O2 GDPR Letter


Telefónica UK Limited
 Correspondence Department
 PO BOX 694
 Winchester
 SO23 5AP

DPO@O2.com

 Dear Sir or Madam

Information rights concern – Payforit API


I am concerned that you are not handling my personal information properly.

My concerns relate to the operation of the Payforit payment mechanism on your network. I have recently been the victim WAP Billing fraud through the Payforit mechanism which you operate. The system has a serious vulnerability which means that clickjacking and iFraming exploits embedded in a malicious webpage can result in consumers becoming unknowingly subscribed to Payforit subscription services. This vulnerability only applies when the consumer is accessing the internet via mobile data and results directly from the fact that O2 supply the consumer’s phone number to the API.

In case you are unfamiliar with this, here is a link to the Payforit rules. If you refer to page 10 you will see that the processing includes a step where “At the same time, the mobile number of the consumer is transferred to the API by the consumer’s mobile network. “. This cannot happen if I access the same website using a WiFi connection.

In my own case I became subscribed to ..

[Give details of your own case. Include the name of the company, the name of the service, the amount you lost, and any problems you had obtaining a refund.]

I would like to know the basis on which this specific processing (the passing of my phone number to a third party via the Payforit API) is being carried out. I have never given explicit consent for this, so assume that it is being processed on a “legitimate interests” basis. I understand that this processing reduces the “friction” in purchasing certain phone paid services and that O2 may seek to claim this is a “legitimate interest”. However it is not necessary, as it is quite possible for me to purchase those same services via a WiFi connection without O2 compromising my phone number in this way.

If mine was an isolated case I would be less concerned. However it would appear that this mechanism is subject to widespread abuse and is being used as a method of defrauding consumers. To see the extent of the problem take a look at these links:

https://uk.trustpilot.com/review/lasevia.com

https://uk.trustpilot.com/review/www.ferdamia.com

https://uk.trustpilot.com/review/sb7mobile.com

https://uk.trustpilot.com/review/nuyoo.co

https://uk.trustpilot.com/review/fitguru.tv

https://community.o2.co.uk/t5/Pay-Monthly/Nexgen-Ltd/m-p/1197558

https://community.o2.co.uk/t5/forums/searchpage/tab/message?q=payforitsucks&sort_by=-topicPostDate&collapse_discussion=true

I’m sure that the regulator, the Phone-paid Services Authority will have logged many similar cases.

I think you’ll agree that the scale of the problem is quite shocking and that something needs to be done.

It might also be worth mentioning to you that EE had a problem with WAP billing fraud (including, but not limited to Payforit) prior to February 2018, when they introduced a requirement for additional verification of the consumer’s consent to charge. This has virtually eliminated Payforit fraud on the EE network. A request on the O2 forum for a similar measure has so far fallen on deaf ears. https://community.o2.co.uk/t5/Discussions-and-Feedback/Premium-rate-services-petition-to-O2/td-p/1188385/highlight/false

It is largely as a result of your failure to protect customers from harm that I am making this complaint.

It is largely as a result of your failure to protect customers from harm that I am making this complaint. Under the Payforit rules, customers are supposed to be able to “escalate” Payforit disputes to you in the event that they are unable to get a satisfactory resolution for the “service provider”. This method of redress is being routinely denied by your Customer Services staff.

Payforit is a method of charge to mobile. The words of reassurance on your website ring rather hollow.

Rogue code embedded in a web page can result in a consumers phone number being passed to a third party, via the Payforit API without them even being aware that this has happened. I believe that the disclosure of consumers phone numbers to third parties by the Payforit API does not fall under the legitimate interest basis for lawful processing. This disclosure is causing considerable consumer harm and is unnecessary. Indeed, I can see no valid reason for not allowing consumers to opt out of this disclosure. The effect would not be noticed by the vast majority of consumers but Payforit fraud could be virtually eliminated.

Please ensure that your response is specific to the Payforit API. I’m not making a general enquiry about disclosure to third parties or seeking to dispute your right to pass my phone number for other legitimate reasons.

The ICO says the following about the legitimate interests basis: (my comments in italics)

·  It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

I do not believe that consumers would expect their phone number to be passed to a third party when they click a link on a website. Even when the Payforit mechanism is used legitimately it is not made clear that this is what will happen. Indeed there have been instances where your customer services staff don’t even realise that this is happening!

There is a clear privacy impact which results in consumers receiving unexpected charges which are almost impossible to get refunded.

·  If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

I would like to see evidence that you have properly balanced the interests of consumers against your business interests in your consideration of this particular mechanism. Note that I am talking solely about disclosure of phone numbers via the Payforit API and not any other mechanism.

·  There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

I would like to see evidence that this three part test has been applied to the disclosure of phone numbers via the Payforit API.

·  The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

·  The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

I do not believe that this processing is necessary. The Payforit API provides for an alternative processing stream to be used when the consumer’s phone number is not provided by the network. Ceasing to compromise consumers phone numbers in this way would not prevent consumers from subscribing to legitimate services, but would dramatically reduce Payforit fraud.

·  You must balance your commercial interests against those of the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Consumers DO NOT expect their phone numbers to be compromised in this way. There IS evidence of considerable consumer harm resulting from this processing. The consumer harm is exacerbated by your company’s refusal to assist victims of Payforit fraud, leaving them to try to obtain refunds from companies often based in jurisdictions where legal action for small claims is almost impossible. I’d like some reassurance that in balancing individual interests against those of the company the widespread incidence of Payforit fraud was considered.

·  Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

I would like to see a copy of your legitimate interests assessment of the disclosures involved in the operation of the Payforit API.

·  You must include details of your legitimate interests in your privacy

I can find no specific mention of this processing in your privacy policy.  It is disingenuous to lump this in with other disclosures to third parties, as the circumstances of the disclosure, and the harm resulting from it are entirely different.

In addition asking you to consider this complaint and answer the points contained within it, I am objecting to you making my phone number available through the Payforit API and asking that you cease doing so.

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [Your Phone No.].

I’d appreciate confirmation that this email has been received, together with the name of the current Data Protection Officer.

Yours sincerely

Paul XXXXXXX

paul@payforitsucks.co.uk

GDPR Template Letter for GiffGaff


Data Protection Officer
Giffgaff Ltd
Belmont House
Belmont Road
Uxbridge
UB8 1HE

Dear Sir or Madam

Information rights concern – Payforit API


I am concerned that you are not handling my personal information properly.

