Expecting a delivery? Watch out for phishing attempts warning of held packages and bogus shipping fees. This Royal Mail delivery scam begins with a text message out of the blue, claiming:
Your Royal Mail parcel is waiting for delivery. Please confirm the settlement amount of 2.99 GBP via:
Uk(dot)royalmail-bill(dot)com
Lots of folks may assume this text message is genuine, along with the URL. This would be a mistake. What we have is a simple but effective phish. It takes advantage of several real-world factors to make it a bit more believable than other missives landing in mailboxes.
What are they up to? Let’s find out.
“If you do not pay this your package will be returned”
The link leads to a fake Royal Mail page which as good as repeats the message from the text, with one important addition:
If you do not pay this your package will be returned to sender
It doesn’t mention how long is left until the package is returned. (There’s nothing like a bit of sudden pressure to make people jump through some hoops.)
The phishing page has two sections. The first asks for a lot of personal details like name, address, phone number, and email address. Clicking the continue button leads to a request for payment information, in order to pay the non-existent fee.
If the victim continues, the phisher has both their personal information and their credit card.
Why this phishing attack works
This is a smart scam, for a number of reasons.
- The phish carries the usual markers of urgency and a request for information. It also doesn’t provide any clue about what’s in the non-existent package or who it’s from, tweaking victims’ fear of missing out, while promising to make that information available for a reasonably small and realistic fee.
- The endless pandemic ensures huge numbers of people are buying everything online. It’s not uncommon for households to have a steady army of delivery people at the door. A week’s shopping, clothes, entertainment items, schoolbooks for the kids, and more besides are all conveyor-belting their way into homes daily. It’s quite easy to forget which parcels have been ordered and which have already arrived.
- Sending text messages from an “official” delivery company number is a practice long since abandoned, and numbers are easy to spoof anyway. If you’re waiting on a parcel, you could get a message from pretty much any number at all, including the personal mobile of the driver themselves, so checking whether the number is official is no help.
- In the UK, Brexit is causing no end of confusion over delivery charges. People and organisations simply don’t seem to know what to expect, and this kind of phishing scam plays off that confusion to the max. If you’re waiting on something from outside the UK and find out a parcel is almost within reach, you may well be tempted to fill in the payment information request so as not to risk having the package returned to sender.
Next steps
If you or anyone you know has been caught by this, contacting banks or credit card companies is a priority. This would also be a good time to explore our in-depth look at phishing tactics. It’s a particularly unpleasant scam to be caught out by, when a majority of people are reliant on postal services. If you’re in doubt over the status of a parcel, go directly to your delivery service’s website. What you’ll lose in time, you’ll more than make back in terms of your bank account remaining safe and sound.
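As an added example (not part of the original article), the Python below refangs the link from the text message quoted above and flags any hostname that carries a brand name on a domain the brand does not own. The official domain royalmail.com, the short suffix list and the pressure-word list are assumptions of this example.

```python
import re

# Assumption: the brand's genuine registrable domain (not stated in the article).
OFFICIAL = {"royalmail": "royalmail.com"}
# Constructed short list of two-level suffixes; production code would use
# the full Public Suffix List instead.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}
# Constructed list of pressure/payment words seen in this kind of lure.
PRESSURE = re.compile(r"\b(returned|settlement|confirm|fee|pay|waiting)\b", re.I)
HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# The SMS as quoted in the article, link still defanged.
SAMPLE_SMS = ("Your Royal Mail parcel is waiting for delivery. Please confirm "
              "the settlement amount of 2.99 GBP via:\n"
              "Uk(dot)royalmail-bill(dot)com")


def refang(text):
    """Undo common defanging: (dot), [dot], [.] and hxxp."""
    text = re.sub(r"\s*[\[(]\s*(?:dot|\.)\s*[\])]\s*", ".", text, flags=re.I)
    return re.sub(r"hxxp", "http", text, flags=re.I)


def registrable_domain(host):
    """Return the part of the hostname that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_sms(message):
    """List hostnames that use a brand name outside the brand's own domain."""
    text = refang(message)
    pressure = sorted({w.lower() for w in PRESSURE.findall(text)})
    findings = []
    for host in HOST.findall(text):
        host = host.lower()
        reg = registrable_domain(host)
        flat = re.sub(r"[^a-z0-9]", "", host)  # also catches "royal-mail"
        for brand, official in OFFICIAL.items():
            if brand in flat and reg != official:
                findings.append({"host": host, "registrable": reg,
                                 "brand": brand, "pressure_words": pressure})
    return findings


if __name__ == "__main__":
    for finding in analyse_sms(SAMPLE_SMS):
        print(finding)
```

The brand name sits in the registrable part `royalmail-bill.com`, which anyone can register, while the leading `uk.` is only a subdomain label chosen by the sender.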