The EE Points scam is a smishing (SMS phishing) and phishing campaign that impersonates EE — the UK’s largest mobile network — to steal customers’ personal information, account credentials, and payment card details. The scam operates by sending unsolicited messages that appear to come from EE, claiming the recipient has accumulated reward points, earned a loyalty bonus, or won a prize that will expire unless they take immediate action.

The EE Points scam is part of a broader category of telecommunications impersonation fraud that has grown significantly in recent years. According to data published by UK Finance, impersonation fraud — in which criminals pretend to be from trusted organisations including banks, utilities, and telecommunications providers — accounted for hundreds of millions of pounds in losses to UK consumers in recent years. The EE Points scam represents one of the most active and widespread variants within this category.

What makes the EE Points scam particularly dangerous is how technically sophisticated it has become. Fraudsters use sender ID spoofing to make their fake texts appear in the same message thread as genuine EE communications on the victim’s phone. The fake websites they create are near-perfect replicas of EE’s official portal, complete with the correct logo, colour scheme, and navigation structure. At first glance — and even on careful inspection — the EE Points scam is extremely difficult to distinguish from a genuine EE communication. The same brand-impersonation playbook drives our imposter scam warning signs guide.

Almost every EE Points scam follows the same six-stage pattern, from the spoofed text arriving in your real EE thread to the moment your bank and EE accounts are exploited.

Step 1: The Fake Message Arrives

The EE Points scam begins when the victim receives an unsolicited text message, email, or WhatsApp notification. The message is carefully written to mimic the tone, language, and formatting of genuine EE communications. A typical EE Points scam message reads something like: “EE: You have 500 reward points expiring today. Claim your free gift before midnight: [link]” or “Your EE loyalty bonus of £35 is ready to claim. Don’t miss out — offer expires in 24 hours: [link].” The message creates immediate urgency through expiry deadlines and time pressure — classic social engineering tactics that discourage the recipient from pausing to verify the communication before clicking.

Step 2: Sender ID Spoofing Makes It Look Genuine

One of the most technically sophisticated aspects of the EE Points scam is the use of sender ID spoofing. In the UK, SMS sender IDs — the name or number that appears at the top of a text message thread — can be spoofed relatively easily using commercially available messaging services. The EE Points scam operators set the sender ID to “EE” or “EE Network”, which means the fake message appears in exactly the same text thread on the victim’s phone as genuine EE messages about bills, service updates, and plan changes. A victim who looks at their message thread and sees a history of genuine EE texts followed by the fraudulent message has every reason to believe the new message is also genuine. The spoofed sender ID is not a flaw in the victim’s judgement — it is a deliberate technical deception.

Step 3: The Convincing Fake Website

Clicking the link in the EE Points scam message takes the victim to a website that closely replicates EE’s official online portal. The fake site uses EE’s logo, brand colours, and page layout. The URL is designed to look plausible — it might be something like “ee-rewards.co.uk”, “claim-ee-points.com”, or “ee-loyalty-bonus.net” — close enough to the official “ee.co.uk” domain to seem credible at a casual glance, particularly on a small mobile screen where the full URL may not be visible. The fake site presents the visitor with a reward claim form. Depending on the variant of the EE Points scam, this form may ask the visitor to log in with their EE username and password, enter personal details to verify their identity, provide a delivery address for a physical prize, or enter payment card details to cover a small delivery or administration fee.

Step 4: Credentials and Card Details Are Harvested

Every piece of information entered on the fake website is captured by the EE Points scam operators in real time. Login credentials are used immediately to access the victim’s genuine EE account — where the scammer can view personal information, upgrade devices to be sent to a different address, take out new contracts, or accumulate charges. Card details are used to make fraudulent purchases, often at online retailers where card-not-present fraud is easier to commit. In more sophisticated variants of the EE Points scam, the fake website operates a real-time man-in-the-middle attack: it passes the credentials the victim enters directly to the genuine EE login portal, captures the OTP that EE sends to the victim’s phone, asks the victim to enter that OTP on the fake site under the pretext of verification, and then uses it immediately to authorise account changes or transactions on the real EE account.

