, texts and websites so we can investigate and shut down scammers. To report a suspicious email, text or website:
- Forward the text message, including phone number or company name, to 7726. It won’t cost you anything and it means we can investigate the sender
- If your phone supports SPAM reporting (currently available if you have an Android device using the Google Messenger App, but others will be available soon), then press the SPAM button to automatically forward the message to 7726.
- Information shared to 7726 will be available to all mobile operators, the Information Commissioner's Office and various approved organisations who are involved in criminal investigations (including the National Cyber Security Centre (NCSC) and Serious Fraud Office (SFO)) to enable them to identify the senders. Information may also be shared with the organisations who are being targeted by the smishing attacks to help them protect their customers from fraud.
- For emails, forward the message to the organisation that it claims to be from. You can look up the email address to send it to on that organisation’s website
- For suspicious emails claiming to be from O2, create a new email draft with ‘Phishing’ as the subject. Attach the suspicious email and send it to firstname.lastname@example.org.
Remember, if someone calls you saying they're from O2 and they ask for personal information, one-time codes, passwords and PINs, including bank details, make sure you check who they are first. Ask where they're calling from and take a number to call them back. If you have any doubts, call us to check - these could be nuisance calls, so see our advice on what to do about them.
Think a fraudster might have access to your O2 account? See our fraud advice, and report it to us straight away.
For more information:
- Take Five to Stop Fraud - straightforward and impartial advice to help you protect yourself against financial fraud
- FFA UK - information about the various types of payment fraud, plus helpful tips and advice
- Action Fraud - the UK’s national reporting centre for fraud and cybercrime
- Get Safe Online – a resource for unbiased, factual and easy-to-understand information on online safety.
- Which – advice on scams
- You should also report your phishing experiences to email@example.com. The information provided lets law enforcement organisations remove fraudulent sites, and identify patterns of attack used by the scammers to help us all defend against them.
The National Cyber Security Centre (NCSC) offers the following advice to help protect yourself online:
- Turn on two-factor authentication for important accounts
- Protect important accounts using a password of three random words
- Create a separate password that you only use for your main email account
- Update the software and apps on your devices regularly (ideally set to ‘automatically update’)
- Save your passwords in your browser
- To protect yourself from being held to ransom, back up important data.