Protecting yourself against fraud

Update for iOS users

Our ability to protect you from fraudulent links is impacted by iCloud Private Relay.

There are many ways that fraudsters can try to gain access to a customer’s account or their private information. We’re committed to supporting victims of fraud in the following ways:

  • By providing online help pages that detail different types of fraud, guidance on how customers can best protect themselves, and how to report fraud.
  • By working with law enforcement agencies to combat fraudsters and identify current trends.
  • By working with other UK networks and industry partners to combat organised crime and phishing trends.
  • Using our dedicated fraud team to manage customer concerns. We also use a sophisticated suite of systems to monitor and mitigate fraudulent activity.

BBC Scam Safe

Three is a member of Stop Scams UK and is supporting BBC Scam Safe 2024.

We believe that empowering everybody with the tools to help identify scams will help avoid the financial, and emotional, damage caused by this kind of fraud.

1. Don’t respond to any unexpected call, email or text, without checking first. 
If it’s out of the blue, check it’s for you.

  • If it’s a call, hang up, find a number you can trust, and call back on that
  • If it’s your bank, you can call back using the number on the back of your card
  • Or, if concerned, dial 159 to be connected securely to most UK banks

2. Stop and get a second opinion if you’re being forced to make a decision or if you feel rushed

  • No legitimate organisation will object to you asking a friend, family member or colleague for an opinion. Nor will it object to you saying no, or delaying your decision.

3. Report every scam.

  • Even if it didn’t work on you, reporting helps other people
  • Forward suspicious texts to 7726, and emails to report@phishing.gov.uk
  • Report fraud directly to companies involved, so they can alert other customers

For more information go to:

Learn about Three Mobile Protect. Security designed to product you, wherever 
your business takes you.


Stop! Think Fraud

Three is now an official partner of the Stop! Think Fraud national campaign.

The campaign has been developed to streamline and simplify anti-fraud messaging to help protect the British public against fraud.

The campaign aims to:

  • Educate the public on different fraud types and the tactics that might be used against them.
  • Encourage them to take a moment to Stop! Think Fraud when they come into contact with potential fraud, then taking a moment to consider and look into it, before making payments or providing personal details.
  • Empower them by giving them the tools and knowledge to recognise fraudulent behaviour and take action to stop and prevent it.

Learn more about the:


Most common types of fraud

#Spam SMS

Spam messages are usually marketing messages that are sent to you without you requesting them. The people who send these messages may be trying to access your personal information (smishing), sell you a premium rate service, or encourage you to contact them so that you can be referred to another company that will try to sell you something.

Legitimate marketing messages will usually be received from a shortcode or a company that you recognise because in the past you've asked to receive their messages or used a service from them.

Find out more about shortcodes.

Report the message to us by:

  • Forwarding the unwanted message free of charge to 7726.
  • Forwarding the number of the person who sent you the message free of charge to 7726.
  • If you're worried about the spam messages you've received, you can also report your message to the Information Commissioner's Office (ICO) who will be able to help you.
  • It may not be possible for the ICO to follow up individual complaints if you haven't got any details about the company.

Smishing

Text spam (known as SMS Phishing or Smishing for short) is something scammers use to trick you into going to a website or to call a specified number. If you respond, they’ll ask you to provide confidential details, attempt to infect your device with malware, or get you to respond to a premium rate service.

These messages can be very convincing and they might look like they’re from organisations you’ve used before.

Scammers can make Smishing look like genuine messages, but keep an eye out for some of these clues:

Smishing might make you think:

  • You’re going to be locked out of your account, or that your account has been compromised
  • You've won something or can get something for free or at a bargain price if you reply quickly

Remember: you would have to reply to one of these messages to put your device at risk, so they’ll always ask you to take an action.

They might want you to:

  • Click on a link (which might install malware on your device)
  • Enter confidential info like a password or date of birth
  • Phone a number so they can ask you for sensitive info or get you to call a premium rate number

If you think that you have been sent one of these messages don't worry – just remember:

  • Don't click on links unless you're 100% sure they're genuine
  • Think about whether the sender would contact you in this way – most companies won't ask you to confirm bank details over text message
  • Remember that if it looks too good to be true, it probably is

Don't respond to any suspicious messages, you can also report the message by:

  • Forwarding the message to 7726 for free so we can investigate and act.