Step 5: The Victim Receives a Thank You Page

After submitting their details, the victim of the EE Points scam typically receives a thank you page confirming their reward claim has been submitted. They may be told to expect their gift within 5 to 7 working days. This delay gives the scammer time to exploit the stolen information before the victim becomes suspicious. When no reward arrives, many victims assume there was an administrative delay rather than immediately recognising they have been defrauded.

Step 6: The Damage Emerges

The full impact of the EE Points scam typically becomes apparent when the victim notices unauthorised charges on their bank statement, receives an EE bill for services they did not authorise, is told by EE that their account password has been changed, or discovers that a new device has been ordered on their account at a different delivery address. By this point, significant damage has already been done — and reversing it requires urgent action across multiple fronts. The same delayed-discovery pattern is documented in our bank impersonation phone scam guide.

The EE Points scam adapts to whichever channel can reach the customer — SMS smishing with sender ID spoofing, email phishing, WhatsApp notification, OTP man-in-the-middle, or a fake customer service line. These are the five most reported variants.

The Spoofed Thread Victim

The EE Points scam succeeds against careful customers because the fake text drops into the real message thread. A woman in her forties received what appeared to be an EE text in her existing EE message thread — the same thread where she received her monthly bill reminders and service notifications. The message told her she had 750 reward points expiring at midnight and directed her to click a link to claim a free smartwatch. Because the message appeared alongside genuine EE texts she had received over two years, she had no reason to doubt its authenticity. She clicked the link, was taken to a page that looked exactly like EE’s website, and entered her EE login details and the delivery address for her prize. Within two hours, her EE account had been accessed and a new iPhone had been ordered under a device upgrade, set for delivery to an address she did not recognise. The EE Points scam had cost her months of dispute with EE and significant personal stress before the fraudulent contract was reversed.

The Card Details Theft

The EE Points scam reaches younger, digitally fluent customers through email. A young professional received an email claiming to be from EE telling him his loyalty bonus of £40 was ready to redeem. The email looked genuine — it used EE’s logo, the correct font, and familiar email layout. It asked him to click a link and enter his card details to cover a £1.99 delivery fee for his gift. He entered his card details, received a confirmation page, and thought nothing more of it. That evening he received bank alerts for three unauthorised transactions totalling £847 from online retailers he had never used. He reported the fraud to his bank and had the transactions disputed, but the process took over three weeks during which his card was frozen. He described the EE Points scam as “the most convincing fake email I have ever seen — I had no idea it wasn’t real.”

The Elderly Grandfather

The EE Points scam exacts its greatest harm on older customers who may be less familiar with sender ID spoofing. A grandfather in his mid-seventies received a text message about expiring EE Points. His grandson — who helped him with technology — was not available, so he followed the instructions in the message independently, entering his EE login details and personal information on the fake website. He also entered his bank card details when the site asked for them to verify his identity for the prize delivery. Over the following week, his bank card was used for a series of online purchases and his EE account was used to take out a tablet contract at a different address. The total financial damage exceeded £1,400 before his family discovered what had happened and reported the EE Points scam to both EE and his bank. His bank recovered some of the funds under the Contingent Reimbursement Model code, but not all. The experience left him deeply shaken and reluctant to use his phone for online activity.

The EE Points scam has been the subject of repeated warnings from EE itself, from Action Fraud, from the National Cyber Security Centre, and from Ofcom — all of whom have published guidance specifically aimed at helping consumers recognise and avoid this type of telecommunications impersonation fraud.

