‘Scammers failed three security checks — who let them into my account?’

When Sally Carroll’s phone stopped working, her network told her it was a technical issue. Five days later, it admitted that a scammer had gained access to her account and stolen her phone number — despite failing the security check three times.

A year ago, Sally, 77, a former paediatric nurse from Kent who was awarded an MBE after founding the charity Transport for Sick Children, had called Utility Warehouse to ask for her husband, Kevin, to be taken off the account. He had been diagnosed with dementia. Sally had an energy, broadband and mobile phone contract with the company, and had been a customer for decades.

On 21 and 22 January this year, Utility Warehouse was called three times by an unknown man claiming to be Kevin, even though Kevin was in a care home and did not have the capacity to make such a call.

On the first two attempts, the scammer failed to correctly answer personal security questions about the account. But on the third attempt, he was given a PAC code (Port Authorisation Code), which is a 9-digit code that allows you to move your mobile phone number to a new network.

The fraudster was also given Sally’s Utility Warehouse account number, her bank sort code and the last four digits of her bank account number. He was told details of her recent bill and learnt that she had a cashback card with the company. He used these details, alongside the stolen phone number, to set up an Apple Pay account on a new phone and was able to make contactless card payments from her bank account.

The fraudster then spent £300 in nine separate transactions at Bluewater shopping centre in Kent, before Sally’s family realised what had happened and had her cards blocked. The money was reimbursed by her bank, but the incident upset her deeply and triggered heart rhythm problems.


Sally said: “It’s awful. I can feel myself churning up thinking about it. I have stopped doing anything online. I have started using a chequebook. I don’t trust anybody. And since then, I have had a lot more strange phone calls.”

Fraud is now the UK’s most common crime, but only a fraction of cases lead to a prosecution. According to a 2023 public accounts committee report, it accounted for about 41 per cent of crime in England and Wales in the year to June 2022, but only about 1 per cent of police personnel were dedicated to fraud. More than £10 billion is estimated to have been stolen by scammers since 2015, according to the trade association UK Finance.

Jake Moore, an adviser at the cybersecurity firm ESET, said the type of fraud that Sally was a victim of is often known as human hacking because scammers play on the goodwill of customer service staff to bypass security tests. He said: “Helpdesks are, ironically, very helpful.”

Moore recently called a company impersonating his friend — for research purposes and with said friend’s permission. “I bypassed security just by knowing his phone number, his name and guessing two digits of his four-digit security code. I didn’t test it multiple times, but I had a feeling they would have probably helped me until I got through.”

He said that big companies needed to beef up security processes to prevent the theft of phone numbers. He said: “Our phones are our identities. If you lose access to your phone number you’re also losing access to multiple accounts.”

He also advised customers to put security passwords on their accounts with their phone company and to make sure this is not a number connected to them — such as a birthday or anniversary — because these can easily be guessed by scammers watching what we post online.

‘Mum didn’t even know what a PAC code was’

Sally spent days trying to speak to someone at Utility Warehouse to understand why her mobile phone had no signal and had stopped connecting to the network. When she called the firm for a third time, five days after the scammer had stolen her number, she was told that the system was rebooting. At this point Sally’s daughters — Jane and Alice — stepped in to help.

Jane, 46, was told on January 28 that the “account holder” had requested a PAC code to switch the phone to a different network. Jane told the company that her mother didn’t even know what a PAC code was.

Jane said: “I don’t understand how it didn’t ring alarm bells for anybody, even after three call attempts from the scammer.”

Sally said: “At no point did they actually admit how much information they had given away.”

Despite repeated calls and complaints from the family, it was not until March that Utility Warehouse admitted the extent of the information it had given away. It has now referred itself to the Information Commissioner’s Office, a watchdog, over the breach.

‘My daughters have spent so much time trying to resolve this’

Sally and her daughters: from left: Catherine Carroll, Jane Keane-Williams and Alice Carroll

The family is now transferring all Sally’s accounts away from the company.

At first, Utility Warehouse offered £100 compensation. After contact from The Times this offer was increased to £600 and the company said it was sending flowers.

Sally said the money would be shared with her daughters to thank them for the time they spent trying to help her. “The cost to them alone of dealing with this, their hours of work lost, barely covers the £600 gift. They have spent so much time resolving this.”

Utility Warehouse apologised for the stress it had caused and the time it had taken to resolve. The apology flowers have still not arrived.

It said: “We let her down, and we’re committed to making it right. We take fraud very seriously and are reviewing what went wrong — we want to fix it for Mrs Carroll, and make sure we’re learning the right lessons to protect all our customers from fraud. We’ve spoken to Mrs Carroll about a resolution and are following through on everything we agreed. We’ll be writing to her to reiterate our apology and confirm compensation.”
