Scams and phishing
Help and support
Scams and Phishing | Help & Support | O2
Remember, if someone calls you claiming to be from O2, we would never ask for one-time passcodes, passwords and PINs, or personal information like your bank details. So, make sure you check who they are by asking where they're calling from. If you have any doubts, just give us a call on 202 (free from your O2 mobile) or on 0344 809 0202 (standard UK rates apply) to check. These could be nuisance calls, so see our advice on what to do about them.
Phishing is when fraudsters attempt to get hold of sensitive information such as usernames, passwords, and credit card details, by pretending to be a trustworthy source in an email. When this happens through text message, it’s known as smishing. When someone calls you, it’s vishing.
These scams work by sending you an email or text, or by someone calling you and pretending to be from your bank, service provider, the Police, or another trusted company. The message or caller might ask for personal or financial information, such as personal security details, bank details, one-time codes, or passwords, or they might ask you to visit a fake website that looks real. The site will have a form asking for personal information like usernames, passwords, bank account details, or pins.
These messages or calls can be very convincing and look or sound like genuine messages sent by organisations you already deal with. They might even appear within an existing text message string from an organisation you know, for example, some of ours are ‘My O2’, ‘O2UK’, ‘O2SwapMySim’.
Remember, we will never email, text, or call you and ask for a one-time code, password, or other security information you've set up on your O2 account.
- Signs of a scam
Signs that an email, message or call might not be genuine:
- it contains spelling mistakes
- there’s a generic 'dear customer' header
- it asks you to provide sensitive personal or financial information or passwords, or to make transactions by following a link in the message
- there are suspect links or there’s a name in the header with extra letters, numbers or substitutions. For example, a phishing scam trying to imitate O2 might replace the letter 'O' with the number zero
- it asks you to call a certain number you don’t recognise. In this case, call your bank on a number that you trust, like the one on the back of your card, to check the message is authentic
- the sender uses an urgent tone, telling you to act now.
Receiving a suspicious email, text or call won’t harm you in any way. It’s only dangerous if you interact with it. Remember:
- don’t click on links unless you’re 100% sure they’re genuine
- take a moment to stop and think. Trust your instincts. If it looks suspicious or too good to be true, there’s probably a catch
- don’t give away any of your personal details.
If you're suspicious about an email, text or call, report it immediately.
- More tips to protect yourself
The National Cyber Security Centre (NCSC) offers the following advice to help protect yourself online:
- ton two-factor authentication for important accounts
- protect important accounts using a password of three random words
- create a separate password that you only use for your main email account
- update the software and apps on your devices regularly (ideally set to ‘automatically update’)
- save your passwords in your browser
to protect yourself from being held to ransom, back up important data.
Never assume who's on the other end
Sophisticated scammers can now clone the phone numbers of organisations they want to impersonate. Just because the number on your caller display matches an official number or even displays the name of the company you’re calling; it might not be real. If you’re calling back the company, find the number yourself and don’t use the number they supply. The safest way to contact most UK banks after a supposed fraud call is using the new 159 service. Jump to information about the service here
Beware of calling back instantly
If you’re unsure who’s on the other end of the line, hang up. If the person on the phone says they are from a bank, you can now dial 159 to be put in touch directly with most UK banks. Click here to jump to more information on the 159 service
- 'FluBot' text scam
FluBot is a text message scam that is part of a large-scale smishing attack. Currently, it only affects Android devices and is downloaded under the guise of a message with a link to a tracking app or to retrieve a voicemail. The messages can appear to be from a delivery service like DHL, or other companies like Argos and Amazon.
If you click the link in the message, the malware may automatically download to your device. If the app is installed, the malware can take over your device, allowing more infected text messages to be sent to your contacts without your knowledge. The fraudster could also gain access to your messages and online banking details.
- Reporting a scam email, text or call
Some scams might pretend to be from O2, or from an organisation you already deal with. It's important that we see examples of phishing emails, texts and websites so we can investigate and shut down scammers.
To report a suspicious email:
- for suspicious emails claiming to be from O2, create a new email draft with ‘Phishing’ as the subject. Attach the suspicious email and send it to firstname.lastname@example.org.
- for emails, forward the message to the organisation that it claims to be from. You can look up the email address to send it to on that organisation’s website
To report a suspicious text:
- forward the text message, including phone number or company name, to 7726. It won’t cost you anything and it means we can investigate the sender
- if your phone supports SPAM reporting (currently available if you have an Android device using the Google Messenger App, but others will be available soon), then press the SPAM button to automatically forward the message to 7726.
Information shared to 7726 will be available to all mobile operators, the Information Commissioner’s Office and various approved organisations that are involved in criminal investigations, to enable the to identify the senders. These approved organisations include the National Cyber Security Centre (NCSC) and the Serious Fraud Office (SFO). Information may also be shared with the organisations who are being targeted by the smishing attacks, to help them protect their customers from fraud.
To report a suspicious call:
- If someone calls you saying they're from O2 and they ask for personal information, one-time codes, passwords and PINs, including bank details, make sure you check who they are first. Ask where they're calling from and take a number to call them back.
- If you have any doubts, call us to check - these could be nuisance calls, so see our advice on what to do about them.
- Remember, we’ll never email, text or call you and ask for a one-time code or password, or for any other security information you’ve set up on your O2 account.
You should also report your phishing experiences to email@example.com. The information provided lets law enforcement organisations remove fraudulent sites and identify patterns of attack used by scammers to help us all defend against them.
Think a fraudster might have access to your O2 account? See our fraud advice, and report it to us straight away.
Other sources of help
For more information:
- Take Five to Stop Fraud - straightforward and impartial advice to help you protect yourself against financial fraud
- FFA UK - information about the various types of payment fraud, plus helpful tips and advice
- Action Fraud - the UK’s national reporting centre for fraud and cybercrime
- Get Safe Online – a resource for unbiased, factual and easy-to-understand information on online safety
- Which – advice on scams
- You should also report your phishing experiences to firstname.lastname@example.org. The information provided lets law enforcement organisations remove fraudulent sites, and identify patterns of attack used by the scammers to help us all defend against them