We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

News.

When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

21 Dec 2021

Royal Mail delivery text scam exposed: how a scammer tried to take £4,000

Watch our exclusive video to see what happens if you follow a scam delivery text

Scammers impersonating Royal Mail have been targeting unsuspecting shoppers with phoney delivery text messages.

This year Which? has been inundated with reports of delivery text scams. More than 2,000 delivery text scams have been logged in our scam sharer tool this year, and over a quarter of them are fake Royal Mail delivery texts.

Our research also found earlier this year that three in five of us have been targeted by scam delivery texts.

Now that we're in the full throes of delivery season, it's no surprise that scammers are taking every opportunity to catch victims out.

While we would never recommend engaging with a scam text message, we went along with one of these Royal Mail delivery text scams to show you what happens.


Sign up to free Which? Scam Alerts and outsmart the scammers.


Royal Mail text scam

The scam text message was from an unknown sender, it asked for payment of a delivery fee and included a link to a website to make that payment.

The website had a very similar look and feel to that of Royal Mail's, it even included links to Royal Mail's social media feeds.

Our reporter, Lucia Ariano, entered in some false details on the website and used a pre-paid card we'd set up with HyperJar, a prepaid card and money App.

Nothing immediately happened. But two weeks later, Lucia received notifications for multiple attempted payments, totalling more than £4,000.

The scammer attempted another barrage of payments over the next few days.

Unauthorised transactions

We spoke to HyperJar about these dodgy unauthorised transactions and what it's doing to prevent them.

HyperJar explained that it has a number of controls in place to monitor suspicious activity and prevent unauthorised transactions. In this instance, its systems did stop the scammers from moving any money from this HyperJar account.

It added that its push notifications to customers for any transaction helps prevent money from being taken and that no payment will go through without sufficient funds - there is no way to go into an overdraft, or spend money that isn't in the account.

HyperJar advised that its should customers should freeze their card the moment they see a notification about a spend they don't recognise, adding that it's easy to unfreeze the card if it turns out to be legitimate.

When we looked at HyperJar's website, we found insufficient information advising its customers on what action to take if they spot an unauthorised transaction. Although we did find information related to the Terms and Conditions that HyperJar would reimburse under for unauthorised transactions.

HyperJar acknowledged the need to improve the information on fraud and unrecognised transactions on its website and in its FAQs. It is working on adding this information to its website.

How to avoid a text scam

  • Don't follow any links - the most effective way to avoid text scams is to ignore links. Clicking on links could lead you to download malware and malicious software.
  • Don't share information - treat all messages requesting sensitive information with suspicion. Legitimate organisations will never text you to ask for your personal or banking details.
  • Only use official contacts - if you're unsure, contact the company that claims to have sent it. Use the official contact details listed on their website. Don't reply Replying to a fake text, calling the number or clicking suspicious links only lets scammers know your number is being used.
  • Report it - you can report scam texts by forwarding the message to 7726, which is a free reporting service provided by phone operators. This information is then shared with police and intelligence agencies.

Stopping text message scams

We reported this scam to Action Fraud, but scammers will continue to find ways to con people out of money, and sadly these scam delivery text messages can be fruitful. The way that legitimate companies use text messages to communicate with customers makes it far too easy for scammers to impersonate them.

We reported this particular scam to Royal Mail, and it said:

'We remind our customers that Royal Mail will only send email and SMS notifications in cases where the sender has requested this when using our trackable products that offer this service. In cases where customers need to pay a surcharge for an underpaid item, we would let them know by leaving a grey Fee To Pay card.

'We would not request payment by email or text. The only time we would ask customers to make a payment by email or by text is in some instances where a customs fee is due. In such cases, we would also leave a grey card telling customers that there's a Fee to Pay before we can release the item.

'Royal Mail works hard to prevent and detect fraud. We work with UK law enforcement agencies, Trading Standards and other organisations to share information and support robust proactive action against scams. We report any offending sites and suspicious numbers to the appropriate authorities as soon as we are made aware of them.

As well as providing useful help via our customer services channels, customers looking for additional advice on how to spot a fake notification by visiting our website at www.royalmail.com/scamprotection. Here they can view examples of scams, and get advice on taking appropriate action.'

Which? is urging banks, delivery companies and other organisations to review the way they use texts to reduce the risk of impersonation by scammers. Our guide for best practice text message communication includes calls on businesses to:

  • Protect SMS sender ID; the sender name displayed on the text
  • Don't ask for personal information via text and partially hide any personal information necessary to include
  • Don't include numbers for customers to call back
  • Avoid links and generic URL shorteners