My concerns relate to the operation of the Payforit payment mechanism on your network. I have been helping numerous consumers who have been the victim of WAP Billing fraud through the Payforit mechanism which you operate. The system has a serious vulnerability which means that clickjacking and iFraming exploits embedded in a malicious webpage can result in consumers becoming unknowingly subscribed to Payforit subscription services. This vulnerability only applies when the consumer is accessing the internet via mobile data and results directly from the fact that GiffGaff supply the consumer’s phone number to the API.

In case you are unfamiliar with this, here is a link to the Payforit rules. If you refer to page 10 you will see that the processing includes a step where “At the same time, the mobile number of the consumer is transferred to the API by the consumer’s mobile network. “. This cannot happen if I access the same website using a WiFi connection.

I would like to know the basis on which this specific processing (the passing of my phone number to a third party via the Payforit API) is being carried out. I have never given explicit consent for this, so assume that it is being processed on a “legitimate interests” basis. I understand that this processing reduces the “friction” in purchasing certain phone paid services and that GiffGaff may seek to claim this is a “legitimate interest”. However it is not necessary, as it is quite possible for me to purchase those same services via a WiFi connection without GiffGaff compromising my phone number in this way.

We are not dealing with a few isolated cases here. If we were I would be less concerned. However it would appear that this mechanism is subject to widespread abuse and is being used as a method of defrauding consumers. To see the extent of the problem on the GiffGaff network, follow this link: https://community.giffgaff.com/t5/forums/searchpage/tab/message?q=payforit&sort_by=-topicPostDate&collapse_discussion=true

I think you’ll agree that the scale of the problem, on GiffGaff’s network  at least, is quite shocking!

I’m sure that the regulator, the Phone-paid Services Authority will have logged many similar cases.

It might also be worth mentioning to you that EE had a problem with WAP billing fraud (including, but not limited to Payforit) prior to February 2018, when they introduced a requirement for additional verification of the consumer’s consent to charge. This has virtually eliminated Payforit fraud on the EE network. A request for GiffGaff to take similar measures has fallen on deaf ears! https://labs.giffgaff.com/idea/16712363/require-2-factor-authentication-to-sign-up-for-payforit-texts?c=1#c86719 It is largely as a result of your failure to protect members from harm that I am making this complaint.

Rogue code embedded in a web page can result in a consumers phone number being passed to a third party, via the Payforit API without them even being aware that this has happened. I believe that the disclosure of consumers phone numbers to third parties by the Payforit API does not fall under the legitimate interest basis for lawful processing. This disclosure is causing considerable consumer harm and is unnecessary. Indeed, I can see no valid reason for not allowing consumers to opt out of this disclosure. The effect would not be noticed by the vast majority of consumers but Payforit fraud could be virtually eliminated.

Please ensure that your response is specific to the Payforit API. I’m not making a general enquiry about disclosure to third parties or seeking to dispute your right to pass my phone number for other legitimate reasons.

The ICO says the following about the legitimate interests basis: (my comments in italics)

·  It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

I do not believe that consumers would expect their phone number to be passed to a third party when they click a link on a website. Even when the Payforit mechanism is used legitimately it is not made clear that this is what will happen. Indeed there have been instances where your customer services staff don’t even realise that this is happening! There is a clear privacy impact which results in consumers receiving unexpected charges which are almost impossible to get refunded.

·  If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

I would like to see evidence that you have properly balanced the interests of consumers against your business interests in your consideration of this particular mechanism. Note that I am talking solely about disclosure of phone numbers via the Payforit API and not any other mechanism.

·  There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

I would like to see evidence that this three part test has been applied to the disclosure of phone numbers via the Payforit API.

·  The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

·  The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

I do not believe that this processing is necessary. The Payforit API provides for an alternative processing stream to be used when the consumers phone number is not provided by the network. Ceasing to compromise consumers phone numbers in this way would not prevent consumers from subscribing to legitimate services, but would dramatically reduce Payforit fraud.

·  You must balance your commercial interests against those of the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Consumers DO NOT expect their phone numbers to be compromised in this way. There IS evidence of considerable consumer harm resulting from this processing. The consumer harm is exacerbated by your company’s refusal to assist victims of Payforit fraud, leaving them to try to obtain refunds from companies often based in jurisdictions where legal action for small claims is almost impossible. I’d like some reassurance that in balancing individual interests against those of the company the widespread incidence of Payforit fraud was considered.

·  Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.

I would like to see a copy of your legitimate interests assessment of the disclosures involved in the operation of the Payforit API.

·  You must include details of your legitimate interests in your privacy

I can find no specific mention of this processing in your privacy policy.  It is disingenuous to lump this in with other disclosures to third parties, as the circumstances of the disclosure, and the harm resulting from it are entirely different.

In addition to asking you to consider this complaint and answer the points contained within it, I am objecting to you making my phone number available through the Payforit API and asking that you cease doing so.

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number 07803 XXXXXX.

I’d appreciate confirmation that this email has been received, together with the name of the current Data Protection Officer.

Yours sincerely

Paul XXXXXXX

paul@payforitsucks.co.uk

GDPR issues

It has become apparent that the passing of phone numbers via the Payforit API could be considered a breach of GDPR. There is no guarantee that such a challenge will succeed, but I can see no good reason not to try. The regulations around this are complex and are often misunderstood. Victims of Payforit scams are often convinced that a breach of GDPR has occurred because they never gave explicit consent for their phone number to be given to third parties. If only it were so simple!

There are six bases on which personal data may be lawfully processed under GDPR. These are described as follows by the ICO:

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The two bases most likely to apply are “Consent” and “Legitimate interests”. As explicit consent has not been sought, it seems inevitable that the networks will try to justify their processing using the “legitimate interests” basis.

This is where things get a bit complicated. The networks do have legitimate interests in passing your phone number to third parties when, for example, you use a directory enquiries service, or make a text donation donation to children in need, or even when you make an international call which is handled by a third party. This use is entirely legitimate. Our phone service would cease to function if data wasn’t transferred in this way.

The case of the Payforit API is different. The processing is not necessary, as it is quite possible to sign up for phone-paid service without your number being supplied by your network.

The ICO requires that for use of the “legitimate interests” basis a three part test is applied:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the individual’s interests override the legitimate interest?

The networks are likely to argue that reducing “friction” in the purchase of Phone-paid Services is a legitimate interest, so the Purpose test will be passed.

The Necessity test is more complex. It is NOT necessary for the networks to pass phone numbers to third parties through the API. They do it because it makes things a little simpler for the consumer. However it is not necessary.

