PLUGS with USB ports feel like a godsend when travelling abroad, as you don’t have to worry with adapters.
But it turns out that they risk doing more harm than good – and could end up costing you a fortune.
Sign up for the Travel newsletter
Thank you!
Travellers have been warned to not use USB ports at airports as it could lead to ‘juice jacking’Credit: Getty
The US Transportation Security Administration (TSA) has warned passengers that using USB ports in airports can potentially make your phone vulnerable to a cyber attack.
In a Facebook post, TSA said: “Hackers can install malware at USB ports (we’ve been told that’s called ‘juice/port jacking’).
“So, when you’re at an airport do not plug your phone directly into a USB port.
“Bring your TSA-compliant power brick or battery pack and plug in there.”
Juice jacking is essentially a form of cyber attack, where public USB ports are used to steal data from or install malware on a device.
The issue isn’t just limited to airports either, as any sockets with USB ports in a public place could be at risk – on board the plane, at train stations, in hotels and in coffee shops.
Through juice jacking, hackers can gain access to sensitive information such as passwords, emails and financial information.
Malware could also be installed, which allows hackers to track online activities – or even fully take over your device.
Firmware could also be impacted, meaning that the security measures on a device could be rendered useless.
The TSA also warned that travellers should not use public Wi-Fi, especially if planning to make online purchases.
So how do you protect your device?
According to cybersecurity company McAfee, “the most straightforward way to avoid juice jacking is to use your own charging cables, plugs and adapters.
They said: “By plugging into a standard electrical outlet rather than a public USB port, you eliminate the risk of data theft or malware installation through compromised USB ports.”
You could also carry a battery pack with you, but make sure to check your airline’s regulations as some do not allow power banks on board planes.
You can also use a USB data blocker, which is a small adapter that attaches to the end of your wire and blocks any transmission for a USB port.
This then only allows power to go through the cable to your phone.
WE all like to think that we’d beat the scammers if they came knocking – but are you really that savvy?
After all, the latest Global Anti-Scam Alliance report warns that people in the UK lost £11.4billion to scams in the last year – up £4billion on the year before.
6
We all think we’d beat the scammers – but even very simple modern cons can catch us outCredit: Getty
And the average loss per victim was £1,400, with just 18% recovering their money.
We spoke to several security experts who revealed five of the most simple-but-effective scams going – they’re all shockingly common AND easy to spot… but repeatedly catch out Brits.
This is a cheap and easy tactic that Brits do fall for.
“Blackmail scams claim to know damaging information about a victim, demanding payment to keep quiet,” said Chris Hauk, of Pixel Privacy, speaking to The Sun.
“Victims are told they have been recorded doing disgusting things while at their computer or using their mobile device, and that the video will be sent to friends, family, and employers if they do not pay up.”
These claims can be scary, and there’s a sinister trick that crooks pull to make them even more convincing.
Deepfakes more ‘sophisticated’ and dangerous than ever as AI expert warns of six upgrades that let them trick your eyes
They’ll use fake email addresses that look like your own account to hoodwink you.
“Email extortion scams claiming to have compromising pictures of end-users in intimate moments are quite common, and remain some of the most prevalent scams on the internet these days,” said Michael Tigges of Huntress.
“An adversary will often spoof the email addresses in the mail and generate an email that appears as if it was sent from the user’s own email account and claim to have access to all accounts.
“They will ask for money, cryptocurrency, etc., to avoid ‘leaking’ these pictures or videos.”
Staying Safe
It’s important to not give in to the scammer’s demands.
6
Email is still a classic way for crooks to reach Brits, and they’re not doing it for a laugh – it really still does catch people out in 2025Credit: Getty
In the first place, even if the material that the crook has is legitimate, paying them won’t help. They might just take your money and share it anyway.
But in most cases, the crooks have simply invented the dodgy material – and won’t show any real proof that they have it.
It’s best to just ignore these scam messages. Interacting with the crook shows that your email is active and that you’re willing to engage.
And that could lead to them targeting you with other scams down the line, or trying a different tactic on you.
SCAM 2 – TECH SUPPORT
Next up is the iconic tech support scam, which still successfully hoodwinks unsuspecting Brits.
“Tech support scams are another classic,” Proton’s Patricia Egger told The Sun.
She described it as “a pop-up or call pretending to be from Microsoft or Apple, pushing you to hand over control of your computer or bank details”.
