Are you a victim of ‘smishing’? 3 in 5 people received a scam delivery text in last year according to new research

Three in five people have received fake delivery company texts over the last year as fraudsters exploit the pandemic, according to new research from consumer organisation, Which?.

Text scams have boomed as Covid confined millions of people to their homes and consumers became increasingly reliant on deliveries, with fraudsters posing as couriers and delivery companies and attempting to trick people into handing over their bank details via text.

A Which? survey of over 2,000 people in May revealed that three in five people (61%) had received a fake delivery company text in the past year.

Of those who received the scam text messages claiming to be from a delivery company, four in five (79%) said they realised it was fake straight away but 3 per cent said they lost money to the scam.

For those caught out, the financial and emotional impact can be devastating.

Which? also conducted its own experiment, setting up four new SIM cards on the UK’s big four network providers – EE, O2, Three and Vodafone. The numbers were never shared with anyone but two out of the four received at least one scam text message in just a two-week period.

Scammers use computers to generate combinations of numbers and send messages in bulk using ‘SIM farms’ – devices that operate several SIM cards at a time. The equipment and software is available online, and anyone can pick up cheap pay-as-you-go SIMs with unlimited free texts.

Numbers are often masked or ‘spoofed’ to avoid detection – so your phone might say you have received a text from a delivery company, when it’s actually a scammer.

The scam most often reported to Which? in the past three months has been fake text messages – also known as ‘smishing’ (SMS phishing) – pretending to be from Royal Mail. Of those surveyed who said they received one or more scam texts, seven in ten (70%) received the Royal Mail scam text.

The message usually requests a small payment for a parcel to be delivered, with a link to a copycat Royal Mail website, and victims who fell for it told us they were then called by scammers to try to trick them into sending large sums of money.

DHL, DPD and Hermes were the other most commonly impersonated companies in our survey. Of those who received a scam text message claiming to be from a delivery company, roughly one in three said the scam text pretended to be from DHL, DPD or Hermes (32% for DHL and DPD and 31% for Hermes).

One in eight scam texts (12%) impersonated  UPS over text.

Text messages claiming to be from couriers can also spread harmful malware. Spyware known as FluBot has been circulating through a message claiming to be from the delivery service DHL, which once downloaded could access sensitive information on your device.

Although companies being impersonated have no legal responsibility to deal with these scams, Which? believes they could find better ways to communicate with customers using text messages and do more to help raise awareness of scams.

Companies can register a recognisable sender ID to protect it against spoofing – although some spoofed messages can still slip through due to limitations of these protections and other weaknesses in SMS processes. Consumers would be better protected if it became standard practice for certain types of companies, such as banks, not to include links or payment requests in text messages – although this may not be possible in all cases.

While the telecoms industry is taking steps to address the explosion in text scams, there are clearly limits to how effective existing prevention measures are, as consumers continue to receive regular scam texts. The telecoms sector should continue to work to find solutions to protect consumers against scam texts.

Companies likely to be impersonated by scammers must be careful how they use SMS, and communicate clearly to their customers how and in what circumstances they will use SMS.

Consumers can sign up to Which?’s scam alert service in order to familiarise themselves with some of the latest tactics used by fraudsters. The consumer champion has also launched a Scam Sharer tool to help it gather evidence in its work to protect consumers from fraud. More than 5,000 scams have been shared with Which? via the Scam Sharer tool since it went live on 17 March 2021.

Adam French, Which? Consumer Rights Expert, said: “Our research shows how fraudsters have bombarded Britain with scam delivery texts on an industrial scale as they try to exploit the unprecedented conditions of the pandemic.

“Couriers and the telecoms industry must take further steps to protect consumers, by making it harder for fraudsters to exploit systemic weaknesses to reach potential victims, and by making people more aware of how to spot such scams.

“In the meantime, people can sign up to Which?’s scam alert service to keep themselves, their friends and family informed about the latest tactics used by fraudsters.”