The Balancing test is where I believe the networks will loe the argument. There is a great deal of evidence that the disclosure of consumers phone numbers through the Payforit API is causing consumer harm. This harm surely outweighs the minor incovenience of an extra step for consumers who really want to sign up for these services.

Indeed, it is hard to see any reason why consumers should not be allowed to opt-out of having their phone numbers passed to the API.

It is likely that the networks will try to confuse the issue by talking about the more general issue of passing data to third parties. In any complaint it will be necessary to be absolutely clear that we are talking about the Payforit API and nothing else.

GiffGaff Letter

I have drafted a letter which has been sent to GiffGaff’s Data Protection Officer, highlighting my concerns. They are currently considering their position. I expect to be able to post their response by the end of March.

This is a Microsoft Word document which you can download and adapt to your needs. The html version is here.

O2 Letter

This is a letter which you can use to make a GDPR complaint if you have been defrauded via Payforit. You will, of course need to amend it to suit your own situation, but it contains the essential framework to ensure your complaint is taken seriously.


This is a Microsoft Word document which you can download and adapt to your needs. The html version is here.

Phone-paid Services Authority consultation on subscription services

This consultation is now complete. The PSA have published a report based on it. The report is here.

The various responses, including the payforitsucks.co.uk response can be seen here.

The payforitsucks.co.uk response has been redacted. The unredacted version can be seen below.

The report is quite encouraging. It fails to fully recognise the extent of Payforit fraud, maintaining the pretence that most complaints are the result of “inadvertent” subscription rather than fraudulent subscription. However, it does recognise that, the levels of complaints arising from abuse of the Payforit mechanism are unsustainable.

The most important result is that PSA are now consulting on a proposal to amend the rules to require 2 factor authorisation for all Payforit subscriptions.

The proposal is here.

There is a response form for responding to this consultation. I’ll post my advice concerning this within the next few days. Please do respond. The PSA need to understand that they now HAVE to act.

My response

Q1: What are your views on the review objectives set out on page 4? Has the PSA got the right scope or are there areas the PSA should include or exclude?

Unfortunately, current consumer experience with Phone-paid subscription services is overwhelmingly negative. It is hard to find any positive reviews of these services online. A look at the Trustpilot reviews of SB7 Mobile Ltd and Lasevia Ltd will show numerous negative reviews from consumers who believe themselves to be defrauded and not a single positive review (at the time of writing). Indeed, SB7 Mobile Ltd have sought to suppress valid criticism, rather than answer it.

This suggests that compliance with the regulatory framework is failing to protect consumers from harm or that compliance is not being properly monitored or enforced.

Q2: Some subscriptions generate high levels of complaints, whereas others with similar numbers of subscribers generate very few. Do you have any views on the regulatory measures that would better support growth and innovation across the subscriptions, whilst ensuring consumers are protected from harm?

Whilst being aware that there are other subscription methods (which generate few complaints), the main source of consumer harm appears to be subscriptions collected via ‘Payforit’ .

Payforit is an archaic and inherently insecure payment mechanism. It has not adapted to reduce the incidence of fraud as other payment mechanisms have. It doesn’t have a centralised service for complaints and disputes. It doesn’t have a refund mechanism. PSA are well aware of these shortcomings, but do nothing to encourage reform. They know that malicious code in a web page, or in a downloaded App can sign users up to these services, without the consumer being aware that it has happened. They have been aware of the use of these exploits for several years, but nothing has been done to prevent them. They sit on their hands instead of being proactive in bringing these frauds to a halt.

Consumers will compare the consumer protection offered by phone paid services with those of other payment methods (Paypal, Contactless Payments, Direct Debits, Credit Cards, Debit Cards etc). The providers of all these payment methods provide clear mechanisms for the resolution of disputed transactions. Payforit and other direct operator billing methods offer no clearly defined or published mechanism for the resolution of disputes.

If I dispute a direct debit with my bank, the burden of proof will rest on the payee to prove that the debit was authorised and not with the payer to prove that it wasn’t! If I report fraudulent transactions to my bank, they will take the matter seriously and put a stop on any further fraudulent payments. The MNOs don’t even offer this minimal level of support. Instead, they ask the consumer to send a message to the fraudster asking them to STOP. To add insult to injury, they are charged for sending this message!

Alternative payment mechanisms also offer a simple refund mechanism.   The  Consumer Rights Act 2015 and the Consumer Contracts Information, Cancellation and Additional Charges) Regulations 2013 both insist that refunds should be made to the account from which the money was originally taken, unless the consumer agrees otherwise. These laws are disregarded by ‘Payforit’ and PSA have indicated that they don’t consider compliance with these laws to be within their remit!

The fact that the ‘Payforit’ mechanism appears to be unable to provide refunds to consumers’ phone accounts makes the receipt of refunds difficult for consumers. I am aware of two methods currently being used for the majority of refunds:

  1. Post Office text based postal order. This has the advantage that the refunding company does not need any additional personal information from the consumer. It is the nearest thing they seem to be able to do to refunding to the consumer’s phone account. However, bearing in mind that the refunds are often for amounts less than £10, the method is disproportionately inconvenient for the consumer. I suspect that a large number of these refunds are never cashed! My wife received  refund by this method and she almost lost the will to live while waiting in the Post Office queue, for a £4.50 refund!
  2. A bank transfer. At the stage at which a refund is agreed, the only piece of personal information the company making the refund has is the phone number involved. Unless it has been willingly given, it doesn’t have any other personal data relating to the person claiming to own the phone number. In order to establish that the phone number which is the subject of the refund actually belongs to the consumer claiming it, it needs to ask for further personal information. Usually a phone bill or some similar document is requested. Some companies omit this step. This omission could be a breach of data protection legislation, as they have no way of being sure that the person they are refunding is the owner of the phone number from which the charges were original taken.

To obtain a refund, the consumer then has to provide bank details to a company which, as they see it, has already defrauded them. Some consumers are dissuaded from claiming a refund because of the amount of (unnecessary) personal data they are asked to supply. If it were possible to simply reverse the original charges, there would be no need for any additional personal information to be supplied.

