If your energy supplier has ceased trading, we’ll provide an update on your case as soon as Ofgem nominate a 'Supplier of Last Resort' to take over as your new supplier. Until that time we appreciate your patience and recommend you take a meter reading.

More information on our SoLR process is available here.

“Mobile account security lapse nearly cost me £4,000”

Ombudsman Services | Last updated Mar 31, 2021

We have included this case study because it highlights some of the challenges that consumers face when they are targeted by fraudsters.

The complaint

  • Mr B received a text message saying there was an issue with the payment of his mobile bill.

  • He responded and provided the required details to correct the issue.

  • A week later, Mr B received another message confirming his porting authorisation code (PAC), how to use it and what to do if he hadn’t requested it. For information, Port Authorisation Code allows a customer to transfer a telephone number from one account to another.

  • He took no action initially as he hadn’t requested a PAC and thought the message had been sent in error.

  • A few days later, Mr B noticed that he couldn’t make calls, send messages, or get online with his mobile.

  • Mr B contacted his mobile provider who explained that a PAC had been requested via his online account and used to transfer his phone number to another provider.

  • The provider explained that it appeared Mr B had been sent and responded to a ‘smishing’ message.

  • Mr B then noticed emails from his bank, confirming the account had been accessed from a new device and the password had been changed.

  • He contacted his bank and found that transactions totalling over £4,000 had been made from his account and several lines of credit had been obtained.

  • Mr B managed to reverse the transactions and contacted the mobile provider to complain about the security of the account.

  • He was dissatisfied with the response and asked for compensation.

What the company said

  • The company confirmed it had not requested payment details via text message and that Mr B appeared to have been targeted by a smishing scam.

  • It confirmed it had received a request for Mr B’s PAC via the online account, meaning the fraudster must have had access to his details and security information to gain access.

  • The company confirmed that as soon as Mr B made contact, it raised a fraud marker and investigation on his account.

  • It also reset the security information, cancelled the SIM and account number and issued new ones.

  • While the company sympathised with Mr B, it didn’t think it was responsible for the security breach.

Our investigation

  • We determined that Mr B had been a victim of a smishing scam.

  • After receiving a smishing text, he provided his account login details, which were captured by the fraudsters.

  • Once the PAC had been requested, the company provided the required SMS to Mr B – explaining he should contact the company if he didn’t request the PAC.

  • Mr B didn’t do this, missing the opportunity to secure the account.

Our decision

  • While we empathised with Mr B, we were satisfied that the company had taken all reasonable steps to protect the account by obtaining relevant security information on all account interactions.

  • We were also satisfied the company had provided sufficient information and notice to Mr B of the activity relating to the account.

  • In our view, the company therefore wasn’t responsible for the fraudulent activity on Mr B’s mobile account or bank accounts.

  • We felt that there had been shortfalls in service related to failed call-backs and delays in setting up the account again.

  • The shortfalls would have been of concern to Mr B while he was going through the worry of being a victim of fraud.

  • Therefore, we required a goodwill payment proportionate to the circumstances.

We use cookies to give you the best experience. By continuing to use our website, you are consenting to the use of cookies as set out in our policy. Find out more