
Scam alert: fake O2 invoice SMS

A convincing fake text message purporting to be from O2 is doing the rounds. Have you received it? Here’s what makes this one particularly dangerous.

Well-crafted smishing texts or phishing emails will always make you look twice, and that’s exactly what I did when I received this one just two days ago.

I’m with O2, so this fake SMS is clearly finding its intended audience. But what made it stand out as worth a second look?

This one’s all about the layout. It mimics a genuine O2 text message almost perfectly, but it’s yet another phishing scam designed to steal your bank details.

A similar smishing text targeted Giffgaff customers back in April, which again attempted to send recipients to a phishing website.

How can you tell it’s a scam?

Despite its slick layout, there are a few signs that you should always look out for when you receive a text message purporting to be from a business:

⚠ It’s asking you to enter bank details by providing a direct link

⚠ It’s attempting to panic you into action by stating that O2 was unable to process your latest bill

⚠ The URL is suspicious, containing the domain ‘invoice142’ – this site is nothing to do with O2

⚠ It’s arrived from a completely random number, separate to any other communication from O2

You can read all our tips on how to spot a scam on our consumer rights pages here.

Even if you’re a customer of the brand, you should always be wary of unsolicited texts. If you’re not sure, get in contact with the company via its official channels and ask directly – especially if you’ve been asked for bank details.

O2 told us:

O2 takes the safety and security of its customers very seriously. O2 will never email, text or call to ask for a one-time code, password, or other security information you’ve set up on your O2 account.

Receiving a suspicious email, text or voice call won’t harm you in any way. It’s only dangerous if you interact with it.

If you’re suspicious, report it immediately. You can report fraudulent text messages by forwarding to 7726. It won’t cost you anything and it means we can investigate the sender.

There’s lots of useful advice and links on our O2 Fraud and Security webpage.

If you think you may have given sensitive information to scammers, let your bank know immediately, then read our guide to getting your money back.

Have you received this fake O2 text? Have you been sent anything similar out of the blue requesting your bank details?

Let us know in the comments.


Comments

The only effective solution that I can see is for companies to stop using links in texts and emails, so that any that do contain links can be regarded as scams. At present there are legitimate uses for links such as for resetting a password but there must be another way of doing this, even if it is not quite so convenient.

I’m not an O2 customer but if I was and received a text or email like the one shown I would log into my account in the normal way and check that all was well. If in doubt I would contact the company.

I do appreciate the effort that George and colleagues at Which? are putting in to raise our awareness of scams, but feel we need a solution that will protect us from future scams.

Good advice about the domain name. But anyone who can’t easily identify the domain name of a URL really shouldn’t be using the internet in any form. It is this ignorance upon which the scammers prey.

Unfortunately, all sorts of folk do now need to use the Internet, e.g. to access Government services via official websites. In some cases there simply are no viable alternatives.

Stewart says:
17 July 2020

Can you please explain to me how to easily spot the difference, when the same company uses several different URLs that are very similar? These are genuine links that I have received by text on my phone from o2 in the last few months.

http://www.o2.co.uk/myo2/viewbill, http://v.o2.co.uk/A6H5r013, http://v.o2.co.uk/X27534y6, o2.co.uk,

As you can see, they are all pretty similar. It is this confusion and most people’s very busy lives upon which the scammers prey. I am not the most intelligent of men, and am not particularly I.T. savvy, but I am by no means stupid, and although I recently did the Which? online quiz/test on spotting fake phishing emails etc., I am still not 100% confident, and I for one find it difficult to tell fake from real sometimes. Any help would be greatly appreciated.

In reply to Stewart, all your links have “o2.co.uk” followed by a slash; that is the domain name, and so those links are genuine. The example given in the article had “invoice142.com” followed by the slash; that was that link’s domain name, which is clearly nothing to do with O2. The text before the domain name (in this case “o2.uk”) is irrelevant and should be ignored. The key part to check is the text immediately before the first slash. Hope that helps.

Mike says:
17 July 2020

http would sound alarm bells to me. Surely a legit company would be https? Why doesn’t Which cover this issue?

Russell says:
18 July 2020

@Mike Telling people to look for https is misleading, because it is very easy for a scam website to set up an SSL certificate on a domain name to create the https.
Looking for “https” and the padlock symbol does not guarantee a safe site.
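
The rule from the replies above (read the domain that sits just before the first slash, and do not treat https as a trust signal), shown as an added example that is not part of the original comments: a Python sketch that extracts the registrable domain from a link and compares it with the one expected for the sender. The function names, the short suffix list and the `/bill` path are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a small hand-picked subset of two-label public suffixes.
# Production code should consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


def host_and_domain(link):
    """Return (hostname, registrable domain) for a link pasted from a text."""
    link = link.strip().rstrip(",.")      # trailing punctuation from the message
    if "://" not in link:
        link = "http://" + link           # bare "o2.co.uk" has no scheme to parse
    host = (urlsplit(link).hostname or "").rstrip(".")
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return host, ".".join(labels[-(suffix_len + 1):])


def check_link(link, expected="o2.co.uk"):
    """Classify a link by registrable domain; the scheme is never consulted."""
    host, domain = host_and_domain(link)
    if domain == expected:
        return ("expected-domain", domain)
    brand = expected.split(".")[0]
    # Labels to the left of the registrable domain are chosen freely by its owner.
    decoy_labels = host[: len(host) - len(domain)].rstrip(".").split(".")
    if brand in decoy_labels:
        return ("brand-in-subdomain", domain)
    return ("other-domain", domain)


# The first four links are the ones quoted in the comments. The last two are
# constructed from the "o2.uk" prefix and "invoice142.com" domain described
# there; the "/bill" path is made up.
SAMPLES = [
    "http://www.o2.co.uk/myo2/viewbill",
    "http://v.o2.co.uk/A6H5r013",
    "http://v.o2.co.uk/X27534y6",
    "o2.co.uk,",
    "http://o2.uk.invoice142.com/bill",
    "https://o2.uk.invoice142.com/bill",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_link(sample), sample)
```

A result of `expected-domain` only says where the link points; it says nothing about who sent the message.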

Mike Shepherd says:
15 July 2020

Well I received the sms today and stupidly clicked on the link. However I realised my mistake and deleted the sms. I gave out no personal information.

I had this same scam message on my mobile and as an email. I am not with O2 which sorted it as a scam.

I agree with wavechange that all legitimate providers should not include links in emails or other messages. If they need you to use a link and you don’t have access to secure messaging they could, perhaps, ask you to email or phone them including a single use key word for them to respond with an email including that word and the necessary link.

I actually find it very helpful when I am sent legitimate links to click.

I do sometimes stop to consider whether or not an email or text is genuine, but it is usually fairly obvious.

It is very convenient and many people are savvy enough to know when the source is legitimate. But there are also many people who are not and who won’t consider whether a seemingly helpful email from an organisation they know might be a fake. We see how many also fall for, to us, more obvious frauds. These are the people we need to protect.

The problem is that the people who you want to protect are the ones who most benefit from links that make the Internet easier to use.

I think attempts to make things safer but harder to use stand little chance of success.

Instead of sending a link a legitimate company could send an email or text asking you to log into your account or to ring them (without providing a number).

This leaves the problem of what to do about resetting passwords, but there must be an alternative to sending a link.

As Malcolm says, the danger is that if the communication appears to be from an organisation we know, we could be caught off-guard.

It seems that making things easier to use has more danger of being used for fraud. I now have to use an app to receive an authentication code before I can make a payment to my credit card provider. We welcome confirmation of payee as another safety step in making a bank transfer. I need a password to look at my energy account. All these make the internet less easy to use but help protect us from being defrauded or making mistakes.

And there’s another, rather important, factor: this two step authentication process, on which many places are now insisting, doesn’t work at all for those of us without mobile coverage.

The default these days is to ask for your mobile to send a text, but that’s no earthly use to us, as we’ve never had mobile coverage.

There is also the problem of older smart phones not able to use the security app. Some providers give the alternative of a card reader to generate a code, I understand.

However, when we complain about insecurity we must surely accept that efforts made to improve it come at some penalty for some. What other options could be used that are universally usable?

WiFi calling allows those with a WiFi router (fairly standard these days) to make and receive mobile calls and I presume that it will also support text messaging.

Companies should give us a choice of ways we can use two factor authentication.

It does seem that there is a prevalent assumption these days that everybody has an internet-enabled smart phone. This is not an inclusive policy but is continuously gaining momentum so the pressure is on to become dependent on internet access, which might have advantages in terms of additional features but many might not be comfortable with it, or be able to afford it – especially if it is necessary to replace them every two or three years in order to keep up-to-date with security.

This is one of the reasons that I feel that there needs to be a choice of ways of making use of two factor authentication, which has become an essential security measure.

And many networks still don’t support wifi calling through a router.

That is another reason why there needs to be a choice for 2FA, but it’s helpful for those who have an unreliable mobile signal.

I think some of my banks offer the use of messages sent to landlines for 2FA, but I’ve not tried that option.

Bella says:
16 July 2020

I had this two days ago, just received it again. I wasn’t sure, so deleted it.

Anne says:
17 July 2020

I had this a few days ago. Realised it was a scam straight away and deleted.

Roman Greig-Pylypczuk says:
17 July 2020

I’ve not had the O2 scam text (though I am on O2), but I have had an almost identical one pretending to be from PayPal. Same script, same story. As luck would have it, I had just done a couple of transactions through PayPal and seen the subsequent statements showing them going through. I contacted PayPal through proper channels & they confirmed that they hadn’t sent the earlier ‘phoney’ text.

June Lowe says:
17 July 2020

Received this message. I am a Tesco customer so supplied by O2. It looked as though they were asking for my bank details so I assumed it was a scam. Checked with my account from a different phone. It was of course in order.

Andrew Heathcote says:
17 July 2020

My answer is to phone the Bank/ company on a number that you use and trust, not one in the text/e mail; they will tell you if they have tried to contact you.

David Lamb says:
17 July 2020

I received this message a week or so ago. I’m with GiffGaff who use the o2 network which indicated it was a scam. For any account related issues I always login online anyway and would never trust an unsolicited text link.

Linda says:
17 July 2020

I received the text about a week ago. Fortunately I deleted it straight away as I no longer have an account with O2.

Gordon says:
17 July 2020

I’ve had two of these texts, from different numbers, so blocking the number does not stop them coming. The first time, I reported it to O2, but frankly they were not particularly interested; they asked me to forward it to them, which I did, but forwarding text messages on an iPhone is not particularly straightforward. With these scammers (Scummers) seemingly able to get hold of customers’ numbers, and no interest by the phone companies to try and track where they originate from, I think this sort of scam is probably here to stay.

I had the O2 text on 4th May but as I am on PAYG with O2, I knew it must be a scam. I have also had the PayPal text on 11th July from +44796164813 but as I haven’t used PayPal for some years, that didn’t bother me. I guess we just have to be more aware and suspicious in these changed times.

Jenny says:
17 July 2020

I am on giffgaff and received this exact message a few days ago. I used 7726 to report it to O2 (who provide giffgaff service).

Karen Humeniuk says:
17 July 2020

I had this text. Thought it was odd as I have my phone through Tesco (although I am aware they use the O2 network). Reported it to the police on their scam aware website.

Anne Holland says:
17 July 2020

I have received this and immediately deleted it, but then that meant I could not report it! I use O2 through another provider, so that highlighted the scam for me right away.

K Harrod says:
17 July 2020

I had the same scam back in Feb or early March, but purporting to be from EE, my provider. I checked the text while doing something else, so didn’t notice the spurious domain name till I’d clicked on the link & entered my EE user name & password. Suddenly alarm bells rang & I immediately changed the EE password, along with passwords to every other important site I could think of & reported the scam to EE. (No online banking, so my bank account was not at risk.) I had regarded myself as quite savvy about scams, but was suitably chastened by my carelessness.

William Ward says:
18 July 2020

I had 2 of these O2 messages yesterday but as I have not been with O2 for a long time I deleted them.

I wouldn’t have replied anyway and would have contacted O2 customer service.

I trust nobody online or txts.

Barry Adams says:
18 July 2020

Yesterday I received the same text supposedly from EE regarding being unable to process my bill – I suspected it was a scam and promptly deleted it.

Gerry says:
18 July 2020

O2 seem very dim. What’s the point in carefully choosing the easily remembered ‘SPAM’ code to report dodgy texts, but then advertising it as the instantly forgettable 7726?