If you're still not sure, get in touch with the organisation that seems to have sent you the message to see if it's from them.

Just make sure you don't use any of the contact details from the text – go to their website to find more info.

Three will never ask you for personal details. The links we send on our SMS comms will always contain ‘3.UK’ or ‘Three.co.uk’ in the URL. If you receive a message with a variation of these links, please report it. 
 
Find out more information about smishing.

Receiving malicious or nuisance calls

If you receive malicious or nuisance calls, the following action may be useful:

  • If the caller makes a direct threat of harm, call 999. If the threat isn’t immediate, call 101 – the non-emergency number for the police
  • Wait for the caller to speak first
  • Keep calm, don’t talk to the caller and hang up quickly
  • Don’t share any personal information

If you’re worried about receiving malicious or nuisance calls, the following action may be useful:

  • Don’t leave your name and number on your voicemail
  • Don’t reply to texts from numbers you don’t recognise

You can also report the number of the nuisance caller by:

  • Texting CALL followed by the number of the nuisance caller to 7726

For more details on how to manage nuisance calls, please visit:

Ofcom
Telephone Preference Service (TPS)

More types of fraud

Wangiri fraud (a Japanese term meaning “one and cut”) is when a fraudster calls a number and hangs up after one or two rings, which encourages you to call them back. These numbers are often based internationally, so you could receive a charge for calling them back. We're taking the necessary measures to protect and maintain security on our network. However, if you have received an unexpected call from an unknown international number, do the following:

  • Don't answer the phone
  • Don't call the number back
  • Never share any personal information

If you suspect you've received one of these calls, please contact us. When you do, please ensure you include the full number of the call received, country code, and date/time of the call received.

A phishing attack is a scam where people try to get your personal information and use it to commit fraud. Phishing is typically carried out by email, SMS, or through websites that are designed to look like well-known banks or retailers, but are built with the purpose of getting your personal information, such as login details and passwords.

A standard phishing email might warn you that there's a problem with your account and include a link to where you can ‘fix’ the problem. Clicking on links within these emails will take you to websites designed to trick you into entering personal details, such as your password or credit card number. If you give out your personal information to these websites, fraudsters may be able to access your account and set up fraudulent accounts in your name.

Phishing attacks can also happen over the phone where fraudsters pretend to be calling from an organisation such as a bank or retailer. They may ask you to confirm your personal details to continue the call. By asking these questions, they may get enough information to pretend to be you and get through the security checks of your real account with that organisation.

The best way to avoid being the victim of a phishing attack is to be aware of the tricks that scammers use and stay vigilant.

These messages can be really convincing, and they might look like they’re from organisations you’ve used before.

Avoiding a phishing attack

  • Be suspicious of any unexpected phone calls, text messages, or emails asking you about your account or personal information, such as your full name or date of birth. Don't give out any personal information to anyone who has contacted you. Don't follow links attached to an email even if they seem to be from a reputable source.
  • Pay attention to the web address of any website you visit. Malicious websites may look identical to legitimate websites, but the URL may be spelt differently. Or it may have the same spelling but be registered to a different domain, for example .net rather than .com.
  • Don't enter personal information on a website until you have checked that it has a security certification. This may be signposted by a 'Lock' symbol next to the company's name in the URL. If you have any doubts, contact the company directly.
  • If an email seems suspicious, it's a good idea to contact the company directly to check that it's legitimate. Don't use the contact details given in the email or website that's linked to the email. Instead, check your previous emails for contact details
  • Take advantage of any anti-phishing features offered by your email provider and web browser.

Most phones let you see the number of the person calling before you answer, but fraudsters deliberately change their caller ID. This is what’s called spoofing.

Sometimes there's a good reason for a caller to modify the Caller ID, like leaving an 0800 number for the customer to call back. But spoofing callers do this to hide their identity or make you think it's a legitimate call.

For example, identity thieves looking to steal sensitive information such as your bank account or login details might use spoofing to make it look like your bank or credit card company is calling.

Ofcom is working with the international regulators and the telecoms industry to stop this from happening. 

