PAYG mobile phone scam?

WARNING of possible scam using pay by mobile phone service.

I have just had money deducted from my 3-2-1 PAYG mobile phone balance by a company claiming that I signed up to a "Fitmate" service at a cost of £3.00 per week.

I am certain that I never signed up for any such service, and most certainly not using my PAYG mobile phone for payment.

I suspect this may be a very clever scam in that the amount is fairly small, so most people will not bother complaining to their mobile phone service provider (as I did).

I was horrified to discover that there is no way that the mobile phone service provider can switch off the option to pay for goods and services using one's mobile phone, nor do they have the capability of recovering any payments or terminating any ongoing payments. Instead I was told that I had to text STOP to the number that the (alleged) scammer provided for this purpose - something that cost me an extra 10p on top of the £3.00 that they had already deducted.

The purpose of this post is to alert others as I feel sure I may not be the only person who will get scammed in this way. I never click indiscriminately on links on websites, in emails or SMS texts, so there is no way that I would have - even inadvertently - enabled this subscription to occur.

The full text of the messages used to scam me is:

Message 1 (timed 13:13 yesterday)
FreeMsg: U have joined to get fit @ (url removed for safety) for £3.00 a week. First 24hrs are free. To cancel text STOP to 83463. Help 03300535848

Message 2 (timed 13:04 today)
FreeMsg: U are a member of Fitmate @ (url removed for safety) for £3.00 a week. Send stop to 83463 to cancel. Help 03300535848

It seems that the second message was sufficient for Three to decide to pay £3.00 from my PAYG balance!

Now I guess I have to wait for the (alleged) scammers to try again, and again, and apparently there's nothing I can do to prevent it! :(

Comments

  • Castle
    According to the number checker, the short code belongs to Tap2Bill Limited:-
    https://psauthority.org.uk/about-us/number-checker
  • paulmu
    I'm sorry you have become a victim of one of these scams. Tap2Bill have been responsible for numerous scams in the past year. It is quite possible that your number was provided via a rogue App on your ‘phone, or you may have clicked on an innocent-looking Ad while browsing the web.

    You need to be aware that while you are connected to the internet via mobile data, your number may be passed by your mobile network to third parties for charging purposes. The mechanism by which this happens is called 'Payforit'.

    This can’t happen while you are connected by WiFi.

    Once the third party has your number they can send you chargeable text messages and, very unfairly in my opinion, it will be your job to argue for a refund!


    The Payforit mechanism was intended to make it easy for consumers to purchase goods and services and have them charged to their 'phone bill. Unfortunately Payforit has proven to be very insecure and hardly a day goes by without someone reporting another scam.


    I have put details of how to deal with these scams on my website at http://payforitsucks.co.uk.



    Unfortunately the mobile network operators have no incentive to bring these scams to an end, as they receive a share of the income from them.

    If you fall victim to one of these scams, the steps you ought to be taking are (with links to detailed instructions):
    1. Stop further charges being made
    2. Get a refund of any charges already taken
    3. Complain to the Phone-paid Services Authority
    4. Protect yourself from further 'charge to bill' scams

    Let me know if I can offer any further help or advice. These scams are a disgrace to the mobile communications industry.

    Paul
    payforitsucks.co.uk
  • Castle
    paulmu wrote: »
    Once the third party has your number they can send you chargeable text messages and, very unfairly in my opinion, it will be your job to argue for a refund!
    But the third party will still be required, (if challenged), to provide proof of consent to receive the text messages; otherwise it would be a breach of the 1998DPA and the PECR2003 regulations.
  • paulmu
    Castle wrote: »
    But the third party will still be required, (if challenged), to provide proof of consent to receive the text messages; otherwise it would be a breach of the 1998DPA and the PECR2003 regulations.

    In theory this is true. IF the Phone-paid Services Authority (PSA) takes up your case they will ask for this evidence. They only take up cases where there are a large number of complaints against the same company, so this is the first stumbling block.

    In previous cases pursued by PSA, the 'service providers' have been found to have falsified this 'evidence'. It's quite hard to tell the difference between a genuine signup where the consumer clicked 'OK' and a case where this was done by a JavaScript exploit without the user's knowledge or consent.
    I'm not aware of any cases which have gone to court to test a consumer's right to demand the evidence and to a refund if this is not provided.
    The essential problem is that the scammers have your money and it can be very difficult if not impossible to get it back.
  • Castle
    paulmu wrote: »
    In theory this is true. IF the Phone-paid Services Authority (PSA) takes up your case they will ask for this evidence. They only take up cases where there are a large number of complaints against the same company, so this is the first stumbling block.
    There's no need to involve the PSA; the customer can simply send a Subject Access Request, (£10 at present, F.O.C after 25th May), and include a request for proof of consent to receive the text messages on their phone number.