It might sound obvious, but they often come out of the blue and catch you off-guard.
And with years of experience under their belts (and now the power of AI), scammers can generate highly convincing fake alerts.
“Fake tech support scams are also highly common,” Michael Tigges, a security analyst at Huntress, told The Sun.
6
Tech support scams often start with a shocking pop-up, often in bright red and with a serious warning attachedCredit: Getty
“A website will generate a ‘notification’ prompt in modern browsers which mimics an anti-virus/Microsoft notification and asks the end-user to call a number controlled by the adversary.
“That person will then remotely access the computer and either install malware, or remotely fake a number of ‘tech issues’ that must be fixed for a fee.”
Staying Safe
Be extremely sceptical of any mysterious pop-ups.
Look out for typos, bizarre requests (for passwords or money), aggressive wording, and unusual styling (does it fit how your device normally looks?).
And if you’re unsure, check with your device maker to see if it’s legit.
This is extremely simple – and that’s what makes it so effective.
“The scams that catch people out most often are usually the simplest,” Proton’s Patricia Egger told us.
“Fake texts or emails saying you’ve missed a delivery, owe tax, or need to fix a bank problem are still everywhere.
“And they work because they create a sense of urgency that does away with calm and clear thinking.”
REPORTING SCAMS
Here’s the official advice on reporting scams from Action Fraud…
Have you spotted a suspicious email?
If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS):[email protected]
Have you received a suspicious text message?
Suspicious text messages should be forwarded to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action, if found to be malicious.
Have you received a suspicious phone call?
If you’ve lost money or have been hacked as a result of responding to a call, you should report it:
In England, Wales or Northern Ireland, report it to us online or by calling 0300 123 2040.
In Scotland, report to Police Scotland by calling 101.
If you have not lost any money or responded to the call, you should report report scam call numbers free of charge to 7726. Your provider can find our where the call came from and block or ban the number.
To report a scam call, simply text 7726 with the word ‘Call’ followed by the scam.
WHAT TO DO IF YOU’RE SCAMMED
Here’s the advice from Citizens Advice:
Contact your bank immediately if:
there’s a payment from your bank account you don’t recognise – this is known as an ‘unauthorised transaction’
you’ve used your debit card and more money was taken than you expected
“Explain what’s happened and ask if you can get a refund,” Citizens Advice said.
“If you’re not happy with how the bank deals with your claim, you can complain to them. Find out how to do this by checking their website.
“If it’s been 8 weeks since you complained, and you haven’t got your money back, contact the Financial Ombudsman.”
You will need to give your bank as much detail about the scam as you can. That includes exactly what info you may have handed over to the scammers – or if you’ve downloaded any dodgy files.
That way, they can prevent more money from being taken from you in the future.
You should then contact the police about the scam.
Crooks can deliver this kind of scam in bulk – hitting hundreds, thousands, or even tens of thousands of targets.
And they just need a fraction of those targets to bite, allowing them scoop up prized info or cash.
It can take many forms, but the style is always the same: you must act quickly, or you’ll be handed a bill.
“A victim is told they have several outstanding fines or payments that must be paid immediately or they’ll face prosecution,” Chris Hauk told us.
6
Scammers will send you official-looking missives that claim you’ve got an unpaid bill, there’s a transaction you need to deal with urgently, or that you’re on the hook for a massive fineCredit: Shane O’Neill, Coalesce
“However, if they just go and buy several gift cards amounting to the outstanding sum and provide the information to the scammer, all will be forgiven.
“Emails and text messages claim that sums of money are owed either for a debt, or a fine, or even a toll road fee.
“They may also provide a link to pay that is actually to a malicious site designed to harvest financial information from the victim.”
Staying Safe
Scammers don’t want you to have time to think things over or to check out their story.
Chris HaukPixel Privacy
If you ever receive an urgent alert, pause – don’t act fast.
Instead, reach out directly to the company that the alert claims to be from.
Use the official phone number or email on the website, and not the one you’ve been sent with the alert.
And if the fine or charge comes from a suspicious company you’ve never heard of, do your research. Is it a real company? Does it have an online presence or reviews? Is it registered on Companies House? Who runs it?
SOCIAL ENGINEERING SCAM – HOW IT HAPPENS
Here’s a tale of how quickly £4,500 can be lost to crooks, as revealed by Action Fraud…
“Sophie, a 25-year-old marketing executive from Manchester, received a convincing email that appeared to be from her bank, alerting her to suspicious activity on her account,” Action Fraud said.