To illustrate my concerns, I have reproduced below a few recent Social Media comments regarding the refunds issue:

the word stop is the only fix for this and costs 10p as for phoning waste of time and they could ask him for his bank details to give the credit back would you give them your bank details as I wouldn’t.
_______________________________________________________________________________
Lastly, I have just received a text from this scam company saying “We tried to call you back (I did get a missed call). the service has been STOPPED and a Goodwill refund to be issued. ” It goes on to say a refund will be received by SMS within 5 days and I should take it to the Post office who will give me a cash refund. Is this for real?
________________________________________________________________________________
They have now sent me a email agreeing to refund me via a text message that I would have to take into the Post Office to get a refund, they added it can take 10 – 7 days for this to happen, at the moment I have not replied this is clearly not satisfactory in my way thinking, they should return the money direct to my phone balance, I’m in a dilemma do I have to accept a refund this way or not, has anyone else got a refund direct to their phone balance.
________________________________________________________________________________
If someone else was also scammed: I just called the number 02071369911 and then pressed 3 and was connected to a lady that said she is in Belgrade, Serbia. She said she would cancel my subscription. I also gave her my email address, and then I received an email from info (at) jamster (dot) co (dot) uk saying that if I want a refund of my £4.50 I have to write back providing them with:
– Full name of the bank account holder
– Bank name
– IBAN (International Bank Account Number). UK IBANs start with GB and are 22 characters long.
– SWIFT-BIC (Branch Identifier Code) – The SWIFT-BIC code is either 8 or 11 characters long.
Do you think it is safe to give them this information?
______________________________________________________________________________
It is totally illogical that they are able to take money from my giffgaff account, but cannot put it back there, the same place they took it from, and then need my bank details. I decided to take a risk and gave them the information they asked for, since I heard that banks are required by law to refund customers, if unauthorized withdraws are made.
Jamster sent me an email, saying I should see the £4.50 refund on my bank account in 20 days. Let’s see.
_______________________________________________________________________________
They said
“Nevertheless, as the entry was cancelled so soon after being confirmed, as a gesture of goodwill we will refund you £4.50. Your refund will be sent to you in the form of a text message from the Post Office on Friday 15th June 2018 and it will clearly state the Post Office as the sender. Once you receive your text message you can take this to any Post Office branch at your convenience. There’s a unique barcode, which is valid for 30 days, within the message and all you have to do is to present the message over the counter and they will give you your funds there and then in cash.”
Are they serious?
______________________________________________________________________________
I would just like to give an update regarding the scam text I received. Following advice given on here I replied STOP to the short number and called the help number. Left a message stating that the subscription was unsolicited and requested a refund. I also lodged a complaint with the PSA. I received a text today giving a bar code number to be shown at any Post Office to claim back the £3 that was taken from my airtime. I did this and the Post Office gave me my £3 back. Thanks again for your help
______________________________________________________________________________
We did eventually get a refund, it took about six weeks to arrive, and came in the form of a text message which had to be taken to the post office! Unbelievable!

To obtain a refund, ‘Payforit’ requires the consumer to negotiate directly with the originator of the charge. What is worse is that, if the recipient of the payment fails to respond, there is no process to follow to resolve the issue. In the absence of a defined process, these uncooperative companies continue to trade for months, until the volume of complaints is such that PSA cannot ignore them.

It is not the role of PSA to adjudicate on individual disputes. However, it could insist on the introduction of a mechanism by which consumers can receive swift refunds when they are defrauded by rogue companies. Much of this could be automated, as it is with other payment mechanisms.

The problem is not that fraud happens. It will happen to some extent with any payment system regardless of the security and authentication measures put in place. Fraudsters are continually refining their methods and finding new ones. Most payment systems respond to attempted fraud by putting effort in to fraud prevention, but this has not happened with ‘Payforit’.

The problem is the lack of any defined process for the consumer to resolve their complaint (within a reasonable timescale) and obtain a refund if one is adjudged to be appropriate. Current arrangements would appear to be in breach of the Consumer Rights Act 2015 as it applies to digital services, in terms of methods and timescales for dealing with consumer complaints, and in terms of the refund process.

Large numbers of consumers have experienced unexpected charges as a result of these ‘Payforit’ subscription services. Although the amounts involved are usually small (£4.50 per week or less), the companies take advantage of the fact that many consumers do not check their bills, and many consumers lose significant amounts.  This ‘cramming’ fraud has been a persistent problem, not just in the UK but in many other countries. In the USA and Australia, there have been a number of high profile cases where MNO’s have been held accountable for fraudulent subscriptions.

https://www.itnews.com.au/news/telstra-hauled-before-court-over-premium-mobile-billing-487699

https://www.consumeraffairs.com/news/verizon-sprint-to-pay-158-million-for-illegal-cramming-of-customers-mobile-phones-051215.html

Many consumers have experienced great difficulty in getting fraudulent subscriptions stopped. The ‘Payforit’ system can be very confusing, particularly for consumers who do not receive an itemised bill. The text containing the subscription is often deleted as spam. The ‘payforit’ receipt text does not say which service it relates to. The number to which STOP is to be sent is often different to the number from which the subscription text was sent. The problem is often made worse for PAYG customers who do not receive an itemised bill.

There is no disputes mechanism. Many consumers have been successful in getting a resolution using the UK Small Claims procedure, but this is not available for companies based outside the UK. Currently the EU Small Claims procedure is an option for companies based in EU countries, but this may not be available after March next year. It is not acceptable that defrauded consumers are unable to seek redress because of the high costs of taking proceedings in a foreign court.

There needs to be an independent ombudsman to consider all cases where consumers claim to have been fraudulently charged. Given the ease with which these frauds can be perpetrated, and the inability of the regulator to recognise them, a refund should be given unless there is clear evidence that the consumer knowingly and intentionally entered into a contract.

Direct carrier billing currently enjoys a limited exemption from the requirements of the Payment Services Directive v2 (PSD2).

In fairness, direct carrier billing services should be subject to the same regulations as the payment services they are competing with. The directive provides additional safeguards to consumers. It reduces their potential losses from fraud, and requires the Service Providers to provide robust, two factor, authentication. The directive also forces Payment Service Providers to provide a proper dispute mechanism. Consumers using ‘Payforit’ are denied the additional protection these safeguards would have afforded them.

In February this year, EE , to their credit, introduced a system requiring a two factor authorisation with PIN for all subscription services. (PSA currently only require this for services charging more than £4.50 per week). There has been a dramatic reduction in complaints of fraudulent subscriptions from EE customers. This suggests that EE’s approach has worked. As a minimum, PSA should introduce a Special Condition requiring this for all networks.

It is notable, that although PSA currently recommend the use of two factor authorisation with PIN for services costing £4.50 or less per week, this is ignored by most, if not all, providers. I do not believe this to be accidental, as two factor authorisation with PIN will defeat most of the exploits currently used to implement fraudulent subscriptions.

Q3: Do you agree that different subscription services may require different regulatory responses? Do you have any thoughts on what this variation could look like?

