The Royal Mail is impersonated in so many scams that its website has a dedicated section to help people detect and report fraudulent messages.
That service has been especially busy recently after people received emails and texts supposedly from the Royal Mail demanding a shipping payment.
We dedicate this month’s phishing round-up to these scams, explaining how you can spot bogus Royal Mail messages and why Brexit has helped attackers.
What do these scams look like?
Scammers’ primary method of attack is emails informing recipients that a package can’t be delivered until a shipping fee is paid.
The messages contain a link that supposedly directs to the Royal Mail website, where payment can be made.
The fake emails contain a variety of details that make the message look genuine, including a parcel number and specific details about the apparent package, such as its weight and location.
Recipients may also assume the URL, which contains ‘adminroyalmail-delivery’, is genuine.
Those who follow the link are directed to a mock-up of the Royal Mail website, where they are instructed to provide their personal and financial details.
It’s therefore not just the £2.95 shipping fee that victims are handing over but complete access to their bank accounts.
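A mail or SMS filter can catch the ‘adminroyalmail-delivery’ trick described above by comparing a link’s hostname with the real domain instead of searching for the brand name. The Python below is an added example, not part of the original article; it assumes royalmail.com is the only official domain, and the `.example` hosts and the sample text are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: royalmail.com is the only domain treated as official.
OFFICIAL_DOMAINS = ("royalmail.com",)
# Brand strings a lookalike tends to embed; matched with separators stripped out.
BRAND_TOKENS = ("royalmail",)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url):
    """Return 'official', 'lookalike' or 'unrelated' for one URL."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        host = ""  # malformed authority can never be the official site
    # Official only if the host is the domain itself or a true subdomain of it.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # The brand appearing anywhere else (host label, userinfo, path) is a lure.
    squashed = re.sub(r"[^a-z0-9]", "", url.lower())
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def scan_message(text):
    """Extract every http(s) link from a message body and classify it."""
    links = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return [(u, classify_link(u)) for u in links]


# Constructed sample text; the .example hosts below are placeholders, not real sites.
SAMPLE_SMS = ("Royal Mail: your parcel is held until a 2.95 GBP shipping fee "
              "is paid: https://adminroyalmail-delivery.example/pay")

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_SMS):
        print(verdict, url)
    for url in ("https://www.royalmail.com/",
                "https://royalmail.com.parcel-fee.example/",
                "https://royalmail.com@parcel-fee.example/"):
        print(classify_link(url), url)
```

The last two constructed URLs show why a substring match is not enough: the official domain appears as a subdomain label or as userinfo, yet the host that actually receives the request is a different domain.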
A Royal Mail spokesperson urged customers to act cautiously: “Royal Mail will only send email and SMS notifications to customers where the sender has requested this when using our trackable products that offer this service.”
They added that Royal Mail will only request online payments if a customs fee is late, noting that recipients will also receive a grey card in the post that contains details about the package and instructions on how to make the payment.
Despite the precautions the Royal Mail has in place to prevent fraud, customers are still regularly caught out.
Anyone who suspects they have received a scam message should look at the Royal Mail’s dedicated page on phishing. It explains:
Fraudsters often use subjects or greetings that are impersonal and general, like “Attention Royal Mail Customer”. They may use a forged email address in the “from” field like “firstname.lastname@example.org”. They may even use the Royal Mail logo. None of this guarantees the email has come from us. […]
Royal Mail does not handle cash on behalf of third parties. If you are instructed by any third party websites or contacted by email to make a payment via Western Union money transfer to a Royal Mail account or agent, DO NOT make the payment.
The organisation also asks those who suspect they have received a scam message to complete an online form. This helps it keep its list of known scams up to date, which ensures that both the Royal Mail and its customers are aware of fraudsters’ latest techniques.
Text message scams
The Royal Mail also warned customers about similar scams delivered by text. This method of attack is particularly dangerous because it’s less common and people are therefore less likely to be alert to the threat.
Furthermore, both legitimate and fraudulent texts are typically very short – perhaps one or two sentences. As such, recipients have little information to determine the authenticity of the message, and they may be tempted to follow the link to find out more.
Here’s an example of a scam text that a Royal Mail customer recently reported:
Texts also make it easier for scammers to hide their identity. They don’t need to replicate official logos or the sender’s address, and the messages come from a nondescript phone number.
However, in most cases you can find out where the phone number is registered by looking it up online.
If you are ever in any doubt whether a message is genuine, you should contact the Royal Mail by visiting its website (never follow a link from an email or text) or your local delivery office.
Brexit and Northern Ireland delivery scams
It would be an understatement to say that Brexit has come with teething problems, so it shouldn’t come as a surprise that the UK’s exit from the EU has contributed to an increase in Royal Mail scams.
Some customers have been targeted by scams relating to customs tax for packages sent from Great Britain to Northern Ireland.
Customers are currently subject to no such tax, as there is a grace period for parcels that lasts until at least April.
Unfortunately, that announcement came just hours before the end of the transition period, and some British organisations and their delivery firms had already decided to add customs labels to parcels going to Northern Ireland.
Confusion over the new rules has added fuel to an already successful scam, making it more dangerous than ever.
You can find out more about Royal Mail scams and report a suspicious message on its website.
Can you spot a scam?
Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.
This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.