“The email included the bank’s official logo and a link to a website that looked identical to her bank’s online portal. Concerned about her finances,
“Sophie clicked the link and entered her login details, believing she was securing her account.
“Within minutes, she received a phone call from someone claiming to be a bank representative, who referenced the ‘suspicious activity’ and asked her to confirm her identity by providing additional personal information and a one-time passcode sent to her phone.
“Trusting the caller, Sophie complied, only to discover the next day that £4,500 had been withdrawn from her account in several unauthorised transactions.
“The scammers had used her credentials and the passcode to bypass the bank’s security measures. Despite reporting the incident immediately, the funds could not be recovered.”
Ask these questions before handing over any cash.
Chris added: “Scammers don’t want you to have time to think things over or to check out their story.”
SCAM 4 – THE FAKE JOB
The fake job scam is one of the most nefarious cons out there.
It’s almost unimaginable to think that you’d fall for such a wheeze. Surely you’d spot a fake job a mile off?
But it’s easy to forget that when you’re hunting for a new role, you might be feeling particularly desperate.
And as the cost of living goes up, Brits can be tempted by easy money or a more relaxed working environment.
Crooks know this, and capitalise on it.
6
Fake job scams often come via WhatsApp – don’t fall for themCredit: PA
“Fake job offers are also becoming increasingly common, these often sound appealing at first, promising easy money, work-from-home roles, or a big windfall,” Proton’s Patricia Egger told us.
“They hook people with the promise of good news, then demand ‘processing fees’ or bank details.”
She continued: “These tricks work because scammers know how people act in response to emotions, both good and bad.
“And with increasing quantities of data about us online, ‘I’d never fall for that’ is just one data leak away from being untrue.”
Staying Safe
Patricia’s best advice is to watch out for red flags like:
Unexpected links or attachments in a chat about a job
Pressure to act immediately
Being asked to move money for a job or pay fees upfront
Any perk of the job that seems too good to be true
She added that you should always make sure to “slow down and stay sceptical”.
SCAMS IN 2025 – THE EXPERT VIEW
Here’s what Sean Keach, The Sun’s resident tech expert, thinks…
It’s never been easier to carry out scams.
Cybercriminals have the world’s arsenal of tech at their disposal.
And with AI, they can supercharge their efforts by crafting convincing scam materials in seconds – and then dispensing it to victims just as quickly.
It sounds terrifying, and in many ways, it is.
But there is some good news.
Although scammers can carry out scams more convincingly and at greater speed, they’re still the same classic cons at their core.
And that means the age-old rules you need to follow stay the same too.
Avoiding scams really is as simple as being as cautious as you can be.
If something seems too urgent or too good to be true, don’t be afraid to take a step back and give it a good think.
Ask your friends and family for advice. Do research online.
Money can disappear in the blink of an eye, and you’ll struggle to get it back. And the same is true for info, which can be used to defraud you or hoodwink those close to you.
So be extremely careful before you ever hand anything over online.
If something seems off, it probably is.
Picture Credit: Sean Keach
SCAM 5 – FRIEND IN NEED
There are lots of variations of this con, but it’s commonly known as the “friend in need” – or lately, the “hi mum, it’s me” scam.
This is when a crook pretends to be someone you know to hoodwink you.
It works because so often we expect scams to come from people we don’t know – or criminals posing as businesses.
“It’s not just strangers,” said Patricia Egger, of Proton.
“Criminals often pretend to be friends, colleagues or family by hacking accounts or stealing personal details.
“If you get an urgent request from someone you know that feels unusual, check with them through another channel before doing anything.”
These crooks might message you from a strange WhatsApp account, and say, “Hi mum, it’s me your daughter, I’m texting from a friend’s phone.”
And they’ll say that they’re in trouble and need money fast.
They might give the excuse that they’re in legal trouble, need cash for a taxi home, or have some other urgent money worry.
Many parents or pals will dismiss these texts out of hand.
But it only takes a little absent-mindedness and some luck on the part of the crook and you can easily fall for the con.
It’s increasingly common in the UK because so many Brits fall for it.
Worse still, some crooks will actually text you from your own family member’s phone number.
