Which? raises the alarm over a convincing SMS phishing – or ‘smishing’ – scam text claiming to be from DPD.
The text appears to be from DPD, informing the recipient that a delivery attempt was made and asking them to follow a link to arrange redelivery. The link takes you to a convincing DPD copycat website asking for personal details and a small fee for ‘redelivery’.
It was so convincing that the only giveaways were the layouts of the dates and the fact we were blocked from taking screenshots of the copycat website.
DPD parcel delivery scams
Dodgy dates and blocked security
The date format on the copycat website was the main giveaway. The apparent ‘parcel’ was in the depot on ‘-1 August’ and ‘0 August’. The order of the delivery descriptions also didn’t make sense.
We also noticed something was wrong when we couldn’t take a screenshot on the device we were using. Some security measures on the copycat website were blocking us from doing so.
If you’ve received a suspicious text, don’t follow any links. We followed the link only to learn about the scam and to report it.
Why text scams are so prevalent
Three in five of us have received a fake text claiming to be from a delivery company in the past year, according to Which? research carried out in June. The scams most reported to our Scam Sharer tool were fake Royal Mail delivery texts.
Text messages are frequently used by scammers because sending them doesn’t rely on an internet connection, like a WhatsApp message does, and they don’t have to pass a spam filter like an email. Texts are also less likely to be missed, and many legitimate organisations use text messages to contact customers.
As part of our research into scam texts, we set up four new phones with fresh Sim cards to see if they would receive scam messages. Out of the four phones, two received a scam text in the first two weeks.
When we reported the scam text to DPD, it told us that notifications on its ‘Your DPD’ app act as a safe alternative to text and email notifications, but that it still uses email and text notifications for recipients who haven’t downloaded the app.
DPD said: ‘We continue to stress that only emails sent from one of three DPD email addresses are genuine, these are dpd.co.uk, dpdlocal.co.uk and dpdgroup.co.uk.
‘With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/. We have worked with Action Fraud and regional police focus in the last couple of years on awareness campaigns and will continue to do so.’
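DPD's advice to check that links point only to www.dpd.co.uk or www.dpdlocal.co.uk can be automated, for instance in a message filter. The sketch below is an added example, not code from Which? or DPD; the function names, the HTTPS-only and port rules, and the sample message are assumptions made here.

```python
import re
from urllib.parse import urlsplit

# Hosts named in DPD's statement as the only legitimate link targets.
ALLOWED_HOSTS = frozenset({"www.dpd.co.uk", "www.dpdlocal.co.uk"})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_allowed_dpd_link(url: str) -> bool:
    """True only when the URL's host is exactly an allowed DPD host."""
    # Backslashes and whitespace are parsed differently by browsers and
    # libraries, so refuse them rather than guess which host would load.
    if any(ch in url for ch in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":    # assumption: stricter than DPD's wording
        return False
    if parts.username is not None or parts.password is not None:
        return False               # e.g. "https://www.dpd.co.uk@other.example/"
    if port not in (None, 443):    # assumption: only the default HTTPS port
        return False
    host = (parts.hostname or "").rstrip(".")
    # Exact match: no suffix, prefix or substring test, so lookalikes such
    # as "www.dpd.co.uk.redelivery.example" fail.
    return host in ALLOWED_HOSTS

def flag_links(message: str) -> list[str]:
    """Return every http(s) link in a message that is not an allowed DPD link."""
    return [u for u in URL_RE.findall(message) if not is_allowed_dpd_link(u)]

# Constructed sample message; the .example hosts are reserved placeholders.
SAMPLE_SMS = (
    "DPD: we tried to deliver your parcel. Rearrange at "
    "https://www.dpd.co.uk.redelivery.example/pay or track at "
    "https://www.dpd.co.uk/tracking"
)

if __name__ == "__main__":
    for link in flag_links(SAMPLE_SMS):
        print("not a DPD host:", link)
```

The check compares the whole hostname, so a message that merely contains "dpd.co.uk" somewhere in its link is still flagged.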
How to protect yourself from text scams
- Don’t follow any links: The most effective way to avoid text scams is to ignore links. Clicking on links could lead you to download malware and malicious software.
- Don’t share personal information: Treat all messages requesting sensitive information with suspicion. Legitimate organisations will never text you to ask for your personal or banking details.
- Contact the organisation directly: If you’re unsure, contact the company that claims to have sent it. Use the official contact details listed on their website.
- Don’t reply: Replying to a fake text, calling the number or clicking suspicious links only lets scammers know your number is being used.
- Report it: You can report fake texts by forwarding the message to 7726, which is a free reporting service provided by phone operators. This information is then shared with police and intelligence agencies.
If you’ve recently encountered a scam, you can help our scams research and our work to prevent them by using the Which? scam sharer tool.