Ombudsman Services | Last updated Mar 31, 2021
We have included this case study because it highlights some of the challenges that consumers face when they are targeted by fraudsters.
Mr B received a text message saying there was an issue with the payment of his mobile bill.
He responded and provided the required details to correct the issue.
A week later, Mr B received another message confirming his porting authorisation code (PAC), how to use it and what to do if he hadn’t requested it. For information, Port Authorisation Code allows a customer to transfer a telephone number from one account to another.
He took no action initially as he hadn’t requested a PAC and thought the message had been sent in error.
A few days later, Mr B noticed that he couldn’t make calls, send messages, or get online with his mobile.
Mr B contacted his mobile provider who explained that a PAC had been requested via his online account and used to transfer his phone number to another provider.
The provider explained that it appeared Mr B had been sent and responded to a ‘smishing’ message.
Mr B then noticed emails from his bank, confirming the account had been accessed from a new device and the password had been changed.
He contacted his bank and found that transactions totalling over £4,000 had been made from his account and several lines of credit had been obtained.
Mr B managed to reverse the transactions and contacted the mobile provider to complain about the security of the account.
He was dissatisfied with the response and asked for compensation.
The company confirmed it had not requested payment details via text message and that Mr B appeared to have been targeted by a smishing scam.
It confirmed it had received a request for Mr B’s PAC via the online account, meaning the fraudster must have had access to his details and security information to gain access.
The company confirmed that as soon as Mr B made contact, it raised a fraud marker and investigation on his account.
It also reset the security information, cancelled the SIM and account number and issued new ones.
While the company sympathised with Mr B, it didn’t think it was responsible for the security breach.
We determined that Mr B had been a victim of a smishing scam.
After receiving a smishing text, he provided his account login details, which were captured by the fraudsters.
Once the PAC had been requested, the company provided the required SMS to Mr B – explaining he should contact the company if he didn’t request the PAC.
Mr B didn’t do this, missing the opportunity to secure the account.
While we empathised with Mr B, we were satisfied that the company had taken all reasonable steps to protect the account by obtaining relevant security information on all account interactions.
We were also satisfied the company had provided sufficient information and notice to Mr B of the activity relating to the account.
In our view, the company therefore wasn’t responsible for the fraudulent activity on Mr B’s mobile account or bank accounts.
We felt that there had been shortfalls in service related to failed call-backs and delays in setting up the account again.
The shortfalls would have been of concern to Mr B while he was going through the worry of being a victim of fraud.
Therefore, we required a goodwill payment proportionate to the circumstances.