“Accounts can be taken over, and regularly are, by bad actors,” said Erich Kron, of KnowBe4.
“It can email, social media, or any number of other mediums, and attackers know that communications from known associates carry a lot of inherent trust.
“They can even hijack previous conversations, making it look even more legitimate.”
HOW THE ‘IN NEED’ SCAM REALLY HAPPENS
Here’s a case study from the Chartered Trading Standards Institute of a woman who tried to send £2,600 to criminals posing as her son…
“A member of the public named Alison received a message on the popular messaging platform WhatsApp: ‘Hi mum, I’ve dropped my phone down the loo (sad emoji) this is my new number’,” the CTSI said.
“Alison replied to the message and asked if it was her son, Will, to which the scammer replied in the affirmative.
“The very next day, Alison’s ‘son’ messaged her asking for £2,600 and explained that he had got mixed up with loan sharks and needed to pay up. Alison didn’t doubt the message for a moment.
“Alison tried to call her ‘son’ back, but the person on the other end kept saying they couldn’t take the call and continually put pressure on her to make the payment quickly.
“This worried Alison, who agreed to make the payment. The person gave the bank details of the alleged loan shark to pay.
“Fortunately for Alison, she forgot to click the final payment confirmation and, after some time, the scammer messaged asking for a picture to prove the payment had been made.
“This caused a wave of scepticism in Alison’s mind, and then it was confirmed that the message was indeed a scam.”
6
Crooks will send messages pretending to be a loved one – be very wary if you ever receive a text like thisCredit: Alamy
Staying Safe
With this scam, your best defence is communication.
Be cautious whenever anyone asks you for money urgently – even a family member.
If they do, reach out to them by some other method, like calling them on the phone, to verify that it’s actually them asking for money.
Another good trick is to create a safe word or phrase that your family uses to verify that they’re really asking for cash.
“It’s important to establish an understanding between peers and family,” said Huntress’s Michael Tigges.
“Consider establishing ‘safe words’ or phrases that can be utilised when calling family members or peers from an untrusted number to confirm identity.
“And encourage family members, especially the elderly, to be highly sceptical of phone calls from untrusted numbers.”
Your safe word could be anything – even a silly phrase like “purple banana”.
It just needs to be something that you and your loved ones can remember, but that a criminal could never guess.
Don’t save it anywhere on your phone. Keep it as secret as possible.
It could mean the difference between avoiding a scam or losing thousands to a criminal – and then never getting it back.
FORMER One Direction star Louis Tomlinson was duped by fraudsters in a £4million footie plot.
The Bigger Than Me singer became the face of Doncaster Rovers in the hope he could boost the profile of his childhood team and take them to the Premier League.
6
The singer with former Doncaster chairman John RyanCredit: Rex
6
Louis Tomlinson was duped by fraudsters in a £4million footie plot
6
The pop star making his Doncaster Rovers football debut in 2014Credit: Alamy
But the 33-year-old had the wool pulled over his eyes by a gang who stole millions from people’s retirement nest eggs.
Over two years £3.7million had been funnelled from hard-earned pension pots belonging more than 200 victims.
Prosecutors said the proposed Doncaster deal was used by the thugs to cover upthe missing cash to cops.
As reported by the Mirror, criminal gang Kevin Phelan, Daniel Giles and Adrian Bashforth were all convicted last month and face jail time.
The trial at Leeds Crown Court heard Louis unwittingly became involved with the scammers in 2014.
At the gang’s trial, prosecutor Timothy Hannam KC said: “These defendants nicked money from people’s life savings.”
Former club chairman John Ryan enlisted Louis’ help to bolster support for Doncaster at the time.
The club was insolvent and staying afloat by Ryan’s loans and other investors.
Seqentia Captial SA tried to buy it twice, but deals fell through on both occasions.
Ryan also asked crook Phelan, 62, if he wanted to buy the club in 2013.
Louis Tomlinson admits feeling nervous ahead of Soccer Aid as Zara’s ex Sam Thompson awkwardly hovers behind him
Louis later met with the gang at his Cheshire pad at the height of 1D’s fame in 2014.
Ryan transferred his 30 per cent shareholding to Sequentia and resigned as Doncaster chairman.
The proposed deal stated 70 per cent of Doncaster would be given to Belize-based Sequentia Capital SA if the takeover was successful.
Louis and Ryan would become the club’s public face while Sequentia would be a “silent participant”.