    Legally the sender of the message must provide evidence that consent has been specifically given to their company otherwise the text messages are automatically deemed to be unsolicited and in breach of Regulation 22(2) of the PECR2003.
    http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made

    Processing of your phone number without consent is also unlawful under the 1998DPA.
  • paulmu
    Castle wrote: »
    There's no need to involve the PSA; the customer can simply send a Subject Access Request, (£10 at present, F.O.C after 25th May), and include a request for proof of consent to receive the text messages on their phone number.

    Legally the sender of the message must provide evidence that consent has been specifically given to their company otherwise the text messages are automatically deemed to be unsolicited and in breach of Regulation 22(2) of the PECR2003.
    http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made

    Processing of your phone number without consent is also unlawful under the 1998DPA.

    OK I asked for this data back in November 2017 and offered to pay (but did not include) the statutory fee. This request was sent by email, and by Royal Mail signed for service to the registered head office of the company. The request was successfully delivered, so I can prove receipt.
    I haven't even received an acknowledgement. What should I try next?

    You seem very knowledgeable on legal matters. At present the mobile operators hide your consent to pass your number to the 'service providers' in the small print of your contract. Specific consent is not requested. It is currently legal to do this and not to provide an opt-out or specifically request consent.
    Will this change under GDPR?
  • unholyangel
    paulmu wrote: »
    OK I asked for this data back in November 2017 and offered to pay (but did not include) the statutory fee. This request was sent by email, and by Royal Mail signed for service to the registered head office of the company. The request was successfully delivered, so I can prove receipt.
    I haven't even received an acknowledgement. What should I try next?

    You seem very knowledgeable on legal matters. At present the mobile operators hide your consent to pass your number to the 'service providers' in the small print of your contract. Specific consent is not requested. It is currently legal to do this and not to provide an opt-out or specifically request consent.
    Will this change under GDPR?


    Have you read the ICO's website on subject access requests? Specifically, this part:
    Can I charge a fee for dealing with a subject access request?
    Yes, an organisation receiving a subject access request may charge a fee for dealing with it, except in certain circumstances relating to health records. If you choose to charge a fee, you need not comply with the request until you have received the fee. The usual maximum fee you can charge is £10. There are different fee arrangements for organisations that hold credit, health or education records
    You keep using that word. I do not think it means what you think it means - Inigo Montoya, The Princess Bride
  • Castle
    paulmu wrote: »
    OK I asked for this data back in November 2017 and offered to pay (but did not include) the statutory fee. This request was sent by email, and by Royal Mail signed for service to the registered head office of the company. The request was successfully delivered, so I can prove receipt.
    I haven't even received an acknowledgement. What should I try next?

    You seem very knowledgeable on legal matters. At present the mobile operators hide your consent to pass your number to the 'service providers' in the small print of your contract. Specific consent is not requested. It is currently legal to do this and not to provide an opt-out or specifically request consent.
    Will this change under GDPR?


    1) In respect of the missing SAR, you can file a complaint with the ICO.

    2) With regards to the phone contract; unless you're told which service providers your number will be provided to, I can't see how it can be legal.

    The legal case for specific consent is set out in Optical Express v Information Commissioner (EA/2015/0014); where consumers filled in a Thomas Cook Survey and ended up with text messages being sent by Optical Express.

    https://panopticonblog.com/2015/09/03/blindly-fumbling-for-consent-pecr-and-optical-express/
  • Castle
    Have you read the ICO's website on subject access requests? Specifically, this part:
    You missed out the second paragraph which follows your quote:-

    "Although you need not comply with a request until you have received a fee, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay."
  • unholyangel
    Castle wrote: »
    You missed out the second paragraph which follows your quote:-

    "Although you need not comply with a request until you have received a fee, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay."

    The difference is that the part I quoted is backed by legislation, where the part you quoted isn't and is just guidelines given by ICO to data controllers.

    Legislation says:
    (2) A data controller is not obliged to supply any information under subsection (1) unless he has received—
    (a) a request in writing, and
    (b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.
    You keep using that word. I do not think it means what you think it means - Inigo Montoya, The Princess Bride
This discussion has been closed.