Unfortunately, Phone-paid Services subscriptions have had a high level of fraud complaints for many years. The move from PSMS to ‘Payforit’ resulted in a temporary drop in these complaints, but these have since increased again. It is probably true to say that as soon as one door is closed, the fraudsters will find another. This means that it is likely that, given time, the fraudsters will find a way of circumventing any protection put in place.

There are two possible solutions:

  • More speedy and robust application and adaptation of the code of practice to protect consumers as soon as a problem is identified. Currently, one service has been causing  a high volume of complaints since the beginning of May. At the beginning of October, it is still operating and generating the same high level of complaints while PSA conduct a lengthy ‘investigation’! A speedy and robust response to problems like this would help protect consumers by removing the fraudulent service before significant damage is done.

or

  • A speedy, impartial and simple method of resolving disputes and providing  refunds to consumers for charges where consent cannot be indisputably proven. This could be funded by a charge to the service for each case referred, so encouraging these companies to behave responsibly. It would not be fair for these costs to be shared evenly between services since, as you have stated, some services generate much larger levels of complaints (and currently lack any concern about this!)

In view of the current inability of the PSA to protect consumers from scam subscriptions, and their failure to robustly apply the code of practice, my preference would be for all services to be required to be members of an independent ADR scheme. Funding for this scheme could be obtained by a charge to the service provider for each case referred to the scheme.

An alternative approach might be to raise the bar for entry in to this ‘industry’.

Where a subscription service carefully monitors usage of the service, and offers speedy refunds  when the service has not been used (or has been used only once at the time of subscription), then the current levels of regulation might be appropriate. If service providers have a reputation to protect, they are unlikely to indulge in the practices that are currently bringing phone-paid services into disrepute.

In Australia, where most third party subscriptions can no longer use direct carrier billing, some services, such as Google Play and Netflix, have been allowed to continue. By only allowing authorised, reputable companies to access the payment mechanism, the risk of consumer harm is much reduced.

Q4: Is there any other information or evidence that you would like to provide to PSA to assist it to undertake more detailed analysis of the existing framework, including around where you see subscriptions heading?

It is clear from the numbers of recent cases that the current ‘Payforit’ system is highly vulnerable to fraud. Furthermore, PSA are, on their own admission,  unable to tell the difference between a legitimate signup and one caused by malicious code.

OFCOM, in 2012, wrote:

Internet diallers

6.77 During 2004 PP+ received 57,743 complaints about services using internet dialler software. These included consumers being misled into clicking on an icon or banner, or accessing a website, which, without their knowledge, would trigger the download of software to their PC. That software then used their internet dial-up account to call premium rate numbers operated by the dialler software’s owner.

6.78 This scam demonstrates how a fragmented supply chain, with separation between the service provider and the billing party, can be exploited in an (unlawfully) opportunistic way. The greater transparency of PFI services would not prevent this harm. Rogue software can be embedded in such a way as to circumvent any verifiable method of consumer consent to charges (like a PFI checkout).

It follows that any supposed ‘consent’ from a consumer has to be viewed with suspicion, especially when that consumer is adamant that they did not consent. PSA seem too willing to accept such ‘proof’ of consent unquestioningly, and place the burden of proof on the defrauded consumer rather than the service provider. The system needs to be reformed so that automatic refunds are provided unless the service provider can prove consent indisputably. (currently not possible for the reasons above).

Some ‘services’ for example those operated by SB7 Mobile Ltd and Lasevia Ltd appear to have been created solely to exploit this vulnerability. Trustpilot reviews of these service are enlightening.

https://uk.trustpilot.com/review/sb7mobile.com

https://uk.trustpilot.com/review/lasevia.com

There is no evidence that these services have any genuine subscribers, and a great deal of evidence that they are causing consumer harm (despite the efforts of SB7 Mobile Ltd to suppress valid criticism on Trustpilot). Services like these damage the reputation of the entire industry.

The vulnerability of ‘Payforit’ makes it a target for fraudsters. A look at some of the services will show that many of them are ridiculously poor value for money.

Take Lasevia’s Books4You service. You can read 50 ‘Classic books’ (for Classic read out of copyright) for £4.50 per week (equivalent to nearly £20 per calendar month) They don’t even tell you what the books are before you sign up! Compare this with Amazon’s Kindle Unlimited offering at £7.99 per month,

‘Services’ like this are not set up to provide a ‘service’ to consumers. They are set up to exploit the vulnerabilities of the Payforit system. I’m sure there are a few legitimate services which consumers find useful, but I can’t find them, nor any consumers extolling their virtues.

Companies that genuinely wish to provide a service to consumers should be putting pressure on the PSA to put an end to the fraud and clean up the industry.

The Phone-paid Services industry needs to modernise and provide the levels of consumer support and fraud prevention that are expected of modern payment mechanisms. Consumers should be able to report problems with these subscriptions to their networks and have them dealt with in one phone call, not be passed from pillar to post in an effort to get a resolution. The fact that the networks process these, often fraudulent, transactions and then claim to be unable to refund or even stop them does not sit well with consumers.

Consumers should be able to opt out of the ‘Payforit’ system and not have their numbers passed automatically to third parties when they click a link on a website. The only way this can be achieved currently is by the consumer using a VPN or by restricting internet access to WiFi connections. There is no need for consumers numbers to passed to third parties in this way. It is quite possible to sign up to a phone-paid subscription on a wifi connection, but because the process is more transparent fewof the complaints I receive relate to signups over WiFi. Some may wish to avail themselves of the ability to sign up for subscription services without ‘friction’. Those people should have to opt in.

Consumer should also be able to opt out of third party charges to their account. Currently this is not offered by all UK networks, but is a legal requirement in many other juristictions such as Germany. MNO’s should not be allowed to offer access to these subscription services without also offering an ability to bar access to them. Charge caps on mobile phone contracts should also be required to apply to these charges.

I would go a stage further and suggest that consumers should have to opt in to the ability to subscribe to these third party services (in the same way as currently happens for adult services). There would be two major advantages to this:

  1. By having to opt in, consumers would be made more aware of the fact that clicking links on websites could result in unwanted subscriptions.
  2. Children and other vulnerable groups could be protected from harm. Many complaints relate to children or vulnerable adults becoming subscribed to Phone-paid services. Parents want to be able to give their children a phone without the worry of them running up unexpected bills. Many consumers believe that by blocking premium calls/texts, or by putting a spending limit on an account they can protect themselves but, as PSA are well aware, that  is not the case.