The One Direction singer started a fundraiser and aimed to rake in an eyewatering £6million from his fans and followers.
But the crowdfunder only raised £600,000 in the end, and £500,000 of that was from one of the fraudulent gang members.
The source of the offshore firm’s funds was “stolen pension money”, the court heard.
Phelan met Louis at his home in January 2014 and Daniel Giles texted the same day: “I’ve been interrogated for the last few hours over 1D boy. Kids want to come to the next meeting mate.
“I’m thinking 16 million brainwashed followers. Very very interesting.
“Let’s crack on now together and build a nice fighting fund.”
The deal would also see Louis take a 10 per cent stake in the club with the hopes they would reach the Premier League.
The singer would show his support at games and behind the scenes.
He met with Phelan and Giles, 51, at a One Direction concert in Dublin’ to sign the deal, however it didn’t go through due to the lack of funds raised.
Louis said at the time: “I’m gutted the Doncaster deal is not going ahead. I am desperate for the club to be given the recognition it deserves.
“I was told the deal to buy the club was not dependent on the money raised by Crowdfunding. Unfortunately I was misled.”
There is no suggestion Louis or Ryan knew about the pension fraud.
The defendants will be sentenced in January.
6
Louis supported at matches and behind the scenesCredit: PA
6
The former 1D star became the face of the clubCredit: PA:Press Association
6
Neither Louis nor John Ryan knew about the dodgy dealingsCredit: Nigel Bennett
KEYLESS cars are becoming increasingly vulnerable to theft as criminals turn to sophisticated tools like Game Boy-style emulators, experts warn.
Alarmingly, most mechanics now consider traditional car alarms ineffective as deterrents.
4
Keyless cars are being targeted by thieves – as smarter security solutions are needed
4
Game Boy style gadgets are being used to steal vehicles in secondsCredit: Getty
4
Experts have revealed their top tips to keep your car safe from sophisticated thievesCredit: SWNS
4
Despite advances in vehicle security tech, steering wheel locks are still recommendedCredit: Getty
The Royal United Services Institute (RUSI) says vehicle theft in the UK has surged by 75% over the past decade, with 130,000 cars stolen annually.
This trend has sparked calls for smarter, tech-based solutions to deter car thieves.
According to Fix My Car, car owners should adopt multiple layered security strategies and modern tools to help protect their motors – including engine immobilisers and GPS trackers.
Indeed, only 5% of mechanics trust traditional car alarms as effective deterrents, although everyday precautions, such as keeping keys hidden, parking in well-lit areas and checking on vehicles regularly remain essential habits.
Matt Wrankmore, Head of Garage Network at FixMyCar, said: “Car theft is no longer just about smashing windows or hot-wiring ignitions.
“Criminals are more cyber-savvy than ever, so drivers need to respond with a balanced approach using both smart technology and visible deterrents.”
And he added: “There are definite benefits to using traditional deterrents in your car, and many manufacturers still recommend steering wheel locks despite advances in vehicle security tech.
“I believe drivers returning to these methods are on the right track but we need to use all the tools available.
“That means combining mechanical immobilisers and telematics trackers with visual deterrents like steering wheel locks and alarm stickers.
“And let’s not forget the cheapest and most overlooked measure of common sense.
Channel 4 Dispatches discovers organised criminal gangs at the heart of car thefts
“Keeping your keys hidden, parking in well-lit areas with CCTV, and checking on your car regularly are all simple habits that still go a long way.”
The rise in car thefts has also exposed vulnerabilities in high-end vehicles, such as Hyundai’s electric Ioniq 5.
A furious driver, Adam Metselaar, threatened to sue the firm last year after his £47,000 keyless car was stolen in just 31 seconds using a gadget disguised as a Nintendo Game Boy.
Despite keeping his car keys in a protective box to prevent cloning, the thieves bypassed the system using a hi-tech “emulator” hidden inside the casing of the gaming device.
The grey Ioniq 5 was traced four miles away using an Apple AirTag, but it had sustained £10,000 worth of damage.
Hyundai admitted that similar thefts have affected at least 26 cars in London, as per September last year.
They later updated their Bluelink software to introduce additional anti-theft features.
As summer holidays prompt many motorists to leave their cars unattended, FixMyCar is encouraging drivers to take proactive measures to protect their vehicles.
