It’s the worst-kept secret in the industry, discussed in high-level anti-scam meetings at Britain’s biggest banks and telecoms companies.
According to insiders, one major phone network provider is shamefully lagging behind its peers in the fight against fraudsters — O2.
Today, a group representing all the big UK banks and tech giants Microsoft, Meta and Google accuses O2 of allowing far more scam text messages to reach its customers than other networks do.
Simon Miller of Stop Scams UK, the leading cross-industry anti-fraud group says that in 99 cases out of 100, anyone who says they have had a message from a scammer is with O2.
Weak security: Stop Scams UK says that in 99 cases out of 100, anyone who says they have had a message from a scammer is with O2.
It is a major — and very rare — intervention by an industry collaborative body in publicly shaming a company.
The UK’s largest mobile network has been leaving millions of customers exposed to scam text messages and calls, experts say, because it has taken years longer than rivals to implement anti-spam shields that stop scam messages reaching mobile phone users.
O2 provides 34.1 million mobile phone connections — and as well as millions of regular customers, many vital services rely on its network, including more than half of the UK’s police forces, many ambulance and fire services, councils and Network Rail.
Here, we identify three areas in which O2 is letting down its customers.
Slow to stem the tide of scam texts
Simon Miller, of Stop Scams UK, the leading cross-industry anti-fraud group, says that in 99 cases out of 100, anyone who says they have had a message from a scammer is with O2.
Unlike BT, EE, TalkTalk and Three, O2 is not a member of Stop Scams UK, which is made up of Britain’s largest businesses from across the banking, telecoms and technology sectors, including HSBC, NatWest, Nationwide, Microsoft, Meta (which owns Facebook and WhatsApp) and Google, among others.
Mr Miller, the association’s director of policy and former head of government affairs at mobile network Three, says O2 has been slower than its rivals to introduce new anti-scamming systems.
‘They are farther behind with the installation of important shields,’ he says. ‘For every message that gets through, it is a big risk.’
Most major network providers have built firewalls and spam shields capable of blocking malicious and fraudulent text messages.
Lagging behind: Industry experts say O2 has taken years longer than rivals to implement anti-spam shields that stop scam messages getting through to mobile phone users
‘Three introduced a spam shield three years ago and BT was hot on its heels. Others have followed suit but O2 has been very slow,’ Mr Miller adds.
O2 finally installed its own complete firewall solution at the end of last year. But experts say it has taken years longer than its peers, letting hundreds of millions of scam texts slip through the net.
A spokesman for O2 told Money Mail that other operators were ‘slightly ahead of us’ in implementing the newer shield but said it was by a matter of months. They added that the network did have a legacy firewall in place for several years to tackle the problem.
Mr Miller says that because the artificial intelligence technology is in its infancy, it will be less well developed because it becomes more intelligent the longer it runs. This means a fair number of scam texts may not be stopped.
O2 says its system is still robust but not yet fully automated, so it requires manual checking. It adds that the long-awaited technology blocked almost 27 million scam messages within the first three months of 2023.
However, experts say this shows the scale of the number of messages that were able to reach O2 users during the time it took to put the technology in place.
For every month of delays, millions of texts and calls can slip through the net.
Network provider Three says it has blocked more than 100 million messages every year.
In October 2021, EE launched its own anti-spam filter and has prevented 329 million scam SMS messages from reaching customers.
The fraudsters’ main tactic over the past decade has been ‘number spoofing’, where they use technology to pose as your friend, family member, bank, telecoms provider or a government body.
These messages and calls can be highly believable because the name of the institution or person the crook is posing as will flash up on your phone screen.
Spoof calls cause mayhem
From May, phone companies must block ‘spoof’ numbers used by scammers to pose as trusted brands, under new Ofcom rules.
They will also be required to block calls from abroad spoofing a UK caller ID, and numbers on Ofcom’s ‘do not originate’ list. These include those that banks and government departments never use for outbound calls.
Some companies have already implemented these new measures, including TalkTalk, which says there had been a 65 pc fall in complaints about scam calls since.
BT-owned network EE has blocked more than 70 million scam calls already, as it filters out international numbers operating as a UK number.
In August 2022, it launched upgraded technology which blocks up to a million international scam calls a day.
But this has not yet been implemented at O2. A spokesman says the company is still in the process and working closely with Ofcom.
Top scam: ‘Number spoofing’ is where fraudsters use technology to pose as your friend, family member, bank, telecoms provider or a government body such as the tax office
Loopholes let scammers in
Susan Manton, from Kidderminster in Worcestershire, thought nothing of it when she received a call in March and the number flashed up as O2 — her mobile provider.
The 67-year-old retired court support officer was delighted to hear that her monthly bill could be reduced to £11.50 — and that she was eligible for a free Apple watch as a loyal customer.
The caller sent a four-digit Pin, which she read out. But the Apple watch never arrived and her next phone bill showed that new devices had been added to her account, costing £71.07 a month.
‘I called O2 because my bill is usually no more than £20. That’s when I found I’d been scammed.’
The fraudster hijacked Susan’s account by trying to log in on the O2 website and claiming to have forgotten the password.
A one-time access code was sent to Susan’s phone. Her reading this back allowed the scammer to sign in and order new devices to an address of their choosing.
O2 customer services said Susan would receive a call from its fraud team. But no call came.
After the Mail got involved, O2 closed the orders. As a gesture of goodwill, it issued a credit on Susan’s account to cover one monthly bill.
A spokesman says: ‘Any time we send customers a one-time access code, it is preceded by a separate message making clear that we would never contact a customer and ask them to share this over the phone, and that the code should not be shared with anybody else.’
Money Mail revealed in February last year that security flaws allowed fraudsters to take out O2 contracts in innocent people’s names. Yet that loophole still has not been fully closed.
To open a contract with O2, you need to give a name, address and date of birth, as well as your bank details. You also have to show a form of ID such as a driving licence or passport. Other mobile phone providers ask for proof of address, too, such as a utility bill.
Those whose identities are stolen often find out only when letters chasing late payments arrive.
Jake Moore, a cybersecurity adviser for software firm ESET, says: ‘O2 is aware of the problem and there’s definitely more they can do to protect victims.’
An O2 spokesperson said: ‘Scammers are working in increasingly sophisticated ways and we are always evolving our processes to help protect our customers from fraudulent messages.
Last year, we implemented a new SMS blocking tool, replacing our legacy solution, which is already blocking millions of fraudulent text messages each month, which is in addition to existing measures already in place that help protect customers from scams. We also prevented more than £70m worth of fraudulent activity last year.’