Your browser isn't supported
It looks like you're using an old web browser. To get the most out of the site and to ensure guides display correctly, we suggest upgrading your browser now. Download the latest:
Internet Explorer
Google Chrome
Mozilla Firefox

Welcome to the MSE Forums

We're home to a fantastic community of MoneySavers but anyone can post. Please exercise caution & report spam, illegal, offensive or libellous posts/messages: click "report" or email forumteam@.

Main site > Forums > Household & Travel > Consumer Rights > PAYG mobile phone scam?
  • 1.6k views
  • 15 replies
Search
  • FIRST POST
    • User avatar
      User avatar
      diygardener
      • 35Posts
      • 8Thanks
    • diygardener
    • By diygardener 10th Apr 18, 3:19 PM
    • 35Posts
    • 8Thanks

      What's this?

    diygardener
    PAYG mobile phone scam?
    • #1
    • 10th Apr 18, 3:19 PM
    PAYG mobile phone scam? 10th Apr 18 at 3:19 PM
    WARNING of possible scam using pay by mobile phone service.

    I have just had money deducted from my 3-2-1 PAYG mobile phone balance by a company claiming that I signed up to a "Fitmate" service at a cost of £3.00 per week.

    I am certain that I never signed up for any such service, and most certainly not using my PAYG mobile phone for payment.

    I suspect this may be a very clever scam in that the amount is fairly small, so most people will not bother complaining to their mobile phone service provider (as I did).

    I was horrified to discover that there is no way that the mobile phone service provider can switch off the option to pay for goods and services using one's mobile phone, nor do they have the capability of recovering any payments or terminating any ongoing payments. Instead I was told that I had to text STOP to the number that the (alleged) scammer provided for this purpose - something that cost me an extra 10p on top of the £3.00 that they had already deducted.

    The purpose of this post is to alert others as I feel sure I may not be the only person who will get scammed in this way. I never click indescriminately on links on websites, in emails or SMS texts, so there is no way that I would have - even inadvertantly - enabled this subscription to occur.

    Full text of the messages used to scam me are:

    Message 1 (timed 13:13 yesterday)
    FreeMsg: U have joined to get fit @ (url removed for safety) for £3.00 a week. First 24hrs are free. To cancel text STOP to 83463. Help 03300535848

    Message 2 (timed 13:04 today)
    FreeMsg: U are a member of Fitmate @ (url removed for safety) for £3.00 a week. Send stop to 83463 to cancel. Help 03300535848

    It seems that the second message was sufficient for Three to decide to pay £3.00 from my PAYG balance!

    Now I guess I have to wait for the (alleged) scammers to try again, and again, and apparently there's nothing I can do to prevent it!

    Sorry!

    There are currently no thanks for this post.

Page 1
    • User avatar
      User avatar
      Castle
      • 1,761Posts
      • 2,381Thanks
    • Castle
    • By Castle 10th Apr 18, 3:42 PM
    • 1,761 Posts
    • 2,381 Thanks

      What's this?

    Castle
    • #2
    • 10th Apr 18, 3:42 PM
    • #2
    • 10th Apr 18, 3:42 PM
    According to the number checker, the short code belongs to Tap2Bill Limited:-
    https://psauthority.org.uk/about-us/number-checker

    Sorry!

    There are currently no thanks for this post.

    • User avatar
      User avatar
      paulmu
      • 27Posts
      • 10Thanks
    • paulmu
    • By paulmu 11th Apr 18, 12:17 PM
    • 27 Posts
    • 10 Thanks

      What's this?

    paulmu
    • #3
    • 11th Apr 18, 12:17 PM
    Payforit Scams
    • #3
    • 11th Apr 18, 12:17 PM
    I'm sorry you have become a victim of one of these scams.Tap2Bill have been responsible for numerous scams in the past year. It is quite possible that your number was provided via a rogue App on your ‘phone, or you may have clicked on an innocent looking Ad while browsing the web.

    You need to be aware that while you are connected to the internet via mobile data, your number may be passed by your mobile network to third parties for charging purposes. The mechanism by which this happens is called 'Payforit'.

    This can’t happen while you are connected by WiFi.

    Once the third party has your number they can send you chargeable text messages and, very unfairly in my opinion, it will be your job to argue for a refund!


    The Payforit mechanism was intended to make it easy for consumers to purchase goods and services and have them charged to their 'phone bill. Unfortunately Payforit has proven to be very insecure and hardly a day goes by without someone reporting another scam.