What you can do

Never give out personal information on an incoming call, and don't rely on caller ID to identify a caller, especially if they claim to be from someone like your bank.

Hang up the call and call the company back using their official details – maybe check your account statement or the company's website – to find out if the call was genuine. Try to wait at least 5 minutes before you do this to make sure the line clears and you're not contacting fraudsters.

If you think you've been a victim of call spoofing

  1. Contact Action Fraud

    You can call Action Fraud on 0300 123 2040 (standard call rates apply) Monday to Friday between the hours of 8am to 8pm or visit www.actionfraud.police.uk. Action Fraud is the UK's national reporting centre for fraud and internet crime. Remember, if debit cards, online banking, or cheques are involved in the scam your first step should be to contact your bank or credit card company.

  2. Tell Trading Standards

    If you think something may be a scam, you can call 03454 04 05 06 (standard call rates apply) Monday to Friday between the hours of 9am to 5pm and tell the Citizens Advice Consumer Service, who can pass details of the case on to Trading Standards. The Trading Standards service is responsible for protecting consumers and the community against rogue traders and traders acting unfairly.

  3. The Telephone Preference Services (TPS)

    Register your mobile number with The Telephone Preference Service (TPS), it's a free service and is the official central opt out register where you can choose not to receive unsolicited sales or marketing calls from all companies you have given consent to - https://www.tpsonline.org.uk/tps/number_type.html

This is where a fraudster will take out an account in another person’s name. Usually the fraudster will have access to a person's personal information and/or bank details.

If you suspect new account fraud, please contact us or visit our Report a problem page for more information and support.

This is where a fraudster will gain access to a person’s personal information in order to commit upgrade fraud or take control of an account.

If you suspect account takeover fraud, please contact us or visit our Report a problem Page for more information and support.

This is where a fraudster will gain access to a customer’s phone number by swapping the account to a different SIM card. They will then be able to intercept calls and messages intended for you.

If your SIM card suddenly stops working and your phone says it's not registered, please contact us or visit our Report a problem Page for more information and support.

This is where a fraudster will use your personal information to place a call divert on your phone so that any inbound calls are diverted to them instead.

If you suspect a divert has been placed on your phone without your permission, please contact us or visit our Report a problem Page for more information and support.

Porting fraud is where a fraudster will attempt to transfer your number from Three to another network in order to gain control of your phone number.

If you receive a text about your number being ported without your knowledge, you should please contact us or visit our Report a problem page for more information and support.

Protecting yourself from card fraud

Here are some tips to help you make it tougher for someone to get hold of your cards and card numbers:

  • If you receive an email asking for your card details, don’t click any links in the email and delete it immediately. We’ll never ask you to confirm any financial details by email, so if you receive one it could be an attempt to steal your information and you should never reply.
  • When making online purchases, before entering your card details, make sure the web address uses “https” rather than “http”. Also, make sure that your browser displays a lock icon, similar to the one shown below.
  • Never write down your credit/debit PIN number and remember to always change your default PIN after receiving your card.
  • If someone calls you and you’re unsure of who you’re speaking to, never give your financial details over the phone. If someone calls and claims to be from your bank, offer to call them back on a known number to validate the request and then provide them with the information, once you know the request is genuine.
  • If you change your address, inform your bank immediately.

Fake dealer fraud – or mobile phone contract fraud – is when a scammer calls claiming to be from a mobile phone network. They’ll offer a deal on a popular phone, and if the customer agrees, they’ll think they’ve placed an order. In fact, the scammer will have placed an order with a genuine mobile phone provider, like Three, using the customer’s details.

The customer will receive communications confirming the order’s been placed. But when it arrives, it won’t be the phone the customer ordered. The fraudster will then call and ask the customer to return the phone to an address they provide. They’ll say that they’ll send the correct phone and that the postage will be credited back on their first bill.

However, the return address is fake and the new phone will never arrive. If the customer tries to get in touch with the scam seller, they won’t get through. And when they call the real mobile phone provider, they’ll have no record of the order. They’ll only have the original order that the fraudster made.  
 
You can find more information and get advice on how to protect yourself, by visiting our Mobile phone contract fraud article.