“Mobile account security lapse nearly cost me £4,000”

Ombudsman Services | Last updated Mar 31, 2021

We have included this case study because it highlights some of the challenges that consumers face when they are targeted by fraudsters.

The complaint

  • Mr B received a text message saying there was an issue with the payment of his mobile bill.

  • He responded and provided the required details to correct the issue.

  • A week later, Mr B received another message confirming his porting authorisation code (PAC), how to use it and what to do if he hadn’t requested it. For information, Port Authorisation Code allows a customer to transfer a telephone number from one account to another.

  • He took no action initially as he hadn’t requested a PAC and thought the message had been sent in error.

  • A few days later, Mr B noticed that he couldn’t make calls, send messages, or get online with his mobile.

  • Mr B contacted his mobile provider who explained that a PAC had been requested via his online account and used to transfer his phone number to another provider.

  • The provider explained that it appeared Mr B had been sent and responded to a ‘smishing’ message.

  • Mr B then noticed emails from his bank, confirming the account had been accessed from a new device and the password had been changed.

  • He contacted his bank and found that transactions totalling over £4,000 had been made from his account and several lines of credit had been obtained.

  • Mr B managed to reverse the transactions and contacted the mobile provider to complain about the security of the account.

  • He was dissatisfied with the response and asked for compensation.

What the company said

  • The company confirmed it had not requested payment details via text message and that Mr B appeared to have been targeted by a smishing scam.

  • It confirmed it had received a request for Mr B’s PAC via the online account, meaning the fraudster must have had access to his details and security information to gain access.

  • The company confirmed that as soon as Mr B made contact, it raised a fraud marker and investigation on his account.

  • It also reset the security information, cancelled the SIM and account number and issued new ones.

  • While the company sympathised with Mr B, it didn’t think it was responsible for the security breach.

Our investigation

  • We determined that Mr B had been a victim of a smishing scam.

  • After receiving a smishing text, he provided his account login details, which were captured by the fraudsters.

  • Once the PAC had been requested, the company provided the required SMS to Mr B – explaining he should contact the company if he didn’t request the PAC.

  • Mr B didn’t do this, missing the opportunity to secure the account.

Our decision

  • While we empathised with Mr B, we were satisfied that the company had taken all reasonable steps to protect the account by obtaining relevant security information on all account interactions.

  • We were also satisfied the company had provided sufficient information and notice to Mr B of the activity relating to the account.

  • In our view, the company therefore wasn’t responsible for the fraudulent activity on Mr B’s mobile account or bank accounts.

  • We felt that there had been shortfalls in service related to failed call-backs and delays in setting up the account again.

  • The shortfalls would have been of concern to Mr B while he was going through the worry of being a victim of fraud.

  • Therefore, we required a goodwill payment proportionate to the circumstances.