A COUPLE of days before I went on holiday I woke up to a text message from my bank. They’d spotted an unusual payment on my account – someone had taken 83p at 2am – and wanted to know if it was me. Given I’d been fast asleep, the answer was clearly no. I texted back and found myself put through their fraud department.

It turned out the payment was via a company I have an account with in California. They checked out, though I hadn’t made any such payment. The fraud officer explained what sounded like an increasingly familiar problem – legitimate companies testing that payment details are working by charging and reimbursing a small amount.

However, this is the same pattern as when someone has got access to your bank details – taking a small amount to see if you notice and clearing the account out if you don’t. Given the time difference, there was no way I could check in with the Californian company for at least another ten hours. So on the bank’s advice I cancelled my card. Thankfully, the replacement came on the morning I was going away: by which point, I’d contacted the company in question, who apologetically confirmed the payment was theirs.

A couple of days before the end of my holiday, I started getting messages on my phone. I try to have a break from social media when I’m away, so was surprised to be getting messages from Facebook and Instagram, telling me that I’d updated my passwords. Not only that, but on Instagram they were happy to confirm I’d changed my name to Izabella. No, I didn’t think it quite suited me either, so got in touch with Instagram to change everything back.

As the next few days continued, it was clear that someone had got access to some of my internet account details: eBay, Microsoft and EA Games, as well as other gaming sites I don’t even have accounts with were some of the others to check I really wanted to change my password and username. Slowly, painfully, laboriously, I updated my passwords again and again, setting up two-step verifications and authenticator apps to try and shut her out. Whoever Izabella is – and the only thing I know about ‘her’ is that (unsurprisingly?) she has a Russian email address – she’s persistent. Over the last three days, she has attempted to get into my Facebook account a dozen times.

At the time of writing, nothing has been taken and no messages have been posted: quite what Izabella is up to, who knows. But it’s been an unsettling, salutary experience – and instructive, too, in terms of how far your personal details are protected (or not) online.