In Australia, where there have been ongoing problems with ‘charge to bill’ or ‘cramming’ fraud, the networks were eventually forced by public opinion (and potentially expensive law suits) to limit the use of ‘charge to bill’ to large companies with good customer service.

https://yescrowd.optus.com.au/t5/Blog/Third-Party-content-closure-for-Optus-Postpaid-and-Prepaid/ba-p/447448

https://www.telstra.com.au/mobile-phones/moreonyourmobile/premium-direct-billing-exit

The same could happen here if the industry does not put its house in order! There are many other, more secure, payment methods which could be used to pay for such services. There is no evidence that the benefits of the simplicity of ‘Payforit’ justify the high levels of consumer harm caused by the exploitation of its vulnerabilities.

If consumers are not to be properly protected, I would prefer to see legitimate services moving to these other payment mechanisms, and Phone-paid subscriptions abandoned as they have been in Australia.

Recent Nuyoo Complaints

 

SB7 Threatened Legal Action

I learnt today that SB7 Mobile have reported several of my tweets to Twitter as being illegal.

Hello:

We are writing to inform you that Twitter has received official correspondence regarding your Twitter account, @Payforit_Sucks.

The correspondence claims that the following Tweets are illegal:

https://twitter.com/Payforit_Sucks/status/1001810694164099077

https://twitter.com/Payforit_Sucks/status/1001886151228182528

https://twitter.com/Payforit_Sucks/status/1001887291378368514

https://twitter.com/Payforit_Sucks/status/1004075931277889536

https://twitter.com/Payforit_Sucks/status/1007288491015901185

https://twitter.com/Payforit_Sucks/status/1008430324613877760

https://twitter.com/Payforit_Sucks/status/1009167746813382657

Twitter has not taken any action on the reported content at this time. We are only writing to inform you of content posted to your account which has been mentioned in a complaint.

We may be obligated to take action regarding the content identified in the complaint in the future. Please let us know by replying to this email as soon as possible if you decide to voluntarily remove the content identified on your account.

If you believe we have contacted you in error, please let us know by replying to this email.

This notice is not legal advice. You may wish to consult legal counsel about this matter.

For more general information on legal requests, please refer to the following Help Center article: https://t.co/lrfaq.

Sincerely,

Twitter

I have now responded to Twitter, as follows:

Hi

Thank you for informing me about this complaint. I have reviewed the tweets in question and cannot see that they break any UK or EU laws. They do serve to highlight widespread legitimate complaints about the company (SB7 Mobile) which I assume made the complaint. This company has been seeking to stifle valid and justified criticism both on Twitter and on Trustpilot. It is the nature of a platform like Twitter that such criticism will be made, and the normal response is for the company to answer the criticism, not to try to get the criticism removed by claiming it is illegal. I would be interested to know the reasons supplied by the complainant for these tweets being illegal.

I therefore do not propose to voluntarily remove these tweets, or to desist from posting further tweets of a similar nature.

However, I have no wish to cause problems for Twitter or to be in any way unreasonable. I understand that you have to protect Twitter’s interests, and if, after review, you hold these tweets to be illegal I will voluntarily remove these and a number of similar tweets which have not yet been reported.

Best regards

Paul

Update 6th October 2018

Tonight I received a solicitors letter from SB7 Mobile Ltd. I think they took exception to me identifying that the home addresses of the directors could be found on a document at Companies House.

Let me clear, I would not condone harassing the directors, but consumers may wish to send them copies of correspondence  sent to the company, in particular, letters before action in the Small Claims court.

There is much legitimate criticism, and I would much prefer SB7 Mobile Ltd to answer these criticisms rather that try to stifle them.

My problem is not just with the industry-mandated payment mechanic. It is to do with the way that certain companies are exploiting the vulnerabilities of this mechanic to take money from vulnerable consumers.

SB7 Limited and Trustpilot

SB7 Limited (the company behind the Nuyoo ‘Payforit’ scam) are currently trying to get negative reviews removed by Trustpilot, for breaching Truspilot’s guidelines.
To be fair to Trustpilot, some of these reviews, posted by angry consumers in the heat of the moment did use bad language and terminology which might be hard to justify legally. I can understand consumers calling SB7 mobile thieves, but it is probably better to say that they took money without consent!

One reviewer whose review is reproduced below has repeatedly amended his review, to comply with Trustpilot’s guidelines, only to have it objected to again. This is now getting ridiculous.

The post, produced below, is a potentially valuable resource for consumers, which Trustpilot are now denying access to.

Whilst the accusation that a phone number was obtained ‘illicitly’ might be regarded as a serious accusation, it is substantiated by the fact that the company paid the full amount taken plus court fees in order to avoid having to defend their position in court. I can see little else in the review that justifies its removal. I certainly don’t see any ‘offensive remarks’. I invite Trustpilot to identify what the problem is, but am beginning to wonder how much they have been paid by SB7 Mobile to silence justified criticism.

An Update I hope this post helps someone regarding SB7.
I have suffered the shock of this company debiting my account to the tune of £300. I did manage to fix it though, here’s how.
Bit of history.
I first noticed this company had been debiting my bank account in March 2018, on closer inspection of my O2 invoices it became clear that this company had been debiting my account since 2016.
I had given my wife my old iPhone 4 after an upgrade to the then newer iPhone 7 sometime around 2015-16. My wife only wanted the phone for emergencies as she is a technophobe. I purchased her a simple sim with free text small amount data etc. she was very happy with it. Being a technophobe, I always advised my wife to simply delete any messages or text she didn’t recognize for security. I never felt the need to check my account with O2 as she rarely used it to phone many friends, it was only my phone I kept an eye on online. Until by chance I viewed my account for her number in March 2018. Ouch.
On viewing invoice history, it became apparent SB7 mobile Ltd had been debiting for texts sent to her number since 2016 @£4.50 per text? Sometimes 5 texts a month. Grrr. I was very angry.
The Fix (Tip: stay calm stay civil)
I composed a letter to this company demanding a refund for the monies debited from my account. I complained that they had obtained her mobile number illicitly and underhandedly.
I advised that if I had no reply within 7 days to my complaint I would pursue a claim through county courts. I had no reply from this company to the request sent.
I made a claim to the county court regarding this matter around 16th March 2018. On the 23rd March 2018, I received via post confirmation of my claim through the post from the County court.
The same day I also received the first answer from SB7 regarding my complaint with an offer of £180 as compensation without excepting responsibility. I refused stating that I had already started a court summons and that it was my intention to pursue full settlement of my account debits plus the expense of the court £325.27.
SB7 subsequently revised their offer to compensate for the full amount £325.27 to be paid via the post office message system. I agreed to this on the proviso that I would only close my claim with the courts on receipt of cash owed.
So, I now await the post office text message from SB7 mobile Ltd for a full refund.
Advice for you if you want to recover monies owed by unscrupulous companies.
Be polite but firm, state your complaint by e-mail, request a resolution, give 7 days’ notice. If you get no answer take out a court summons, you can do this online (£25).
Do a search google (for company info Directors etc) Glean a home address for a director or Directors and include this address within your county court claim.
Hope this info helps someone, if I can do it so can you!

