Three in five people have received at least one fake delivery text during the last pandemic year – when online orders peaked in lockdown, new research suggests.
Which? questioned more than 2,000 people in May and found that 61% had been on the receiving end of a text from a fraudster at a time when many were relying on ecommerce deliveries. Of those, 79% said they realised it was fake, but 3% lost money to the scam.
Fraudsters have posed as couriers and delivery companies as they try to trick people into handing over their bank details via text.
The scam most often reported to Which? over the past three months has been fake text messages – also known as ‘smishing’ (SMS phishing) – pretending to be from Royal Mail. Of those surveyed who said they received one or more scam texts, seven in ten (70%) received the Royal Mail scam text.
Those who click on the message see a request for a small payment for a parcel to be delivered, linking to a copycat Royal Mail website. Those who fell for it were then called by scammers who tried to trick them into sending large sums of money. DHL, DPD (both 32%) and Hermes (31%) were the other most commonly impersonated companies.
Text messages claiming to be from couriers can also spread harmful malware. Spyware known as FluBot has been circulating through a message claiming to be from the delivery service DHL, which once downloaded could access sensitive information on your device.
Which? also conducted its own experiment, setting up four new SIM cards on the UK’s big four network providers – EE, O2, Three and Vodafone. The numbers were never shared with anyone but two out of the four received at least one scam text message in just a two-week period.
Which? says that scammers use computers to generate combinations of numbers and send messages in bulk using ‘SIM farms’ – devices that operate several SIM cards at a time. The equipment and software is available online, and anyone can pick up cheap pay-as-you-go SIMs with unlimited free texts.
Numbers are often masked or ‘spoofed’ to avoid detection – so your phone might say you have received a text from a delivery company, when it’s actually a scammer.
Which? believes the onus is now on delivery companies to find better ways to communicate with customers using text messages and do more to help raise awareness of scams and says that consumers would be better protected if it became standard practice for certain types of companies, such as banks, not to include links or payment requests in text messages – although this may not be possible in all cases.
Adam French, Which? consumer rights expert, says: “Our research shows how fraudsters have bombarded Britain with scam delivery texts on an industrial scale as they try to exploit the unprecedented conditions of the pandemic.
“Couriers and the telecoms industry must take further steps to protect consumers, by making it harder for fraudsters to exploit systemic weaknesses to reach potential victims, and by making people more aware of how to spot such scams. In the meantime, people can sign up to Which?’s scam alert service to keep themselves, their friends and family informed about the latest tactics used by fraudsters.”
A Royal Mail spokesperson says: “We remind our customers that Royal Mail will only send email and SMS notifications in cases where the sender has requested this when using our trackable products that offer this service. In cases where customers need to pay a surcharge for an underpaid item, we would let them know by leaving a grey Fee To Pay card. We would not request payment by email or text. The only time we would ask customers to make a payment by email or by text is in some instances where a customs fee is due. In such cases, we would also leave a grey card telling customers that there’s a Fee to Pay before we can release the item.”
DHL said: “We’re alerting our customers via Social Media and on our public websites that there are fraudulent SMS messages circulating. These messages pretend to be from DHL and ask recipients to click on a link and download an application. All customers are being asked to delete the message and under no circumstances should they download this application.”
DPD said: “Our focus has been on providing parcel recipients with a safe alternative to text and email notification and raising awareness of safe links, if they still need to use traditional notifications.
“We developed the Your DPD app in 2016 to provide a safe environment for parcel notifications and a better all-round customer experience when managing deliveries. We now have over 10 million DPD app users who are sent app notifications.
"For recipients who haven’t downloaded the app yet, we still use email and text notifications so that they know exactly when we will be delivering and to enable them to manage their delivery. We continue to stress that only emails sent from one of three DPD email addresses are genuine, these are dpd.co.uk, dpdlocal.co.uk or dpdgroup.co.uk."
Mobile network operators group Mobile UK says: “As an industry, we have been taking action to fight the ever-changing scourge of spam texts and calls for many years and educating customers on how to identify and report suspicious activity. We’re committed to working with Ofcom, the ICO and law enforcement agencies to reduce the threat that nuisance calls and texts pose to the public. We urge customers to help us act by texting reports of nuisance SMS and calls to 7726 and reporting nuisance calls.
“We recognise that a majority of scam text messages have characteristics that make them distinguishable from legitimate traffic and are working on new measures to better exploit these characteristics and protect customers. Additionally, Mobile operators are actively working with handset and handset operating systems companies to further automate the process. Google’s Android system currently incorporates a spam filter system that works in conjunction with the 7726 reporting service, which adds an additional level of security so that operators can block numbers and alert law enforcement agencies.”