This is a guest post from a 10ways user
I first noticed that my phone was showing ‘no service’ at about 6pm on Thursday for my carrier EE. With functionality / wifi etc still being OK with my phone – I tweeted EE, removed and replaced my SIM card, soft reset my phone …. but still nothing. The next morning I awoke and it was still showing no service. I contacted EE via Skype and spoke with an agent who requested characters from my password – which I was told were incorrect. I answered further security questions and then started speaking to the agent about the fact I was having no service. It was only when they enquired as to whether I had received my replacement SIM yet that I realised something was wrong. At this stage however I had no idea just how wrong things were ….
The fraudster obviously had some of my personal information (name, address, DOB, email address, password for email) and I do not know exactly how they got this information but I was a TALKTALK customer when they had their massive security leak last year and they have never confirmed to me that my information was not affected.
The fraudster contacted EE (with some of my personal data) posing as me, requesting a replacement SIM card to be sent out. (EE have as yet been most unforthcoming with this information – as to whether they sent the SIM card out to my home address and intercepted the post, or if they allowed the imposter to update the address and have the SIM card sent here.) EE allowed the imposter to access my account and change the password on my account – so I am not ruling anything out. Once the imposter had my new SIM card (this is when my phone started showing NO SERVICE) they firstly got access to my email account by basically putting in my email via webmail and selecting ‘forgotten password’ (with my email provider they will text out a code / temporary password to your mobile).
Having gained access to my email account, they then accessed my PayPal account and current bank account in much the same way (putting in all information they knew then selecting ‘forgotten password’, the reminders for which were then sent to either my email or mobile …. all of which they now had). Having taken control of my phone and my primary email they then got my PayPal account and my bank current account. Within my current account …. they had made some small online transactions for pence and pounds to some charities which were ‘pending’ but on speaking to the fraud department they had also tried to make numerous purchases for £1000s to Harrods and other high spec retail outlets …. which had been flagged as fraudulent anyway.
After learning that a replacement SIM had been sent out by EE – I immediately cancelled this and requested a new one. I then tried accessing all my accounts that I could think of : email …. breached and my password had been changed, PayPal …. breached and my password had been changed, bank account ….. breached and my password had been changed …. the day continued like that.
I managed to go through data protection myself with these companies (some of which were impossibly detailed – for example my current account accessed my credit file to ask me questions on there to prove my identity) but at the end of the day – I had regained control of my accounts …. well at least I hope I did! It was really very lucky that I had contacted EE within 20hrs of my phone showing NO SERVICE. The payments in pending will ultimately be refunded and the far larger payments that the fraud department stopped anyway are currently being investigated. I am requesting the recorded conversations with my imposter and EE – to hear exactly what was said, if adequate data protection was actually carried out by EE on this occasion and ultimately so I can determine whether I may personally know my imposter.
It looks like I caught it before it got out of hand …. the large payments made from my current account had already been flagged up as fraudulent and the smaller payments I think were ‘testing the water’ as to the limits of my current account. All of my passwords have now been changed across all my accounts (not just my financial accounts but my social media stuff) and obviously this is very time-consuming – but they have been into and seen the contents of my primary email address so I need to be sure.
The police told me very little on 101 – but my bank's fraud department have told me that Action Fraud will be in touch.
All the different fraud departments from the financial groups I spoke to today agreed on one thing however – this could never have happened if EE had not sent out a replacement SIM card to someone who was not me. I feel on this occasion EE either operate a very lax data protection policy or an EE agent did not go through data protection correctly – or was ‘socially engineered’ into giving out my information to someone who wasn’t me.
Specific to this type of fraud that I have encountered …. if your phone is showing NO SERVICE – constantly for a period of 30 minutes or more …. contact your carrier immediately.
Other than that, be vigilant with your passwords – using the same passwords for all your accounts is a surefire way of making it easy for the imposter to infiltrate many aspects of your life online.