in an ideal world I would we would all be checking our accounts regularly.
Unfortunately, most of us live in the real world where we are just trying to earn a living and get on with our daily lives. I, for example, have a joint account with my wife? There is no way I’m going to start challenging her for any expenses she makes? Lol
This isn’t about debiting large amounts of cash from individuals although this can happen as I have proved!
This is about understanding modern lifestyle and Volume? By these companies.
How they glean our phone numbers is irrelevant, but they have them? They have probably purchased them via a data exchange. Who knows.
I am betting nobody here with a complaint will bother to peruse a claim if it is of small amount let’s say £10 or even £20? Most people will text STOP to the relevant number and that will be that. A few of us will contact the company directly to complain and may receive compensation. But not many? These companies know that.
It’s the sheer volume of customers who have had this type of attack that matters? You can prove this searching google for company information and viewing the turnover? Unbelievable!
What’s needed is proper regulation by government and accountability by this type of company.
Update 22nd June 2018
I have today received an email from customer support at Trustpilot after a complaint from SB7 mobile regarding specific wording within my post. I have edited my post to comply with Trustpilot’s terms and conditions as requested.
Thank you Trustpilot your service is excellent I can’t praise you enough.
I can also advise that SB7 Mobile (or associated companies) Paid the debt in full after my complaint. Thank You.
Update
7th July 2018
Received another email from the Trustpilot compliance team advising my post contained offensive remarks?. Begining to see a trend here where these companies take offense at our postings and complain? they then raise a compliance issue in the hope Trustpilot remove the post?

I shall try to retrieve other reviews when they are posted and will repost them on here when they are removed from Trustpilot, so that readers can decide for themselves whether the removal was justified.

If your review is one of those that has been removed, please amend and resubmit it. Don’t use bad language and avoid calling the company thieves or crooks. Just state the facts and let them speak for themselves.

Bodyin8 scam June 2018

In June 2018 there were a large number of reports about Bodyin8. The flow of complaints has abated somewhat, but the company is still the subject of complaints in February 2019.

They operate through a Level 1 provider called Tap2Bill who are responsible for the 83463 shortcode which is associated with quite a few of these scams.

At the time of writing they are not showing on the PSA Number checker. However the customer service number given in the sign up text is 03300538661. This number appears to belong to Mobile Payment Support, a company to which Bodyin8 have contracted out their customer service. MPS appear to be near impossible to deal with, so the advice is to deal directly with the company, using the Small Claims procedure.

The company behind Bodyin8 is Well Fitness Ltd (Company number 09994445). The registered address is : Onega House, 112 Main Road, Sidcup, Kent, United Kingdom, DA14 6NE.

I am not currently aware of any email address which can be used for Bodyin8, so it may be necessary to send correspondence by post to their registered address.

Update January 2020 – Please Read First

Communication with Well Fitness over the past year has yielded some interesting information, which I’ hope shortly to be in a position to reveal. Do not take legal action against Well Fitness Ltd at this time. The company is in severe financial difficulty, and although you will win your case and get judgement, you are unlikely to ever be paid. We suggest that instead, you take action against the Level 1 provider, Tap2Bill Ltd, and against your network.

A search for CCJs shows the following results for Well Fitness Ltd:

Advice if you’ve been affected by the Bodyin8 scam.

Unfortunately, the way that this works is that you have to contact Bodyin8 and get them to stop the subscription. You should also ask for a full refund of any money they have taken. You are entitled, under Section 45(3) of the Consumer Rights Act 2015 to insist that this refund is made back to the account from which it was taken. Under section 45(4) of the same act, any refund needs to be made within 14 days of it being offered and accepted.

If Bodyin8 do not co-operate or do not refund in full, you can then revert to your own network, and ask them to take action under the Mobile Operators Code Of Practice for the management and operation of PFI (Payforit).  O2, EE, Three and Vodafone also have their own procedures for handling ‘Payforit’  and these are linked on this page which gives more detailed advice on how to proceed if you are refused a full refund.

Ultimately if a full refund is refused Bodyin8 have paid out when faced with the possibility of a claim in the small claims court.  Legal action, through the small claims court, is likely to be the fastest and most successful approach to resolving a dispute with Bodyin8. They don’t dispute that they have taken your money. Ultimately they have to prove that you knowingly consented to the payments or make a full refund.

You should also complain to the Phone-paid Services Authority  (PSA) about the unauthorised charges. The regulator will not handle individual cases, but will take action if specific companies generate a disproportionate number of complaints. PSA have informed us that they are already investigating this company.

Sample reports of the Bodyin8 ‘Payforit’ scam

I hate these scams – what can I do to help?

What can I do to help?

So you’ve done all you can to sort out your own case, but feel a sense of burning injustice about the ease with which scam companies can help themselves to consumers money. What else can you do?

Reviews of Companies

These companies are supposedly ‘trusted partners’ of the mobile networks. A read of their reviews on Trustpilot and on Facebook will tell you that these companies are anything other than trustworthy. Adding to these negative reviews can help reinforce this impression. No need to write an essay (unless you want to), just a one star review and a comment that says they tried to took your money without consent.

Reviews of the Regulator

If the regulator has failed to properly investigate your case,  has come to a perverse decision or has just been generally obstrutive or unhelpful, you can add to their reviews on Facebook. The regulator seems to believe it is doing a good job. It plainly isn’t.

Formal Complaints about the Regulator

The regulator enjoys a rather too cosy relationship with many of the companies it is supposed to be regulating. You can’t complain just because you don’t like the outcome of their investigation. You can complain if you don’t believe they have investigated properly, or if after their investigation they come to a conclusion which couldn’t be justified on the basis of the evidence. If they have found that ‘on the balance of probabilities’ the service provider has done nothing wrong, then they are saying ‘on the balance of probablities’ you are a liar. Make them justify this view!

Details of the complaints mechanism are here. https://psauthority.org.uk/about-us/complaints-about-us

Complain to your MP

MP’s have so far not shown much interest in this issue, but if there are sufficient complaints they may do so.