    I have put details of how to deal with these scams on my website at http://payforitsucks.co.uk.



    Unfortunately the mobile network operators have no incentive to bring these scams to an end, as they receive a share of the income from them.

    If you fall victim to one of these scams, the steps you ought to be taking are (with links to detailed instructions):
    1. Stop further charges being made
    2. Get a refund of any charges already taken
    3. Complain to the Phone-paid Services Authority
    4. Protect yourself from further 'charge to bill' scams

    Let me know if can offer any further help or advice. These scams are a disgrace to the mobile communications industry.

    Paul
    payforitsucks.co.uk

    Users saying Thanks (1)

    • User avatar
      User avatar
      Castle
      • 1,761Posts
      • 2,381Thanks
    • Castle
    • By Castle 11th Apr 18, 2:32 PM
    • 1,761 Posts
    • 2,381 Thanks

      What's this?

    Castle
    • #4
    • 11th Apr 18, 2:32 PM
    • #4
    • 11th Apr 18, 2:32 PM
    Once the third party has your number they can send you chargeable text messages and, very unfairly in my opinion, it will be your job to argue for a refund!
    Originally posted by paulmu
    But the third party will still be required, (if challenged), to provide proof of consent to receive the text messages; otherwise it would be breach of the 1998DPA and the PECR2003 regulations.

    Users saying Thanks (1)

    • User avatar
      User avatar
      paulmu
      • 27Posts
      • 10Thanks
    • paulmu
    • By paulmu 11th Apr 18, 3:13 PM
    • 27 Posts
    • 10 Thanks

      What's this?

    paulmu
    • #5
    • 11th Apr 18, 3:13 PM
    Payforit scams
    • #5
    • 11th Apr 18, 3:13 PM
    But the third party will still be required, (if challenged), to provide proof of consent to receive the text messages; otherwise it would be breach of the 1998DPA and the PECR2003 regulations.
    Originally posted by Castle
    In theory this is true. IF the Phone-paid Services Authority (PSA) takes up your case they will ask for this evidence. They only take up cases where there are a large number of complaints against the same company, so this is the first stumbling block.

    In previous cases pursued by PSA, the 'service providers' have been found to have falsified this 'evidence'. It's quite hard to tell the difference between a genuine signup where the consumer clicked 'OK' and a case where this was done by Javascript exploit without the user's knowledge or consent.
    I'm not aware of any cases which have gone to court to test a consumer's right to demand the evidence and to a refund if this is not provided.
    The essential problem is that the scammers have your money and it can be very difficult if not impossible to get it back.

    Sorry!

    There are currently no thanks for this post.

    • User avatar
      User avatar
      Castle
      • 1,761Posts
      • 2,381Thanks
    • Castle
    • By Castle 11th Apr 18, 5:28 PM
    • 1,761 Posts
    • 2,381 Thanks

      What's this?

    Castle
    • #6
    • 11th Apr 18, 5:28 PM
    • #6
    • 11th Apr 18, 5:28 PM
    In theory this is true. IF the Phone-paid Services Authority (PSA) takes up your case they will ask for this evidence. They only take up cases where there are a large number of complaints against the same company, so this is the first stumbling block.
    Originally posted by paulmu
    There's no need to involve the PSA; the customer can simply send a Subject Access Request, (£10 at present, F.O.C after 25th May), and include a request for proof of consent to receive the text messages on their phone number.

    Legally the sender of the message must provide evidence that consent has been specifically given to their company otherwise the text messages are automatically deemed to be unsolicited and in breach of Regulation 22(2) of the PECR2003.
    http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made

    Processing of your phone number without consent is also unlawful under the 1998DPA.

    Users saying Thanks (1)

    • User avatar
      User avatar
      paulmu
      • 27Posts
      • 10Thanks
    • paulmu
    • By paulmu 11th Apr 18, 7:06 PM
    • 27 Posts
    • 10 Thanks

      What's this?

    paulmu
    • #7
    • 11th Apr 18, 7:06 PM
    Payforit Scams
    • #7
    • 11th Apr 18, 7:06 PM
    There's no need to involve the PSA; the customer can simply send a Subject Access Request, (£10 at present, F.O.C after 25th May), and include a request for proof of consent to receive the text messages on their phone number.

