Customers urged to be aware of port-out and SMS phishing schemes

TSB’s IT meltdown that saw 1.9 million customers lose access to their online banking services is going to be investigated by the Financial Conduct Authority (FCA).  Last week CEO Paul Pester came under fire by MPs after it emerged that 2,200 customers had suffered fraudulent attempts to access their accounts.  Reports estimate that the technology failures have already cost the bank around 70 million pounds, with 1,300 receiving compensation.

According to figures, 70 times the normal level of fraud attacks were seen last month.  Action Fraud, the UK’s national fraud and cyber crime reporting centre, have seen particular increases in two types of fraud that consumers should be aware of.

Port-Out Fraud

Following TSB’s computer system update the number of reports relating to ‘port out’ fraud has increased, and customers are being urged to be vigilant.

What is Port-Out Fraud?

If you have ever changed your mobile network and kept the same number, your provider will have done so using ‘Number Porting’ – the technical term for keeping an existing phone number and transferring it to a new SIM Card.

Your existing network provider will send you a Port Authorisation Code, known as a PAC.  This code is then shown to the new company, allowing the number to be transferred across.  However, this system is vulnerable to fraud, and it is possible for hackers to steal your number and take over your mobile account.

They may do so by contacting your service provider and impersonating you either over the phone or in store.  They will ask your provider to port your number to a new SIM that they have access to, giving them control of your number.  With access to your number, fraudsters can reset passwords or use it to access any two-factor authentication service, often used by banks and credit card providers.

The sums of money stolen by this type of fraud are often very large.  After initially dismissing text messages from their network provider containing a PAC number, one victim found that £6,000 had been stolen from their TSB current account.

The victim subsequently found out that someone had contacted their phone provider whilst impersonating them, cancelled their contract and transferred the number to a new SIM.

Smishing (SMS phishing)

Whilst most are becoming wiser to email scams, people have a tendency to trust a text message more than an email.  Phishing messages received via text can be very sophisticated to the point they will appear in an existing message thread – tricking people into thinking that they’re a genuine communication.

Since the start of May when TSB experienced IT issues, there has been an increase of 970% in reports of phishing relating to TSB.

The most common phishing scams involve a victim receiving a text message purporting to be from TSB, requesting that the recipient clicks onto a website link. This link will lead to a fake website designed to steal online banking details.

As with the Number Porting scam, some victims are loosing large amounts of money.  One victim lost nearly £4,000 after receiving a text message claiming to be from TSB. Fraudsters used specialist software which changed the sender ID on the message so that it looked like it was from TSB, and the message was added to an existing TSB message thread on the victim’s phone.

The victim clicked on the link within the text message and entered their personal information. Armed with this information, the fraudsters then called the victim back and persuaded them to hand over their banking authentication code from their mobile phone. The fraudsters then moved all of the victim’s savings to a current account and paid a suspicious company.

Mike Wright, Partner at Quantuma has this advice for anyone concerned  about messages or emails they receive:

  • “If you receive a PAC Code notification you weren’t expecting – immediately contact your network provider and terminate the request and notify your bank about your phone number being compromised
  • Don’t automatically click on links you get in an unexpected text or email.
  • Even if a message appears in an existing thread or from someone in your address book, be aware that it could be spoofed. It always pays to double check with the sender.
  • TSB, or any bank, will never ask for a PIN, password or full memorable information by email or text.”

If you have been affected by this, or any other type of fraud, report it to Action Fraud by calling 0300 123 2040, or visiting

(Information provided from the National Fraud Intelligence Bureau and City of London Police)

About us

Quantuma’s investigators work with leading law firms, financial institutions and organisations, advising on complex multi-jurisdictional matters including fraud, litigation, debt/asset recovery, arbitration and corporate.

For more information contact:

Mike Wright, Partner
Quantuma LLP, High Holborn House, 52-54 High Holborn, London, WC1V 6RL
Tel: +44 (0)7970 049497