A Royal Mail spokesperson said: “We remind our customers that Royal Mail will only send email and SMS notifications in cases where the sender has requested this when using our trackable products that offer this service. In cases where customers need to pay a surcharge for an underpaid item, we would let them know by leaving a grey Fee To Pay card. We would not request payment by email or text. The only time we would ask customers to make a payment by email or by text is in some instances where a customs fee is due. In such cases, we would also leave a grey card telling customers that there’s a Fee to Pay before we can release the item.

Royal Mail works hard to prevent and detect fraud. We work with UK law enforcement agencies, Trading Standards and other organisations to share information and support robust proactive action against scams. We report any offending sites and suspicious numbers to the appropriate authorities as soon as we are made aware of them.

As well providing useful help via our customer services channels, customers looking for additional advice on how to spot a fake notification by visiting our website at www.royalmail.com/scamprotection. Here they can view examples of scams, and get advice on taking appropriate action.”

DHL said: “We’re alerting our customers via Social Media and on our public websites that there are fraudulent SMS messages circulating. These messages pretend to be from DHL and ask recipients to click on a link and download an application. All customers are being asked to delete the message and under no circumstances should they download this application.”

DPD said: Our focus has been on providing parcel recipients with a safe alternative to text and email notification and raising awareness of safe links, if they still need to use traditional notifications.

We developed the Your DPD app in 2016 to provide a safe environment for parcel notifications and a better all-round customer experience when managing deliveries.  We now have over 10 million DPD app users who are sent app notifications.

For recipients who haven’t downloaded the app yet, we still use email and text notifications so that they know exactly when we will be delivering and to enable them to manage their delivery.  We continue to stress that only emails sent from one of three DPD email addresses are genuine, these are dpd.co.uk, dpdlocal.co.uk or dpdgroup.co.uk.

We continue to update the DPD.co.uk website with information on scams and examples of fake notifications  https://www.dpd.co.uk/content/about_dpd/phishing.jsp

With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate.  These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/

Hermes said: We are aware of a text scam pretending to be from Hermes and other parcel companies.  Hermes would never ask for payment for redelivery and we advise customers to remain vigilant. More security advice can be found here: https://www.myhermes.co.uk/help-and-support/cyber-security.

UPS said: “We are a global company with one of the most recognised and admired brands in the world. Occasionally, fraudsters take advantage of our reputation to target personal information. While we are not liable for the actions of third parties, we work to prevent and detect fraud where possible. Details of our efforts are available at our website along with tips for our customers on how to identify and avoid fraudulent text messages and emails.”

https://www.ups.com/gb/en/help-center/legal-terms-conditions/fight-fraud/recognize.page?#contentBlock-14

Mobile UK said: “As an industry, we have been taking action to fight the ever-changing scourge of spam texts and calls for many years and educating customers on how to identify and report suspicious activity.  We’re committed to working with Ofcom, the ICO and law enforcement agencies to reduce the threat that nuisance calls and texts pose to the public. We urge customers to help us act by texting reports of nuisance SMS and calls to 7726 and reporting nuisance calls.

“We recognise that a majority of scam text messages have characteristics that make them distinguishable from legitimate traffic and are working on new measures to better exploit these characteristics and protect customers.

“Additionally, Mobile operators are actively working with handset and handset operating systems companies to further automate the process. Google’s Android system currently incorporates a spam filter system that works in conjunction with the 7726 reporting service, which adds an additional level of security so that operators can block numbers and alert law enforcement agencies.

“We have also invested heavily in solutions to help banks and other organisations ensure that their security processes are not vulnerable to sim swap fraud. We are encouraging all of the banks and other organisations that rely upon one-time SMS codes to consistently use these new tools so that they know immediately when their customer’s phone number has had a recent sim swap. That ensures they have the opportunity to complete extra security checks and far better protect their customers from fraud.”

(Lead image: Anna Shvets / Pexels.com)