Three in five (61%) of 2,006 people Which? surveyed in May told us they had received a fake text claiming to be from a delivery company in the past year.
The scam most often reported to Which?’s Scam Sharer tool in the past three months has been fake text messages – also known as ‘smishing’ or SMS phishing – from Royal Mail.
The texts warn that a parcel couldn’t be delivered and that a small fee was due, linking to a convincing copycat Royal Mail website requesting payment details. Victims told us they were later called by scammers trying to trick them into sending large sums of money.
Fortunately, four out of five people surveyed who received a scam delivery text said they realised it was fake straight away. But for those caught out, the financial and emotional impact can be devastating.
There’s a good chance you’ve received a text message recently about a delivery you weren’t expecting. Scam texts aren’t new, but in a year where shopping online and receiving deliveries at home has become the norm, fraudsters have jumped on the chance to fake messages from couriers.
The resurgence in scam texts that could lead to your bank account being cleared out has been fuelled by fraudsters quick to exploit our reliance on online shopping during the pandemic.
These fake text (SMS) messages act as convincing lures into more complex scams designed to wipe out your bank account. With only simple text, a URL, a sender ID and few other clues to work from, can you really tell whether it’s fake?
‘I was almost scammed twice by the same fraudsters’
When Which? member Jon received a text claiming to be from Royal Mail asking him to pay £2.99 for a delivery, it wasn’t totally unexpected. He was waiting for an Amazon order and the fee sounded right.
He followed the link in the text that took him to a perfect copy of the Royal Mail website, where he was asked for his details. ‘I would never normally give my bank details to anyone, but the website was so genuine looking. I did everything you’re supposed to, including checking if the URL was right. The scammers just caught me at the wrong time,’ Jon said.
A couple of days later, Jon received a call to his mobile from Barclays. The friendly sounding caller said that a direct debit had been set up for £500 and asked if it was genuine.
Jon knew he’d been stung by the fake Royal Mail text, but didn’t realise he was talking to the same scammers. They had spoofed their number as ‘Barclays.’ But when they said Jon needed to download the Barclays banking app, alarm bells started to ring.
Jon called Barclays. It confirmed the call he’d received was another attempted scam. If he’d downloaded the app, the caller would have tried to persuade him into handing over access codes to unlock his account.
- Find out what you can do if you’ve been a victim of a scam.
Why text messages are an effective tool for scammers
This resurgence in text scams might seem surprising considering the decline of SMS in favour of alternatives such as WhatsApp. Complaints to Ofcom about nuisance messages peaked around 2015 and saw a steady decline until very recently.
Almost 30 years since the first SMS was sent, it’s still a cost-effective and reliable way for companies to get a direct line to customers. Texts don’t require data or a wi-fi connection, and are simple and accessible – emails are easier to miss and risk being caught by spam filters, and phone calls from unknown numbers can be blocked.
It’s perhaps no surprise that large organisations who use them legitimately, such as banks and delivery companies, have become prime targets for being impersonated by scammers. And during the past year, SMS has been an essential contact method of government and NHS services too.
Being careful about who you hand out your number to is no guarantee of avoiding these scams either. As part of our research, we set up four new Sim cards on the UK’s big four network providers – EE, O2, Three and Vodafone. The numbers were never shared with anyone, yet two out of the four received at least one scam text message in just a two-week period.
Text messages claiming to be from couriers are also spreading harmful malware. Spyware known as FluBot has been circulating through a message claiming to be from the delivery company DHL, which once downloaded could access sensitive information on your device.
- Read our guide on how to spot text message scams.
Sim farms and bulk messages
If being careful about who gets your number doesn’t stop scams, how do they end up on your phone? It’s mostly random. At a basic level, scammers can use computers to generate combinations of numbers and send messages in bulk using ‘Sim farms’ – devices that operate several Sim cards at a time.
The equipment and software is available online, and anyone can pick up cheap pay-as-you-go Sims with unlimited free texts.
Numbers are often masked or ‘spoofed’ with other numbers to avoid detection – so your phone might say you’ve received a text from Royal Mail, when it’s actually a scammer.