A combination of modern tracking devices, visible deterrents and simple precautions can go a long way in safeguarding cars from increasingly sophisticated thieves.
Five effective ways to protect your vehicle from theft
Use engine immobilisers and GPS trackers
These tech-based solutions are highly recommended by mechanics. Engine immobilisers prevent the car from starting without the correct key, while GPS trackers help locate the vehicle quickly if stolen.
Install visible deterrents
Devices like steering wheel locks, wheel clamps and alarm stickers act as visual signals to deter thieves, making your car a less appealing target.
Adopt everyday precautions
Simple habits such as keeping your keys hidden, parking in well-lit areas with CCTV and ensuring your car is locked at all times are effective and inexpensive ways to reduce theft risk.
Secure keyless fobs
Store keyless fobs in Faraday pouches or protective boxes to prevent criminals from cloning the signal. Regularly check for software updates for your car’s keyless system to enhance security.
Blend traditional and modern security measures
Combining old-school deterrents like steering locks with advanced technology, such as telematics trackers, provides a multi-layered defence against increasingly sophisticated theft tactics.
SHOPPERS who use Apple Pay or Google Pay may be at higher risk of fraud, consumer group Which? has warned.
It said the use of one-time passcodes by banks could be making people with digital wallets an easy target for scammers.
1
Shoppers who use Apple Pay or Google Pay may be at higher risk of fraud, Which? has warnedCredit: Getty
A survey by the consumer champions found that the majority of banks are still using these security features, putting consumers at risk.
Unlike contactless cards, there is no £100 spending cap on cards added to Apple and Google Pay, so fraudsters can quickly drain victims’ accounts once they gain access to it.
Scammers normally trick people into divulging their card details by setting up a fake transaction, Which? said.
People will think they’re paying for a bargain product advertised online, or they might fall victim to a phishing message.
A common example is parcel delivery scams, where you’re asked to pay a nominal amount for re-delivery.
Scammers monitor the transaction in real time, inputting the victim’s card details into a digital wallet on their own phone.
Many banks will then ask for a one time passcode (OTP) to verify the cardholder, which the scammer then asks the victim for to complete the “transaction”.
The fraudsters are then able to drain the victim’s bank account.
Which? surveyed 15 banks and card providers about their digital wallet setup process between April and May this year, and found the majority still use OTPs sent through text message as one of the options for adding cards to a digital wallet.
Of the 14 providers that allow cards to be added to wallets (Capital One is the exception), just two banks confirmed they do not use OTPs, while a third appeared not to when Which? researchers tested the process.
New ‘property tax’ will PUNISH hard-working Brits and torpedo house market, blasts Kirstie Allsopp
Barclays, Co-op, HSBC (with its sister banks First Direct and M&S Bank), Santander and Virgin Money said they currently use SMS OTPs, though they are not the only verification option.
Starling said it still uses OTPs for setting up Apple Pay alongside other options, but it removed them from Google Pay in 2022.
TSB said it is working to set up in-app verification, but is using OTPs in the meantime.
American Express, Lloyds Banking Group and NewDay (which operates the John Lewis Partnership Credit Card) – did not outline which verification methods they use.
When Which? tested the set up processes for cards, Amex did use SMS and email OTPs, while Halifax did not and instead offered several “more robust methods” including in-app approval.
Chase and Monzo said they have never used OTPs for setting up digital wallets.
It comes after Cifas, UK Finance and the Cyber Defence Alliance previously warned about the link between OTP use and digital wallet fraud.
Providers can also limit how many wallets a card can be added to overall, or within a certain time period, but most banks do not implement these restrictions.
Virgin Money allows an individual card to be added to a maximum of five devices.
Starling with a total limit of 15 devices, while Monzo customers can only add their Monzo cards to a digital wallet twice in a 24-hour period and three times every 30 days.
However, Which? said that even with these limits in place, consumers can still fall victim to scammers as they only need to add one card to a digital wallet to start spending.
Which? Money deputy editor Sam Richardson said: “For millions of us, digital wallets are a quick, easy and secure way to make payments, but weaknesses in card providers’ security means they can also be a gift to scammers.
“Banks have known for years that using one time passcodes (OTPs) to verify account holders is leaving consumers vulnerable.
“It’s clear further investment is needed to make the digital wallet set-up process fit for the threats consumers face in 2025.
“In the meantime, we’d caution shoppers to always think twice before sharing their payment details – or OTPs – online.