    Legally the sender of the message must provide evidence that consent has been specifically given to their company otherwise the text messages are automatically deemed to be unsolicited and in breach of Regulation 22(2) of the PECR2003.
    http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made

    Processing of your phone number without consent is also unlawful under the 1998DPA.
    Originally posted by Castle
    OK I asked for this data back in November 2017 and offered to pay (but did not include) the statutory fee. This request was sent by email, and by Royal Mail signed for service to the registered head office of the company. The request was successfully delivered, so I can prove receipt.
    I haven't even received an acknowledgement. What should I try next?

    You seem very knowledgeable on legal matters. At present the mobile operators hide your consent to pass your number to the 'service providers' in the small print of your contract. Specific consent is not requested. It is currently legal to do this and not to provide an opt-out or specifically request consent.
    Will this change under GDPR?

    Sorry!

    There are currently no thanks for this post.

    • User avatar
      User avatar
      unholyangel
      • 12,416Posts
      • 9,714Thanks
    • unholyangel
    • By unholyangel 11th Apr 18, 8:05 PM
    • 12,416 Posts
    • 9,714 Thanks

      What's this?

    unholyangel
    • #8
    • 11th Apr 18, 8:05 PM
    • #8
    • 11th Apr 18, 8:05 PM
    OK I asked for this data back in November 2017 and offered to pay (but did not include) the statutory fee. This request was sent by email, and by Royal Mail signed for service to the registered head office of the company. The request was successfully delivered, so I can prove receipt.
    I haven't even received an acknowledgement. What should I try next?

    You seem very knowledgeable on legal matters. At present the mobile operators hide your consent to pass your number to the 'service providers' in the small print of your contract. Specific consent is not requested. It is currently legal to do this and not to provide an opt-out or specifically request consent.
    Will this change under GDPR?
    Originally posted by paulmu

    Have you read the ICO's website on subject access requests? Specifically, this part:
    Can I charge a fee for dealing with a subject access request?
    Yes, an organisation receiving a subject access request may charge a fee for dealing with it, except in certain circumstances relating to health records. If you choose to charge a fee, you need not comply with the request until you have received the fee. The usual maximum fee you can charge is £10. There are different fee arrangements for organisations that hold credit, health or education records
    Money doesn't solve poverty.....it creates it.

    Sorry!

    There are currently no thanks for this post.

    • User avatar
      User avatar
      Castle
      • 1,761Posts
      • 2,381Thanks
    • Castle
    • By Castle 11th Apr 18, 8:13 PM
    • 1,761 Posts
    • 2,381 Thanks

      What's this?

    Castle
    • #9
    • 11th Apr 18, 8:13 PM
    • #9
    • 11th Apr 18, 8:13 PM
    OK I asked for this data back in November 2017 and offered to pay (but did not include) the statutory fee. This request was sent by email, and by Royal Mail signed for service to the registered head office of the company. The request was successfully delivered, so I can prove receipt.
    I haven't even received an acknowledgement. What should I try next?

    You seem very knowledgeable on legal matters. At present the mobile operators hide your consent to pass your number to the 'service providers' in the small print of your contract. Specific consent is not requested. It is currently legal to do this and not to provide an opt-out or specifically request consent.
    Will this change under GDPR?
    Originally posted by paulmu

    1) In respect of the missing SAR, you can file a complaint with the ICO.

    2) With regards to the phone contract; unless you're told which service providers your number will be provided to, I can't see how it can be legal.

    The legal case for specific consent is set out in Optical Express v Information Commissioner (EA/2015/0014); where consumers filled in a Thomas Cook Survey and ended up with text messages being sent by Optical Express.

    https://panopticonblog.com/2015/09/03/blindly-fumbling-for-consent-pecr-and-optical-express/

    Users saying Thanks (1)

    • User avatar
      User avatar
      Castle
      • 1,761Posts
      • 2,381Thanks
    • Castle
    • By Castle 11th Apr 18, 8:19 PM
    • 1,761 Posts
    • 2,381 Thanks

      What's this?

    Castle
    Have you read the ICO's website on subject access requests? Specifically, this part:
    Originally posted by unholyangel
    You missed out the second paragraph which follows your quote:-

    "Although you need not comply with a request until you have received a fee, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay."