Fraudsters can also source numbers leaked in data breaches. Leaked personal details are traded on the dark web, with numbers harvested by web forms often dressed up as surveys and competitions – including those that can be found circulating on social media.
It’s also relatively straightforward to set up a convincing clone of a courier’s website to trick you into believing the link in the text is real. Similar looking domain names can be bought and set up cheaply and there are little to no checks on who is behind them and how they’re being used.
Although it’s thought most of these scams are carried out by a small number of organised groups, lone fraudsters operating from home have been increasingly busted recently.
- Find out how to spot a copycat or fake website and stay one step ahead.
Tackling the problem
We spoke to Royal Mail about the issue, and it said it’s working with the police, Trading Standards and other organisations to share information and support action against scams. It confirmed that it never requests payments via text or email. If there is a charge, you should expect to receive a grey ‘Fee to pay’ card delivered to your address, with details of how to collect the package.
DPD said it increasingly uses its ‘Your DPD’ app to communicate with parcel recipients. It said: ‘We advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/.
Hermes told us it never asks for payment for redelivery and advises customers to be vigilant. DHL didn’t respond to our questions.
We think couriers could do more to raise awareness of these scams, and find better ways to communicate with customers using text messages. Registering a recognisable sender ID would be a start – although new spoofing techniques are able to disguise texts as being from genuine IDs on smartphones.
More effective still would be making it standard practice not to include external links or payment requests in text messages.
The recent smishing explosion shows that little progress has been made to deal with the issue by the telecoms industry. The UK is lagging behind other countries in adopting a modern and more secure telephony system, and while infrastructure upgrades might improve things, more needs to be done to reduce risks for customers in the meantime.
Networks say this is a challenge, but cybersecurity firm Red Maple Technologies believes it’s possible to identify and block harmful messages with the tech available today. It was able to create a simple app in just a few days that screens text messages based on a number of factors, including whether an included URL matched the company’s real website.
With further testing, the experts were confident these measures could be brought in at network level to stop malicious texts reaching customers.
On behalf of the UK’s network providers, trade body Mobile UK told us: ‘As an industry, we’ve been taking action to fight the scourge of spam texts for many years. We’re committed to working with Ofcom, the Information Commissioner’s Office and law enforcement agencies to reduce the threat that nuisance texts pose to the public.’
Currently, it’s falling to fraud and intelligence agencies to tackle the problem, although we found it hard to get answers on how. In May, eight arrests were made in connection with fake Royal Mail texts – a positive step, but the scale of this issue suggests far more needs to be done.
Last year the National Cyber Security Centre (NCSC) launched its Cyber Aware campaign, which promises to tackle malware traps and phishing attempts.
Your money at risk
As bank security tightens, fraudsters are increasingly manipulating victims into transferring money directly to them. When it comes to recovering this money, things can become complicated. When an account holder makes a transaction, it’s considered ‘authorised.’
Although many banks promise to reimburse blameless victims of this kind of fraud by signing up to the voluntary authorised payments code, banks might challenge customers if they think you didn’t take precautions.
Payment platforms such as PayPal have different policies and your money may not be protected at all. A last resort would be to complain to the Financial Ombudsman. The lack of innovation in the industry as well as the passing of responsibility means people need to take matters into their own hands.
Staying informed about the ever-changing ways that scammers operate, and being wary of texts you receive are the best ways to protect yourself. Get updates on the latest scams by signing up for our free Scam Alerts service.
Sharing experiences with friends and family is also important. You can report scam texts to your network provider by forwarding it to 7726. Your reports may be shared with intelligence agencies and police.
How can I protect myself from text scams?
- Don’t click on links in text messages. If a text asks you to take immediate action, take a moment to think. Delivery companies usually only text you to share tracking information and don’t ask for upfront payments.
- Don’t reply to suspicious texts, or call the number. This only confirms to the scammers that your number belongs to someone. As a result you might get targeted by more text and cold call scams.
- Contact the sender if you’re concerned. Call your bank directly through its customer service line, or
- Use messaging apps to talk to friends and family. If you have a smartphone, consider using a more secure app like Whatsapp for your day to day messaging. Take the text messages you receive with a pinch of salt.
You can also use our Scam Sharer tool to tell us about the fake texts you’ve received.