Respond to Public Consultations

The regulator regularly consults on it’s priorities and to changes to its Code of Practice. It rarely gets any responses other than those from the ‘industry’. In December 2017 PSA launched a consultation on its priorities for the next financial year and I submitted a response. I believe that it is partly as a result of this response that the are now going to review the rules for subscription services.

It is likely that these changes will go out for public consultation. It would be good for them to receive a large number of public responses demanding radical reform, including making ‘Payforit’ opt-in rather that opt-out. I’ll put an outline response on the website when the consultation is announced.

Help with this website

Running payforitsucks.co.uk is time consuming. Picking up consumer complaints on the forums of the networks and on Twitter and providing responses pointing to relevant help is time consuming, and I have to take holidays sometimes. We could always use additional content on the site. I’m happy to provide access to the site to consumers who wish to contribute their own unique perspective on ‘Payforit’. Please help build public awareness of ‘Payforit’ scams, as this is the best tool we have to get reform.

Legal Action

Tom (mailto:tom@payforitsucks.co.uk ) is keen to see legal action taken to force a judicial review of the law governing ‘Payforit’. Aspects of ‘Payforit’ are clearly dubious, but challenging the legality in court is an expensive and complex process. Decisions made in the Small Claims court do not set a legal precedent, so it is necessary to go to a higher court, where, no doubt, the other side will field a team of skillful barristers to ensure that the current gravy train continues.

Scammers – Nuyoo

In May 2018 there have been a large number of complaints about Nuyoo fitness. This is a service operated by a company called SB7 Mobile, which has has previously been fined for breaking the PSA Code of practice. The previous adjudication can be seen here.

UPDATE: This scam is continuing in to August 2018. Here are a few recent complaints, which could be referred to in a letter before action to show that, in all likelihood, Nuyoo is a signing up consumers without consent,

UPDATE: October 2019

There have been few recent complaints about Nuyoo and it currently appears to be impossible to sign up for a new Phone-paid subscriptions. They appear to have “gone legit” and now allow you to set up subscriptions via more conventional methods. This doesnt mean that eisting subscriptions have been cancelled though, and some consumers have racked up charges in three figures over the months!

They operate through a Level 1 provider called Tap2Bill who are responsible for the 83463 shortcode which is associated with quite a few of these scams.

It also seems that a large number of affected consumers are with the Three network, so I wonder whether there may be a network specific problem here.

Please leave a review of SB7 Mobile Ltd on Trustpilot. https://uk.trustpilot.com/review/sb7mobile.com

Advice if you’ve been affected by the Nuyoo scam.

Unfortunately, the way that this works is that you have to contact SB7 and get them to stop the subscription. You should also ask for a full refund of any money they have taken. You are entitled, under Section 45(3) of the Consumer Rights Act 2015 to insist that this refund is made back to the account from which it was taken. Under section 45(4) of the same act, any refund needs to be made within 14 days of it being offered and accepted.

If SB7 claim you consented to their charges, ask them for:

  • Screenshots of the subscription workflow where you were alleged to have signed up for this service.
  • A description of what the service you are supposed to have subscribed to provides? Is this a newsletter, access to a web portal?
  • Any evidence that after supposedly signing up for the service, you actually used it
  • The complete web server log of the subscription, including the User Agent strings containing all device details (browser, device type, device IP address) together with dates and times.
  • If the subscription started after 11th May 2019 and your network is O2 or GiffGaff,, auditable proof of the additional authentication used (as required to comply with O2/GiffGaff rules)
  • Full company details of the company operating the service, country of registration, full name of company, company number and registered company address.
  • Details of the Accredited Payment Intermediary(API) which handled the payment
  • Details of the company’s disputes procedure, including any ADR scheme you can refer the matter to if they fail to provide a full refund.

Remember that under UK law, where the existence of a contract is disputed, the burden of proof rests with the vendor to provide evidence of that contract. If they can’t provide that proof, the charges are unlawful and should be refunded IN FULL.

In the unlikely event that you are provided with proof, refer back to this website for advice on refuting it.

If SB7do not co-operate or do not refund in full, you can then revert to your own network, and ask them to take action under the Mobile Operators Code Of Practice for the management and operation of PFI (Payforit).  O2, EE, Three and Vodafone also have their own procedures for handling ‘Payforit’  and these are linked on this page which gives more detailed advice on how to proceed if you are refused a full refund.

Ultimately if a full refund is refused I have evidence that these companies will pay out when faced with the possibility of a claim in the small claims court. Ultimately they have to prove that you knowingly consented to the payments or make a full refund. Look here for advice on how to use the Small Claims procedure to force them to refund.

You should also complain to the Phone-paid Services Authority about the unauthorised charges. The regulator will not handle individual cases, but will take action if specific companies generate a disproportionate number of complaints. SB7 have been the subject of a number of other recent complaints.

Sample reports of the Nuyoo ‘Payforit’ scam

On GiffGaff Forum

Nuyoo spam text
by aaronmc97 in Help & Support
‎12-04-2018 00:29
Hi, I’ve been hit with a spam message, said ive apparently joined “Nuyoo.co” and received a text telling me that I’ll pay £3 a week or I can text STOP to a number, I texted STOP and it wouldn’t go…
Show results in replies (3)

oscarmr has a question about Hello I am receiving …
by oscarmr in Help & Support
‎10-04-2018 20:32
…and I don’t even understand how it came to my phone. They are charging every time they send me a message at least 3 pounds. I have cancel premium calls and I am going to try to block the number with…
Show results in replies (5)

drpetermezes has a question about I recieved scam …
by drpetermezes in Help & Support
‎02-04-2018 22:21
I recieved the following text: FreeMsg: U have joined to get fit @ http://nuyoo.co for £3.00 a week. Ur first 24 hours are free. To cancel text stop to 83463. Help? 03300535869″ Please advise

spam text

by pharmaroxxx in Help & Support
‎24-03-2018 02:27
hi, i have received a text message from an online gym company (nuyoo.com) which wants to charge me £3 a week to recieve text messages from them. it says i have already signed up but i haven’t. what…
Hide results in replies

Been charged £3 for unknown text
by missbarron90 in Help & Support
‎12-01-2018 17:48
Hello i received a text message the other day from 3009007 the text said paid for it charge and it took £3 off my credit i have no idea what this is and have blocked the number has anyone else had…
Show results in replies (1)

 

 

With the demise of Payforit, and a PSA consultation on a new Code of Practice for Phone-paid Services, we have decided to launch the Phone-paid Services Consumer Group (PSCG). You can visit the new website by clicking here. IF you need help, please contact us via the contact link on the new website.
Follow by Email
WordPress Appliance - Powered by TurnKey Linux