Hotel staff bust Hermes SMS scammer with suspiciously large number of cables

If you’re in the UK, you’ve likely received a fake delivery SMS at this point. The original big driver for this over the pandemic was a non-stop wave of Royal Mail phishing scams. As that article mentions, most if not all of our interactions with organisations are done by mobile. I receive medical appointment updates by phone. Notifications from school? Phone. A reminder about my upcoming dental appointment? You better believe it’s arriving by phone.

The pandemic has exacerbated this, because nobody really wants to be handling mail and licking envelopes when you could just fire out bulk texts instead.

Unfortunately, scammers thought this was a very good idea and leapt aboard the hype train.

Choo choo, as they say.

Of lists and spamming

It seems no matter how careful you are with your number, eventually it’ll end up on a list. At that point, you’re subjected to a heady mix of real and fake messages. I myself have occasionally missed important notifications buried in a mix of spam and nonsense and it’s really quite aggravating.

When scammers realised the Royal Mail scams were now attracting mainstream levels of press attention, some changed their tactics. They made it much harder to analyse and explore the scams on offer.

Others decided to diversify. Different brands quickly started being thrown into the mix. It was no longer fake Royal Mail messages you had to worry about. It was now bogus Hermes, or DHL texts too.

It’s very difficult to find the perpetrators of these scams. With a small amount of digital know-how, culprits can make use of anonymous bulk mailers and almost never get caught.


When real world incognito mode goes horribly wrong

The continued success of these SMS attacks relies on the criminal pulling the strings lurking in the background. There’s no reason for them to make themselves visible to the long arm of the law. It might go wrong, for example, if someone were to turn up somewhere public and do something suspicious.

A hotel, say. While carrying a bag stuffed full of wires and some electrical devices.

Step up, “man arrested in Manchester hotel on suspicion of fraud by misrepresentation”.

Now, I have occasionally wandered into a hotel with a bunch of tech stuff. I don’t know how I’d end up looking suspicious to staff though, short of my bag spilling all over the lobby while I yell “OH NO, MY DUBIOUS ELECTRONICS”. The article also doesn’t mention if staff became suspicious based on something they saw in the hotel room itself.

Either way, the police were called in. They took everything away. This person is now being questioned to establish what, exactly, has been going on. This is the opposite of how Carmen Sandiego or, to a lesser extent, Where’s Waldo, operates.

Counting up the cost

Law enforcement have been doing some early digging. So far, the results are as follows:

  • Around 26,000 texts were sent from the devices, claiming to be from delivery company Hermes. The gimmick is the old faithful “You missed a delivery, please pay us” routine so beloved of Royal Mail scammers.
  • Up to 44,000 mobile phone contacts are believed to be stored on the devices.

This seems quite novel, in terms of potential busts for dubious antics online. Perhaps the person under suspicion felt they would be more anonymous if they did this away from home. Things haven’t really gone to plan on that front.

No, fake SMS delivery scams haven’t gone away

The report mentions the investigation is in very early stages, so who knows what direction it might take. No matter how it ends up, it doesn’t mean the threat is over. There are plenty more SMS phish in the sea. Fake parcel delivery messages are still rife, and you can expect to see them for some time to come. Let’s not forget the life-changing impact falling for just one of these text-based missives can have.

Please subject all texts asking for logins and / or payment to scrutiny, and if in doubt, always contact the purported sender directly via official channels. It’s not worth having your life ruined over one bogus SMS with bad intentions.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.