“If you think you’ve been a victim of a scam, contact Action Fraud and your bank immediately.”
Apple told Which? it is not responsible for approving or rejecting the addition of a card to Apple Pay, or for approving or rejecting transactions.
It said that it takes users’ security seriously and Apple Pay has been designed in a way to protect users’ personal information.
A Google spokesperson said: “Security is core to the Google Wallet experience and we work closely with card issuers to prevent fraud.
“For example, banks notify customers when their card has been added to a new digital wallet, and we provide signals to help issuers detect fraudulent behaviour so they can decide whether to approve added cards.”
An American Express spokesperson said: “Privacy and security are a priority for American Express.
“We have controls designed to protect customer accounts and guard against unauthorised fraudulent activity, and if we identify activity that may be fraud, we will take protective actions.”
Barclays said that the verification method used for adding a card to a digital wallet will depend on the user journey. It said it does not currently have plans to phase out use of OTPs.
Co-Op Bank said it monitors for fraudulent registrations through its fraud detection systems and has multiple strategies in place to detect digital wallet fraud. It does not currently have plans to phase out use of OTPs.
HSBC said it has no immediate plans to phase out OTP delivery for adding cards to digital wallets, however, it keeps its digital wallet provisioning process under review.
Lloyds said it has invested millions of pounds in multi-layered fraud defences, and continues to regularly review its authentication methods.
Nationwide said that it has multiple layers of protection in place to keep its customers safe from fraud including warning messaging, AI models and sophisticated internal analytics. It is currently exploring alternatives to OTPs.
Natwest said it regularly reviews its customer experience and authentication to ensure security, and said it is reviewing how it uses OTPs.
NewDay declined to comment.
Santander said it is looking at other forms of authentication, and other security measures, which may be less visible to a user than the mechanism used for two-factor authentication.
Starling said it currently only uses OTPs for Apple Pay, and removed this option from Android phones in 2022.
TSB told Which? that it is working closely with card and wallet providers to implement approval via the TSB Mobile App. In the interim, OTP verification is accompanied by the necessary risk verification, alongside fraud controls to keep customer details safe.
Virgin Money said its fraud team has heightened monitoring and controls around digital wallet fraud. It also said that it is looking at in-app verification as an option but has no current plans to phase out use of OTPs.
Do you have a money problem that needs sorting? Get in touch by emailing [email protected].
MARKS and Spencer has issued an update for customers with gift vouchers after its cyber attack.
Customers have taken to social media to share their dissatisfaction with the retailer’s latest update.
1
M&S have issued an update on its gift vouchersCredit: Getty
It comes as the ongoing chaos has left scores of M&S shoppers unable to use their gift vouchers.
Yet the retail giant initially told customers they won’t get extensions of the expiry dates on vouchers due to expire.
One customer took to X, pleading: “My vouchers expire at the end of this month but I can’t use them. Can I have them extended?”
But M&S responded: “Unfortunately we’re unable to extend vouchers.”
They later appeared to soften, agreeing to “double check” on the customers behalf.
Last month, shoppers also said they’d hit a brick wall.
One couple revealed on the MoneySavingExpert forum that they’ve been saving up vouchers from their M&S credit card for months, only to be told they’d have to use them now or lose them entirely.
The customer posted: “We contacted M&S Customer Support which bluntly said that if we didn’t use the vouchers by their expiry date then that was tough.
“The only option we have is to spend them on something we don’t really need.”
They added that M&S stores aren’t even able to place orders, meaning customers can’t just pop in and buy bigger items either.
Victoria’s Secret forced to take down website over ‘security incident’ leaving shoppers in the dark
Even staff are reportedly unable to order stock, with fears some branches could start running out of essentials altogether.
An MSE forum ambassador said: “Given the number of people this may affect, perhaps thousands as you suggest, I would expect M&S to extend the end date for these.”
While another shopper fumed: “The least they could do is extend the date.”
M&S credit card reward vouchers are valid for 17 months, while shoppers with gift cards have 24 months from the last transaction to spend them.
When The Sun contacted M&S, it advised affected customers to get in touch – but didn’t confirm whether it would offer extensions on a case-by-case basis after all.
A M&S spokesperson said: “The majority of M&S credit card customers redeem their reward vouchers in stores, and they can continue to do so.
