Three handed my new phone Sim to a fraudster and they took £3,235 from my Coinbase: CRANE ON THE CASE

Last Saturday, I suddenly lost service on my Three mobile phone and this happened intermittently for the next couple of days.

On the Monday, a large amount of money – £3,235 – was withdrawn from my Coinbase cryptocurrency account which I manage through an app.

It appears someone has duplicated my phone’s Sim card and was able to get into my Coinbase app through that.

Locked out: H.J lost access to his phone after a fraudster ordered a replacement Sim 

While Three has now cut off the duplicate Sim, most of the customer service staff don’t seem to understand what Sim swap fraud is. 

They can’t explain how this person was able to pass security checks and order the Sim – or if I can get my money back.

I have contacted Coinbase but haven’t had any answers yet. Can you help? H.J

Helen Crane, This is Money’s consumer champion, replies: Getting hold of our mobiles is the lodestar for scammers right now.

Often they will snatch the phones from our hands before raiding our bank accounts, but unfortunately there is a way they can worm their way into them without even needing to do that.

It is called Sim swap fraud and it sounds as if you are the latest victim.

This is where a fraudster persuades your mobile phone network to send them a replacement Sim card for your number, which they then put into another device.

CRANE ON THE CASE 

Our weekly column sees This is Money consumer expert Helen Crane tackle reader problems and shine the light on companies doing both good and bad.

This means they can receive texts and calls intended for you. 

If the scammer also has information such as your usernames or email addresses, they could potentially reset the passwords for your banking and other money apps, as they would be able to pass the two-factor authentication checks which usually rely on copying a code received in a text message. 

The first the legitimate customer will hear of it is when their phone service suddenly drops out, because their number is now being used elsewhere.

When you initially contacted Three after discovering the fraud, it agreed to cancel the duplicate Sim and sent you a new one.

But when you asked it to look further into how this happened and asked whether it would compensate you for the money you lost as a result, its response was slow and confused.

Some of those you spoke to referred to your phone being lost or stolen, which it never was. You repeatedly had to point out that you were a victim of Sim swap fraud, and that the person who ordered the new Sim was not you. 

I was astounded that it was so easy for this trickster to persuade Three to send them a Sim card with your number.

I contacted the network to ask what checks were undertaken, why this person was able to pass them – and whether it would pay you back for the money you lost.

First, it asked me if you thought a replacement Sim had been requested for your phone, and what the evidence was of that – despite you having told Three this so many times. 

You also have a record of an online chat with Three itself where it told you a Sim had been ordered. I can understand why you were so frustrated with their response.  

Once we established the details, Three told me that the fraudster would have had to go through stringent security checks to get your replacement Sim.

No service: The first sign of the scam was when our reader's phone signal dropped for a period

Though it did not reveal the specifics of what was asked, it said the fraudster already had your personal information and was therefore able to pass them.

Based on a phone conversation you had with Three, you believe that the checks only involved a one-time passcode being sent to your email address, and that no extra security questions were asked. 

If that is the case, I don’t think it is anywhere near stringent enough. It means anyone who has hacked into someone’s email account can also get into their phone.

Sim swap fraud has been happening for years, and an investigation by the BBC’s Watchdog programme in 2018 found that O2 and Vodafone both handed out replacement Sim cards to potential criminals without completing proper ID checks, so this is not without precedent. 

Three said that the Sim card received was a digital eSim, which the fraudster would have needed to get into your email account to access.

Therefore, it is assuming that the fraudster had already hacked into your email account, which was something you suspected. You have now closed it and set up a new one. 

In other cases of Sim swap fraud, it is thought scammers have been able to piece together enough information to pass these checks from a combination of things like seeing a passport or driving licence, knowing someone’s address or the last four digits of their debit or credit card number.  

As the fraudster got the information to pass the checks from ‘other sources,’ Three says it will not refund you for the money lost.

The other reason Three gave for not refunding you was that the loss of the Coinbase money occurred before you notified Three of the fraud.

That doesn’t stack up in my view. Losing service on your phone can happen for a number of reasons, and you wouldn’t have immediately suspected fraud. 

You also didn’t initially realise that money had been taken from your Coinbase, as your password had been changed. It took some time to regain this access. 

A Three spokesman said: ‘We take the security of our customers’ phone numbers very seriously. The fight against fraud is constantly evolving due to the changing tactics of criminals, so we continuously review our processes.

‘We have a manual validation process in place, and in this case, a third party had obtained the information required to access [the customer’s] account from other sources.

‘They were therefore able to pass the validation process, and subsequently access [his] email account to retrieve the eSim. The financial loss experienced occurred prior to Three being notified of the situation on 20 March.’

It has put extra security measures on your account going forward, as well as offering you a goodwill gesture of £100 in light of the time it took to look into the problem.

But that still left you more than £3,000 in the red.

Hacked: It seems likely that the fraudster got access to H.J's emails, enabling the scam

I decided to contact Coinbase, to see if it would help you get your money back – but I didn’t hold out much hope of this happening. 

The fraudsters had not got into your account through any fault of Coinbase’s, and crypto platforms can’t attempt to claw back money directly from scammers in the same way banks are sometimes able to. 

However, I am pleased to say I was wrong. Coinbase told me it is piloting a new service for UK customers called the Coinbase Account Guarantee.

It means that, if someone gains unauthorised access to your account, you may be able to get reimbursed up to £150,000 – subject to conditions such as filing a police report, having previously completed ‘know your customer’ security checks and having had your account open for at least 30 days.

This is a one-off and customers cannot use the service a second time, even if they are scammed again.

Coinbase told me it believed you would qualify, so I encouraged you to apply.

It was a relatively arduous process, with you having to get hold of a full police report on your case which took around a month. 

However, it worked, and a few weeks later, you were repaid £2,200.

That is less than what you lost, because instead of refunding you in cash Coinbase has refunded you the same number of crypto coins you had when the fraudster transferred them out.

Unfortunately the coins you hold have lost value since then, but that is the name of the crypto game and you are still pleased to have got the bulk of what you lost back.

While you were in the refund process with Coinbase, Three contacted both you and me to ask where you had got to and if it looked likely to refund you.

This is unusual in my experience, and suggested to me that it was waiting to see whether Coinbase would refund you before considering its own position – though Three says this was not the case.

If it had decided to pay you back, it would have saved you weeks of your time going back and forth trying to get police reports, for one.

While the scammer may have got to your email account first, I do think Three has failed you here. 

It, and other phone networks, should seriously consider upping their security checks when someone orders a replacement Sim – as it is clear the current system isn’t working. 