    Users saying Thanks (1)

    • User avatar
      User avatar
      unholyangel
      • 12,416Posts
      • 9,714Thanks
    • unholyangel
    • By unholyangel 11th Apr 18, 8:59 PM
    • 12,416 Posts
    • 9,714 Thanks

      What's this?

    unholyangel
    You missed out the second paragraph which follows your quote:-

    "Although you need not comply with a request until you have received a fee, you cannot ignore a request simply because the individual has not sent a fee. If a fee is payable but has not been sent with the request, you should contact the individual promptly and inform them that they need to pay."
    Originally posted by Castle
    The difference is that the part I quoted is backed by legislation, where the part you quoted isn't and is just guidelines given by ICO to data controllers.

    Legislation says:

    (2)A data controller is not obliged to supply any information under subsection (1) unless he has received—
    (a)a request in writing, and
    (b)except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.
    Money doesn't solve poverty.....it creates it.

    Sorry!

    There are currently no thanks for this post.

    • User avatar
      User avatar
      diygardener
      • 35Posts
      • 8Thanks
    • diygardener
    • By diygardener 13th Apr 18, 9:02 PM
    • 35 Posts
    • 8 Thanks

      What's this?

    diygardener
    Thank you everyone for your suggestions. I have now reported this scam to Action Fraud and have a crime reference number which I have passed on to customer services at "Three".

    I guess I've probably spent more on phone calls reporting this than I lost in the original scam, but I have at least made it perfectly clear to "Three" that I consider them complicit in this scam by not allowing me any way to opt out of the PayForIt service. I think they now understand I am taking this seriously. Being a PAYG customer means I have no itemised bill to refer to which makes it extremely easy for the fraudsters to get away with it undetected.

    Am I correct in assuming that PayForIt transactions are not regulated by the Financial Conduct Authority?

    Anyway - I now wait to see what will happen on Tuesday when the next "subscription" of £3.00 might fall due. I shall be checking my PAYG balance regularly and will report back here if any developments.

    In the meantime, please everyone, be on the lookout for this and similar scams. Individual amounts may appear small but if thousands of people are affected, the profits for the scammers could be quite significant.

    Users saying Thanks (2)

    • User avatar
      User avatar
      boliston
      • 2,642Posts
      • 2,185Thanks
    • boliston
    • By boliston 10th May 18, 11:00 PM
    • 2,642 Posts
    • 2,185 Thanks

      What's this?

    boliston
    I have had some fraudulent charges on my mobile bill for the last 2 months - 5 lots of £4.50 from a scam company called "loaded mobi" - they have been useless in trying to resolve it and just sent me an email saying they cannot help me as I consented to the charges (i certainly did not!) - three have been quite helpful and agreed to refund my account in full but it seems annoying that "loaded mobi" can simply steal money from people and get away with it

    Sorry!

    There are currently no thanks for this post.

    • User avatar
      User avatar
      AndyPix
      • 3,644Posts
      • 2,850Thanks
    • AndyPix
    • By AndyPix 11th May 18, 9:27 AM
    • 3,644 Posts
    • 2,850 Thanks

      What's this?

    AndyPix
    Call your provider and tell them to put a premium rate bar on your number then carry on with life
    Running with scissors since 1978

    Sorry!

    There are currently no thanks for this post.

    • User avatar
      User avatar
      paulmu
      • 27Posts
      • 10Thanks
    • paulmu
    • By paulmu 11th May 18, 9:59 AM
    • 27 Posts
    • 10 Thanks

      What's this?

    paulmu
    I have had some fraudulent charges on my mobile bill for the last 2 months - 5 lots of £4.50 from a scam company called "loaded mobi" - they have been useless in trying to resolve it and just sent me an email saying they cannot help me as I consented to the charges (i certainly did not!) - three have been quite helpful and agreed to refund my account in full but it seems annoying that "loaded mobi" can simply steal money from people and get away with it
    Originally posted by boliston
    You are not alone in reporting the ‘loaded mobi’ scam. It has been reported on other forums and on Twitter. Some people have succeeded in getting a refund from them, but it required persistence. Just because you received a ‘goodwill gesture’ from Three you are not precluded from seeking a refund from LoadedMobi.


    Loaded Mobi is just one of a number of ‘Payforit’ scams. Before charging to you phone account, these companies are supposed to obtain your consent via an online signup process.


    You need to be aware that while you are connected to the internet via mobile data, your number may be passed by Three to third parties for charging purposes. The mechanism by which this happens is called 'Payforit'. This can’t happen while you are connected by WiFi. Once the third party has your number they can send you chargeable text messages.
    If you read the small print of your agreement with Three you will find consent to do this hidden in there. I’m not sure how this sneaky method of obtaining permission to pass information to a third party will square with the GDPR.