“If for any reason customers aren’t able to redeem in store, and their vouchers are due to expire soon, we would ask them to get in touch with us so we can support them.”
Meanwhile, the attack is still causing carnage across the business.
M&S was forced to pull online orders, birthday perks were suspended, and Sparks offers were frozen.
Online shopping is still out of action and is expected to remain patchy until at least July, with fashion, home and beauty sales taking a battering.
Timeline of the attack
Saturday, April 19: Initial reports emerge on social media of problems with contactless payments and click-and-collect services at M&S stores across the UK. Customers experience difficulties collecting online purchases and returning items due to system issues.
Monday, April 21: Problems with contactless payments and click-and-collect persist. M&S officially acknowledges the “cyber incident” in a statement to the London Stock Exchange. CEO Stuart Machin apologises for the disruption and confirms “minor, temporary changes” to store operations. M&S notifies the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) and engages external cybersecurity experts.
Wednesday, April 23: Despite earlier claims of customer-facing systems returning to normal, M&S continues to adjust operations to maintain security. Contactless payments are initially restored, but other services, including click-and-collect, remain affected.
Thursday, April 24: Contactless payments and click-and-collect services are still unavailable. Reports surface suggesting the attackers possibly gained access to data in February.
Friday, April 25: M&S suspends all online and app orders in the UK and Ireland for clothing and food, although customers can still browse products. This decision leads to a 5% drop in M&S’s share price.
Monday, April 28: M&S is still unable to process online orders. Around 200 agency workers at the main distribution centre are told to stay home.
Tuesday, April 29: Information suggests that the hacker group Scattered Spider is likely behind the attack. Shoppers spot empty shelves in selected stores.
Access to passwords within the app will be completely blocked by AugustCredit: Alamy
While many use the platform to verify their identity there is also a useful password autofill capability.
The feature allows users to securely store all their passwords in one place and summon them from any mobile device or computer you’re logged into.
But it’s being phased out, with the first stage commencing in days.
From June, you’ll be blocked from saving any new passwords on the app.
Then in July, the autofill function that automatically adds your login details onto webpage will stop working.
Finally, the entire saved passwords tool will cease in August with any login data stored on the app deleted.
Microsoft has ramped up warnings to users, with a banner now appearing in the app.
“Autofill via Authenticator ends in July 2025,” the app says.
“You can export your saved info (passwords only) from Authenticator until Autofill ends.
“Access your passwords and addresses via Microsoft Edge at any time.
Change Gmail and Outlook password using ‘phrase rule’ right now as experts warn most log-ins can be guessed in an hour
“To keep autofilling your info, turn on Edge or other provider.”
The popular passkeys and two-factor authentication features on Microsoft Authenticator will continue to work as normal.
It all comes as tech firms shift away from the dreaded password which are easily hacked, due to common mistakes like re-used passwords or easily guessed terms.
By comparison, passkeys can’t be guessed and they’re impossible to re-use too.
A number of tech companies such asGoogleare shifting people from passwords to passkeys.
SHOULD I SWITCH TO PASSKEYS?
Here’s what security expert Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, told The Sun…
“Passwords are both hard to remember and in most cases, easy to guess.
“I would venture to say that most users (especially older users) will reuse passwords, simply because of all of the websites and apps that require sign-ins.
“While password managers do help, they are at best, a stopgap measure and do not offer full-ranging security for your login information.
“Passkeys offer the advantage of eliminating the need to enter an email address and password to log in.
“This is especially handy when users are logging in on an iPhone or Android device.
“Passkeys have multiple advantages over passwords. Passkeys cannot be shared or guessed.
“Passkeys are unique to the website or app they are created for, so they cannot be used to login elsewhere like a reused password can.
“Plus, passkeys cannot be stolen in a data breach, as the passkeys are not stored on the company’s servers.
“But are instead are a private key stored only on your device, where biometric authentication (like face ID or Touch ID) is required to use the passkey.”
M&S has issued a major cyber attack update revealing that customers information has been stolen.
The retail chain is still scrambling to keep stores running as the fallout continues.
1
In a statement posted on Instagram, M&S said: “As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken.
“Importantly, there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.
“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.
“Everyone at M&S is working around the clock to get things back to normal for our customers as quickly as possible, and we are very sorry for any inconvenience they have experienced. Our stores remain open as they have throughout.
“Thank you for shopping with us and for your continued support, we are incredibly grateful.”
