Three in five people have received fake delivery company texts over the last year as fraudsters exploit the pandemic, according to new research from Which?.
Text scams have boomed as Covid confined millions of people to their homes and consumers became increasingly reliant on deliveries, with fraudsters posing as couriers and delivery companies and attempting to trick people into handing over their bank details via text.
A Which? survey of over 2,000 people in May revealed that three in five people (61%) had received a fake delivery company text in the past year.
Of those who received the scam text messages claiming to be from a delivery company, four in five (79%) said they realised it was fake straight away but 3 per cent said they lost money to the scam.
For those caught out, the financial and emotional impact can be devastating.
Which? also conducted its own experiment, setting up four new SIM cards on the UK’s big four network providers – EE, O2, Three and Vodafone. The numbers were never shared with anyone but two out of the four received at least one scam text message in just a two-week period.
Scammers use computers to generate combinations of numbers and send messages in bulk using ‘SIM farms’ – devices that operate several SIM cards at a time. The equipment and software is available online, and anyone can pick up cheap pay-as-you-go SIMs with unlimited free texts.
Numbers are often masked or ‘spoofed’ to avoid detection – so your phone might say you have received a text from a delivery company, when it’s actually a scammer.
The scam most often reported to Which? in the past three months has been fake text messages – also known as ‘smishing’ (SMS phishing) – pretending to be from Royal Mail. Of those surveyed who said they received one or more scam texts, seven in ten (70%) received the Royal Mail scam text.
The message usually requests a small payment for a parcel to be delivered, with a link to a copycat Royal Mail website, and victims who fell for it told us they were then called by scammers to try to trick them into sending large sums of money.
DHL, DPD and Hermes were the other most commonly impersonated companies in our survey. Of those who received a scam text message claiming to be from a delivery company, roughly one in three said the scam text pretended to be from DHL, DPD or Hermes (32% for DHL and DPD and 31% for Hermes).
One in eight scam texts (12%) impersonated UPS over text.
Text messages claiming to be from couriers can also spread harmful malware. Spyware known as FluBot has been circulating through a message claiming to be from the delivery service DHL, which once downloaded could access sensitive information on your device.
Although companies being impersonated have no legal responsibility to deal with these scams, Which? believes they could find better ways to communicate with customers using text messages and do more to help raise awareness of scams.
Companies can register a recognisable sender ID to protect it against spoofing – although some spoofed messages can still slip through due to limitations of these protections and other weaknesses in SMS processes. Consumers would be better protected if it became standard practice for certain types of companies, such as banks, not to include links or payment requests in text messages – although this may not be possible in all cases.
While the telecoms industry is taking steps to address the explosion in text scams, there are clearly limits to how effective existing prevention measures are, as consumers continue to receive regular scam texts. The telecoms sector should continue to work to find solutions to protect consumers against scam texts.
Companies likely to be impersonated by scammers must be careful how they use SMS, and communicate clearly to their customers how and in what circumstances they will use SMS.
Consumers can sign up to Which?’s scam alert service in order to familiarise themselves with some of the latest tactics used by fraudsters. The consumer champion has also launched a Scam Sharer tool to help it gather evidence in its work to protect consumers from fraud. More than 5,000 scams have been shared with Which? via the Scam Sharer tool since it went live on 17 March 2021.
Adam French, Which? Consumer Rights Expert, said:
“Our research shows how fraudsters have bombarded Britain with scam delivery texts on an industrial scale as they try to exploit the unprecedented conditions of the pandemic.
“Couriers and the telecoms industry must take further steps to protect consumers, by making it harder for fraudsters to exploit systemic weaknesses to reach potential victims, and by making people more aware of how to spot such scams.
“In the meantime, people can sign up to Which?’s scam alert service to keep themselves, their friends and family informed about the latest tactics used by fraudsters.”
– ENDS –
Notes to editors
Which? surveyed 2,006 adults in the UK between 11 and 16 May 2021. Fieldwork was carried out online by Opinium and data have been weighted to be representative of the UK population (aged 18+).
What to do if you fall victim to a text scam
Report the scam text by forwarding it to your network provider on 7726.
If you have fallen victim to a text scam, you should contact your bank to ensure the scammer cannot take any more money from your account and ask to be reimbursed.
Many banks have promised to reimburse blameless victims of this kind of fraud by signing up to the voluntary authorised payments code. However, banks might challenge customers if they think the customer didn’t take precautions.
If consumers don’t have any luck getting their money back from their bank, the last resort would be to complain to the Financial Ombudsman.
Link to Which?’s scam alert service: https://campaigns.which.co.uk/
Link to Which?’s Scam Sharer tool: https://act.which.co.uk/scam-
Which member Jon Ladd has almost been scammed twice. He received a text claiming to be from the Royal Mail asking him to pay £2.99 for a delivery. He was waiting for an Amazon order and the fee sounded right. He followed the link in the text that took him to a perfect copy of the Royal Mail website, where he was asked for his details.