    The Payforit mechanism was intended to make it easy for consumers to purchase goods and services and have them charged to their 'phone bill. Unfortunately Payforit has proven to be very insecure and hardly a day goes by without someone reporting another ‘Payforit’ scam.


    The problem is that there are various ways of abusing this system. Malicious javascript embedded in a web page can obscure the information which is supposed to be displayed. So for example you can get ‘subscribed’ by clicking start on a video. This is called ‘clickjacking’. A more recent exploit has been the embedding of code into mobile phone Apps which silently sign you up to these services.


    When these companies make charges to your mobile phone, nobody checks that they have consent to do so. It is like someone walking into your bank, armed with only your account number, and claiming that they have consent to take money out of your account. They wouldn’t get far with your bank, but Three and the other mobile networks just hand the money over.


    If they refuse a refund, the company who took your money should provide you with proof of your consent. Usually, faced with this demand they refund. Ultimately, the only way of forcing the issue is to pursue a legal claim. Thy will then be forced to either prove consent or pay back your money.


    In order to limit the damage and the level of consumer dissatisfaction, the regulator (The Phone-paid Services Authority) requires all subscriptions costing more than £4.50 per week to have a ‘double opt-in’. This means that a PIN number is sent to your phone and you are required to enter the PIN to complete the payment. This, of course, makes it much more difficult to use Javascript exploits or rogue Apps to sign up consumers fraudulently. No surprise then that the majority of ‘Payforit’ scams are for £4.50 per week!


    EE recently imposed a requirement for a double opt-in on ALL subscription services which should give better protection to their customers. Unlike Three, EE will allow their customers to opt out of ‘charge to bill’ which will prevent these charges.



    The Phone-paid Services Authority (PSA) regulates companies operating via ‘Payforit’. They are a regulator and not an ombudsman, and will not assist consumers individually. However, they do investigate reports and take action including fines of up to £400,000 in the worst cases. It is worth reporting scams to the PSA but don’t expect too much!


    Unlike most networks, Three will not allow you to opt out of third party charges. If you want to remain a Three customer you have no choice but to expose yourself to this extremely vulnerable system.
    Dealing with these scams is time consuming and frustrating. In 2012, the networks provided a document in evidence to Ofcom called Mobile Operators’ Code of Practice for the management and operation of PFI. It states:
    “Each mobile operator will take responsibility for ensuring that customer queries and complaints are dealt with in accordance with their regulatory obligations under General Condition 14. This includes resolving complaints directly or ensuring that the API or merchant clients resolve them in accordance with its internal processes and contractual obligations. If there is an allegation that an API or merchant is not properly dealing with the complaint, a mobile operator will secure resolution of that complaint directly.”
    The assurance given in the last sentence of this paragraph is not happening in practice.


    The Consumer Rights Act 2015 provides specific requirements for refunds for digital content. In particular Section 45(3) of the act requires that the refund be made back to the account from which the money was taken. This is not happening in practice. I have heard of refunds being made by text based postal order, Paypal or Bank Transfer. The method is either inconvenient or required giving additional personal information to the company. Section 45(4) of the Act requires that refunds be provided within 14 days of the agreement to refund. In practice this is rarely complied with. Refunds are promised, but need to be continually chased.


    I have created a website http://payforitsucks.co.uk to assist consumers when they have problems with ‘Payforit’ scams and to campaign for this system to be reformed to provide proper consumer protection.

    Sorry!

    There are currently no thanks for this post.

    • User avatar
      User avatar
      paulmu
      • 27Posts
      • 10Thanks
    • paulmu
    • By paulmu 11th May 18, 10:03 AM
    • 27 Posts
    • 10 Thanks

      What's this?

    paulmu
    Call your provider and tell them to put a premium rate bar on your number then carry on with life
    Originally posted by AndyPix

    Whatever you do DON'T rely on a Premium rate bar to protect you from 'Payforit' scams. The effect will be that you will not see the texts, but WILL still be charged. Three admit that they cannot stop these charges. Some of the other networks can. You need to ask for a 'Charge to Bill' bar. I believe that O2, Vodafone and EE can offer such a bar.

    Sorry!

    There are currently no thanks for this post.

Welcome to our new Forum!

Our aim is to save you money quickly and easily. We hope you like it!

Forum Team Contact us

Live Stats

562Posts Today

5,803Users online

Martin's Twitter
NewsBlog