Trust in text messages is worryingly low, with seven in 10 of us not always trusting texts that claim to be from companies or organisations, Which? has found.*
Regulator Ofcom also reported a sharp rise in reports of suspected scam texts in 2020.
Delivery scams are the most common smishing attempts, according to data released by UK Finance and provided by cybersecurity firm Proofpoint. Proofpoint operates the 7726 service, to which fake text messages can be forwarded.
Over a 90-day period from May to July 2021, 53% of texts reported to the 7726 service were fake parcel delivery messages and 37% impersonated banks.
Which? is urging banks, delivery companies and other organisations to review the way they use texts to communicate with customers to reduce the risk of impersonation by scammers.
Here, we explain how text scams work, how you can spot them and what the industry can do to stop these scams from spiralling further out of control.
How delivery text scams work
Which? recently found that three in five of us have received a fake text from a parcel delivery company in the past year.
These scam texts falsely claim to be from couriers such as DPD, Hermes and Royal Mail. The message often warns the recipient that they’ve missed a parcel or that there’s an outstanding fee to pay.
Typically, it will include a link taking you to a copycat website that looks just like a company’s official website, where you’ll be asked to enter personal information and bank details, seemingly in order to retrieve your package.
But the details can then be used to lure you into further scams.
Many people caught out by scam delivery text messages have then been called by a fraudster pretending to be from their bank’s fraud department, in an attempt to manipulate them into transferring their money into a ‘safe’ account, when really it’s being stolen.
With most of us relying heavily on delivery services in the past 18 months, it’s no surprise that these schemes have proven to be lucrative for criminals exploiting the situation.
We’ve heard from thousands of people who’ve received these messages, many believing them to be real, and some of whom have consequently been conned out of thousands of pounds.
Scammers have been increasingly targeting victims through text messages and number spoofing, impersonating banks, courier companies, and government departments such as DVLA and HMRC.
Number spoofing and text scams
Most of us carry our phones wherever we go, and more and more businesses are turning to text messages as a reliable and efficient direct line to get in touch with customers.
A direct line to victims is also top of a scammer’s wish list.
Many scam texts are cleverly worded to make you think you need to take urgent action to secure your account or reschedule a missed parcel.
Fraudsters can even use specialised software to mask their generic number with the name of a company, which is called ‘spoofing’.
It allows the fake message to drop into a real message thread. For example, in the image below, a fraudulent text is in the same thread as legitimate texts from Hermes.
This makes it extremely difficult to tell if it’s fake.
Alarm bells should ring when a message asks you to hand over bank details or to make a small payment.
Industry slow to respond
These are old problems and, despite networks taking steps to address them in recent years, the industry is still one step behind the criminals.
Scammers now craft their messages so cleverly that they don’t even need to use an organisation’s name or number.
Mobile UK said that it’s ‘committed to working with Ofcom, the ICO and law enforcement agencies to reduce the threat that nuisance calls and texts pose to the public.’
Regulator Ofcom told us that it’s taking the problem ‘very seriously’ and is in constant communication with mobile networks to check they’re taking action to protect customers from scammers abusing their services.
It assured us that work is ongoing, but technically difficult, and there’s no quick fix. It said it’s difficult to share details because of the risk of scammers learning how to outwit new methods.
Texts reported to 7726 are analysed by the National Cyber Security Centre (NCSC), which is working to remove malicious websites associated with scam texts, and gathering intelligence that could prevent this kind of fraud.
- If you’ve received a text message you suspect is a scam, tell us about it using our Scam Sharer tool.
Staying safe from text scams
Be suspicious if a text comes from a mobile number and doesn’t have a named sender ID. It’s a red flag if a text message makes an unexpected, urgent request, for example warning you to update personal or payment details.
The best way to avoid text scams is not to click on links sent in text messages. If you’re worried about a warning you’ve received, approach the organisation that sent it directly and ask if the message is real.
Text message best practice
The way that some organisations and businesses communicate using texts makes it easy for scammers to impersonate them.
Which? has released a best practice guide to help businesses better protect their customers, including:
- Protect SMS sender ID; the sender name displayed on the text
- Don’t ask for personal information via text and partially hide any personal information necessary to include
- Don’t include numbers for customers to call back
- Avoid links and generic URL shorteners
Organisations that have signed up so far include Barclays, DPD, Hermes and TSB.
*A survey of 2,006 people in May 2021.