SALLY HAMILTON: I defend readers who’ve been badly treated by companies – but I lost £4,000 to fraudsters myself. Here’s how YOU can avoid making same the mistakes

I may be the Daily Mail’s consumer champion and spend my days helping readers who have been mistreated by companies and organisations – but I am also a consumer and learned some tough financial lessons last year.

I want to share them with you in case it helps you to avoid falling into the same traps. I am more than happy to wave goodbye to 2024 – the year that was bookended by two big personal financial calamities.

It began with a flood in our house that led to disruption for nearly nine months, including a four-month spell in rented accommodation, and a six-figure repair bill. It ended with a fraudster going on a £4,000 spending spree on my credit card.

But I step into 2025 an optimist as it could have been a lot worse. While both incidents were stressful and consumed much of my spare time resolving, I’m happy I ended up not a penny out of pocket – apart from a £500 policy excess to pay on the claim and an insurance premium that doubled at renewal.

Our home insurer – Zurich – met our water damage claim in full and Amex reversed the fraudulent spending charged to my credit card. The companies were not told what I do for a job – so a pat on the back to them for providing top customer service.

But I did learn important lessons which I hope will serve readers, too.

Four pipe leak lessons

1. Locate your stop valve

To avoid a serious post-holiday dampener, I urge householders to tell anyone looking after their home how to turn off the water. We were on a trip to Australia when a pipe burst in our first-floor bathroom, with water cascading into the kitchen, hall, sitting room and cellar for four days.

The flooding only ended when my son-in-law happened to come to stay overnight. He had to wake us in the middle of the night for instructions on how to turn off the water.

2. Check for policy exclusions

Most insurers put a limit on how long you can keep a home empty without invalidating cover. We didn’t think about this when we booked our 35-day trip, since our youngest daughter was still living with us.

She was there almost all the time, apart from one long weekend, which as luck would have it, coincided with the pipe bursting. Our cover says we may leave our home unoccupied only 30 days, or a claim may be denied. Fortunately, our daughter was able prove she was also living there via receipts for online deliveries.

3. Claim back water bills

We only know how long the water had been escaping for because we later checked our Thames Water account online. We have a smart water meter measuring how much we consume and a graph on the account showed a massive leap starting on a Thursday afternoon, only falling again the following Monday, the moment our son-in-law found the stop cock.

The total that drained away was a shocking 90,000 litres. Wording on our account suggested they thought we ‘may’ have had a leak. Really? A phone call or text alert would have been more useful for both us and the environment.

I put this to the firm. A Thames Water spokesman says: ‘Our smart meters play a critical role in locating customer side leaks, which account for around a third of leakage on our network. Smart metered customers can view their latest water usage by logging in to their customer account.

‘Should water usage indicate a leak, we’ll share a warning message when they log in. However, we’re always looking at ways to improve our communications, and continue to look at new ways to better communicate suspected leaks to our customers.’

On the plus side, in cases like ours, Thames Water reimburses the cost of the lost water, for the first time, at least. Our claim saved us £250.

4. Keep calm and soldier on

When a flood strikes, a home needs to be dried out before repairs can begin. But first there must be safety checks, including for damaged electrics and dangers such as asbestos. This takes time and can be stressful. When the drying started we had 11 heaters and dehumidifiers humming constantly for three weeks. I had to learn it takes as long as it takes.

Two fraud lessons

1. You’ve not got mail

I learnt that it pays to be suspicious if your email goes silent for a long period. When on a Saturday in November I stopped receiving personal emails, I wasn’t initially alarmed. I just thought my provider’s server was down.

But a few hours later – when still no emails came – I got anxious. I normally receive at least 50 a day from friends, family, news outlets and retailers (confirming orders and deliveries as well as promotions – which were burgeoning in the run up to Christmas).

I tried to log on but my password wasn’t recognised despite several attempts. I contacted customer service to see what was up. After 45 minutes on hold, they did not explain why my account had been locked, but simply advised me to change my password and try again. This seemed to work. But the next day the same thing happened, and my emails stopped arriving. The account had been locked again.

I changed my password once more. When I was shut out a third time, I got seriously concerned.

Then a neighbour who had sent an email to our group chat dropped in. He said he’d received a strange bounce-back after emailing me as part of a joint missive. The message said a person called Eric Manny could not be reached – his own internet search suggested the mystery emailer shared a name with a famous Nigerian singer. I certainly don’t know anyone of that name. 

This set alarm bells ringing. I realised it wasn’t just some technical problem with my email but that I had been hacked and somehow the scoundrel had stopped me accessing my mailbox.

Instead of waiting on the helpline again, I looked for guidance on the provider’s website. Signs of a hacked email include weird names appearing on a contacts list and the setting up of automatic forwarding to an unrecognised email. Sure enough, I found several gobbledegook contacts had been inserted into my address list, and my emails were being forwarded to ‘Eric Manny’.

As instructed by the guidelines, I deleted the rogue names and changed my password yet again. This finally seemed to work and my email went back to normal.

2. Soaring credit card bills

No harm had been done from the email hack, other than to my frazzled nerves. Or so it seemed. Then, about a week later I was checking my credit card account for an anticipated reimbursement from a delayed train journey.

To my horror, I found three transactions I didn’t recognise for John Lewis online amounting to £4,000 – all made on my Amex card from an Apple Pay account. I do shop online at John Lewis, but I do not use Apple Pay, a digital wallet that lets users add their credit cards so they can shop with their smart phone.

When I reported the fraud, Amex was polite and reassuring. The agent then asked if I had given away any One-Time-Passcodes. These are the codes Amex sends to check it is the genuine card holder making an online purchase. Customers receive an OTP via text and/or email.

Each four-digit code is valid for only ten minutes and must be tapped into their device. If it is not used or is input incorrectly, the transaction will not go ahead. A customer can request another code if they mistype it or leave it too long to use.

I had only received one OTP in the preceding weeks – for a genuine purchase of a microwave from John Lewis. I now suspect others sent out had been intercepted by fraudsters via my hacked email. What I couldn’t fathom was how my card details had fallen into their hands. Amex made no comment but cancelled my card and said its fraud team would investigate.

A few days later I checked the account and saw the rogue payments had been reversed. Amex simply described the purchases as ‘fraudulent transactions’ and said nothing further.

Fortunately, Amex offers customers protection against such cheats, guaranteeing to reverse fraudulent transactions so long as customers notify it as soon as they spot them.

Readers, check your bank and credit card accounts regularly for suspicious payments. Also, add two-factor authentication (2FA) to make everything from email to banking more secure from hackers and fraudsters. 2FA could be a password or personal identification number (PIN) first, with a code sent to your phone or email as the second level of security. Additional measures can include facial or fingerprint recognition. And do not tap in OTPs unless you are sure they are for a genuine transaction.

Periodically change your passwords in case your details have fallen victim to a data breach.