EE has published official fraud awareness guidance on its website, explicitly stating that it will never ask customers to click a link in a text message to claim reward points, and that it will never request payment card details or passwords through unsolicited messages. EE encourages customers who receive suspicious messages to forward them to 7726 — the UK’s free SMS spam reporting service — and to contact EE directly on 150 to verify any communication they are unsure about. EE’s official fraud guidance is available at ee.co.uk/help/security.

Action Fraud — the UK’s national reporting centre for fraud and cybercrime — has documented the EE Points scam and similar telecommunications impersonation frauds extensively, noting that smishing attacks of this type are among the fastest-growing categories of consumer fraud in the UK. Action Fraud advises customers to report suspected fraud by calling 0300 123 2040 or online at actionfraud.police.uk.

The National Cyber Security Centre operates a free suspicious email reporting service and has published detailed guidance on recognising SMS phishing attacks. The NCSC specifically warns about sender ID spoofing — the technique that makes EE Points scam messages appear in genuine EE message threads — and advises consumers never to trust the apparent identity of a message sender when it arrives with a link and a request for personal information. Suspicious emails can be reported to the NCSC at report@phishing.gov.uk and suspicious websites at ncsc.gov.uk.

Ofcom — the UK’s communications regulator — has been working with mobile networks including EE to implement technical measures to reduce SMS sender ID spoofing, which is the core technical mechanism behind the EE Points scam. While progress is being made, the regulatory and technical solutions are not yet complete, meaning consumers must remain vigilant in the interim. Ofcom’s consumer guidance is at ofcom.org.uk.

Never Click Links in Unsolicited EE Messages

This is the single most effective rule for defeating the EE Points scam. If you receive any text message or email claiming to be from EE about reward points, a loyalty bonus, or a prize — regardless of how genuine it looks and regardless of whether it appears in your existing EE message thread — do not click the link. Go directly to the EE app or type ee.co.uk into your browser manually. If there is a genuine reward waiting for you, it will be visible in your account. If it is not visible in your account, the message was fraudulent.

Check the URL Before Entering Any Information

If you have already clicked a link before reading this guide, check the URL in your browser’s address bar before entering any information. The only legitimate EE web address is ee.co.uk. Any other domain — regardless of how similar it looks — is an EE Points scam phishing site. If the URL is not exactly ee.co.uk, close the browser immediately without entering anything.

Forward Suspicious Texts to 7726

The UK’s free SMS spam reporting service — accessed by forwarding suspicious texts to 7726 — is run by Ofcom and the mobile networks. Forwarding EE Points scam texts to 7726 costs nothing and helps the networks identify and block the fraudulent sender IDs and numbers being used. This takes less than ten seconds and contributes directly to reducing the volume of scam messages being sent to other customers.

Contact EE Directly to Verify

If you receive a message about EE Points or a loyalty reward and you want to verify whether it is genuine, call EE directly on 150 from your EE device. Do not use any number provided in the suspicious message — it may be a fake customer service line staffed by EE Points scam operators. EE’s genuine customer service team will be able to confirm immediately whether any reward is associated with your account.

Never Share OTPs to Claim a Reward

A one-time password sent to your phone is a security measure to protect your account. No legitimate reward claiming process will ever ask you to enter an OTP sent by EE. If a website asks for an OTP that you just received from EE, you are being subjected to a man-in-the-middle EE Points scam attack. Do not enter the OTP. Close the browser and call EE on 150 immediately. The same OTP-trap mechanic underpins our bank impersonation phone scam guide.

Educate Elderly and Vulnerable Family Members

Older adults are disproportionately affected by the EE Points scam because they may be less familiar with the technical deception involved — particularly sender ID spoofing — and more inclined to trust official-looking communications. Take time to explain to elderly parents, grandparents, and less digitally experienced family members that messages appearing in a genuine EE thread are not necessarily genuine, and that EE will never ask them to enter card details or passwords through a text message link.

If you have already clicked a link, entered information on a fake website, or discovered evidence that your account or card has been compromised through the EE Points scam, act immediately. Speed is critical in minimising the damage.