He said: “I would never normally give my bank details to anyone, but the website was so genuine looking. I did everything you’re supposed to, including checking if the URL was right. The scammers just caught me at the wrong time.”
A couple of days later, Jon received a call to his mobile from Barclays. The friendly sounding caller said that a direct debit had been set up for £500 and asked if it was genuine.
However, it was the same scammers who had spoofed their number as ‘Barclays.’ When they said Jon needed to download the Barclays banking app, alarm bells started to ring. Jon called Barclays who confirmed the call he’d received was another attempted scam.
Sharon Dickson inadvertently downloaded ‘FluBot’ spyware to her phone after clicking the link in a text. Sharon thought the text she’d received, claiming to be from DHL, was genuine because she was expecting a parcel, and was worried she might miss it while she was at work. Afterwards, she noticed a strange-looking DHL app on her phone.
Sharon tried to uninstall the app, but couldn’t. Concerned, she called EE and Samsung – Samsung guided her through resetting her phone and she hoped that was the end of it.
However, the scammers had started using her number to spoof other messages containing the spyware to more people. Sharon was inundated with calls, voicemails and messages from other victims – some abusive. She also received a deluge of other scam texts claiming to be from banks and supermarkets. She had no option other than to change her number.
She said: “It’s been such a hassle. I’ve had to reset all my apps, change my contact details for all my accounts and let everyone know. I suppose I’m lucky the scammers weren’t able to access my accounts.”
Rights of replies
A Royal Mail spokesperson said: “We remind our customers that Royal Mail will only send email and SMS notifications in cases where the sender has requested this when using our trackable products that offer this service. In cases where customers need to pay a surcharge for an underpaid item, we would let them know by leaving a grey Fee To Pay card. We would not request payment by email or text. The only time we would ask customers to make a payment by email or by text is in some instances where a customs fee is due. In such cases, we would also leave a grey card telling customers that there’s a Fee to Pay before we can release the item.
Royal Mail works hard to prevent and detect fraud. We work with UK law enforcement agencies, Trading Standards and other organisations to share information and support robust proactive action against scams. We report any offending sites and suspicious numbers to the appropriate authorities as soon as we are made aware of them.
As well providing useful help via our customer services channels, customers looking for additional advice on how to spot a fake notification by visiting our website at www.royalmail.com/
DHL said: “We’re alerting our customers via Social Media and on our public websites that there are fraudulent SMS messages circulating. These messages pretend to be from DHL and ask recipients to click on a link and download an application. All customers are being asked to delete the message and under no circumstances should they download this application.”
DPD said: Our focus has been on providing parcel recipients with a safe alternative to text and email notification and raising awareness of safe links, if they still need to use traditional notifications.
We developed the Your DPD app in 2016 to provide a safe environment for parcel notifications and a better all-round customer experience when managing deliveries. We now have over 10 million DPD app users who are sent app notifications.
For recipients who haven’t downloaded the app yet, we still use email and text notifications so that they know exactly when we will be delivering and to enable them to manage their delivery. We continue to stress that only emails sent from one of three DPD email addresses are genuine, these are dpd.co.uk, dpdlocal.co.uk or dpdgroup.co.uk.
We continue to update the DPD.co.uk website with information on scams and examples of fake notifications https://www.dpd.co.uk/content/
Hermes said: We are aware of a text scam pretending to be from Hermes and other parcel companies. Hermes would never ask for payment for redelivery and we advise customers to remain vigilant. More security advice can be found here: https://www.myhermes.co.uk/
UPS said: “We are a global company with one of the most recognised and admired brands in the world. Occasionally, fraudsters take advantage of our reputation to target personal information. While we are not liable for the actions of third parties, we work to prevent and detect fraud where possible. Details of our efforts are available at our website along with tips for our customers on how to identify and avoid fraudulent text messages and emails.”
Mobile UK said: “As an industry, we have been taking action to fight the ever-changing scourge of spam texts and calls for many years and educating customers on how to identify and report suspicious activity. We’re committed to working with Ofcom, the ICO and law enforcement agencies to reduce the threat that nuisance calls and texts pose to the public. We urge customers to help us act by texting reports of nuisance SMS and calls to 7726 and reporting nuisance calls.
“We recognise that a majority of scam text messages have characteristics that make them distinguishable from legitimate traffic and are working on new measures to better exploit these characteristics and protect customers.
“Additionally, Mobile operators are actively working with handset and handset operating systems companies to further automate the process. Google’s Android system currently incorporates a spam filter system that works in conjunction with the 7726 reporting service, which adds an additional level of security so that operators can block numbers and alert law enforcement agencies.
“We have also invested heavily in solutions to help banks and other organisations ensure that their security processes are not vulnerable to sim swap fraud. We are encouraging all of the banks and other organisations that rely upon one-time SMS codes to consistently use these new tools so that they know immediately when their customer’s phone number has had a recent sim swap. That ensures they have the opportunity to complete extra security checks and far better protect their customers from fraud.”
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at firstname.lastname@example.org