/ Scams

Scam watch: a case of ‘mistaken’ delivery

Fraudsters can use stolen personal details to open credit accounts with a retailer, then intercept the delivery. Here’s how it works and what to do if you’re affected.

An unnamed parcel from an online retailer was delivered to Phil’s home address, containing a games console that he’d never ordered. Shortly after, a man in a high-vis jacket, featuring a courier logo, knocked at the door, with a van idling at the end of the drive.

He asked if Phil had just received something that wasn’t his, saying that there’d been a mistake. Because Phil had just admitted that he hadn’t ordered it, he reluctantly handed the parcel over. He then contacted the retailer, only to be told that a store account had been opened in his name and had been used to make the order.

Identity fraud

By using stolen personal details to open a credit account with a retailer, fraudsters can order high-value goods, intercept the delivery and get away with little trace, leaving you to pick up the bill.

The scammers probably received delivery updates to their phone or email, letting them know when it was likely to be delivered, while waiting nearby in the van that Phil spotted. On the upside, Phil told us that the retailer has been helpful and did everything right to get the situation resolved for him. It quickly investigated, confirmed that this was a case of identity fraud and fully reimbursed him, with an apology.

It also signed Phil up to the Cifas Protective Registration service, which usually costs £25 for two years. Being signed up to the service means any future credit applications made in his name will go through extra checks to make sure they’re not fraudulent before they’re approved.

Protective Registration

Unfortunately, if you’ve been ‘successfully’ targeted once, there’s a higher chance it could happen again. More and more banks, lenders and retailers are automatically offering to cover the cost of Protective Registration for victims affected by failings in their security checks.

If you fall victim to identity theft, ask the company involved to register you with the service. It’s also important that it removes any fraudulent lines of credit opened in your name from your credit file, so it doesn’t affect your credit score.

Have you been affected by this type of fraud? If so, how did the retailer deal with the situation? Let us know in the comments.


We have not been victims – fortunately. But thank you so much Which? for the heads up on this.

The key features here are the data which the scammers got hold of and their ability to use it to open an account. The retailer is out of pocket. He has made a refund and has lost the sale and his merchandise. Phil has had a nasty experience and stress recovering from it. My last on line parcel was left by the door. The bell was rung and the delivery man had departed before I opened it. He didn’t know whether I was in. If this fraud had been committed then, I would only have discovered the fact when the card statement arrived.
No doubt Phil has changed his on line details, which is a nuisance for him. Who knows how his account was hacked? What clues can be followed to find out when it happened? There must be some sort of trail: a previous order, sloppy procedures somewhere, a dishonest employee. I would have thought that the supplier would be angry enough to look into this failure.
On line shopping is convenient, but if fraud becomes widespread it will kill itself off.

Yes, quite right about the paper/financial trail. Unless the order involved a large amount of money and had happened too often in similar circumstances I doubt anyone would bother, for the police or the retailer to spend any time on this is, it is, unfortunately, a non-starter. For the retailer, it’s just another cost of doing business.

I had a text this morning saying “Our driver John tried to deliver to you today but unfortunately did not get an answer. To set a new date visit
https://driver-attempt.com. this was at 10..am.
Before Christmas I had a similar text supposedly from Hermes saying they couldn’t deliver but will be back tomorrow. Schedule again here:
https://depot-local-6751.com sent at 4.00am. Even delivery drivers don’t try & deliver at 4 o’clock in the orning.

[Moderator: this website appears to be a scam website. We’ve retained the URL to help you identify it, but we’ve redirected the link to our guidance on how to spot fraudulent website. ]

Linda says:
13 January 2022

Hi, had a text msg on 3.1.22 at 6.20am
Hermes: Sorry our driver couldn’t deliver today. We will be back tomorrow cover the £1.45 (followed by a website which I did Not click into.
I was not expecting any parcel from Hermes! Scam?!

This is why we must have complex passwords on everything on a computer, or whatever device you use for online accounts and ordering etc. and of course NEVER use the same password twice or more. And with some sites you need 2FA, ( that’s two factor authentication, not two fingered arrogance ). You need to have a complex password on your boot up, on your email account, on your security program, which should be top of the range maximum security, and on your ISP account, and on your various other accounts etc. and of course NEVER click the “remember me” or “stay logged in” button, and if it’s already ticked as some are then untick it each time you log in. And of course never store any passwords on any device or sites. But of course even if we do take all these precautions there’s still the problem of inadequate site security where the encryption is not up to a high enough standard and has “back doors” where hackers can get in and steal details, like someone did with tesco’s customer database which ended up being offered for sale on the dark web. And we shouldn’t have to store too many private personal details on sites either, as so many of them insist, like the supermarket sites do. But of course with some sites like payment services like paypal it’s essential, and this is why top of the range fully secure end to end encryption needs making compulsory for all online transaction pages. I think this is something Which? should be campaigning for.

Crusader – I agree with what you are saying but a lot of the scams are based on fairly elementary techniques which rely on nothing more than human nature for their success.

In the examples that Adrian was quoting above, there was no complicated hackery or invasion of anyone’s bank details or shopping account. It was likely a random telephone message, not addressed to anyone in particular, not identifying the sender, just landing wherever it falls in the hope that some of its recipients will act on it, make contact, and authorise a payment in order to have a parcel delivered. That, of course, is only Act 1 of the scam and would probably be followed up with more serious fraudulent actions resulting in a major loss of funds.

Alongside your advice on password protection and other authentication requirements, an important message we must get across is not to respond in any way to telephone calls and text messages from unknown parties. It takes a degree of self-training and discipline not to revert to basic human nature and do the scammer’s dirty work for them by cooperating with them in reaction to an unidentifiable or unspecific message.

Any genuine contact about a delivery will come through proper channels, give enough information to authenticate it, and provide a secure means of making further enquiries.

Anura says:
8 January 2022

Can anybody suggest what you should say to the bloke that comes to collect the “misdelivery” – being a lone female I’d obviously prefer some reason not to hand over the scam parcel (should one arrive) that isn’t going to cause me problems.

The scammer collecting the parcel is very unlikely to know their victim so . . .
The parcel is addressed to my husband/wife/friend who is not here at the moment. I don’t know anything about it and I am certainly not handing it over to you until that person has seen it. I can’t contact them at the moment as they are in a meeting/in hospital/driving/a policeman/woman just gone on duty.

Then contact the police really emphasising you are alone and scared after reading stories about this sort of thing happening. In an ideal world, you could arrange for the scammer to pick up the parcel later when a policeman would be ready to arrest them.

This could be one good reason to install a smart doorbell so you can deal with the caller remotely and capture a video image of them.

I think [hope] I would say something like “it was addressed to me so I have taken possession of it. If the company wants it back then I shall wait for them to contact me about returning it.”

Keith says:
13 January 2022

Go Away

Do NOT tell them you are home alone. Politely but firmly tell the person to leave your property.

“it has my name on it, so if better hang on to it. Leave it with me, I’ll sort it out. Thanks!

Laraine Feldman says:
13 January 2022

Don’t open the door. Just talk to them through it or not at all.

Trevor says:
13 January 2022

Make sure you get registration number of the van so that the police can find them.

Robert says:
10 January 2022

In addition, pedestrians should be protected by an aversion to motorists to park on designated footpaths. As a regular walker, I have seen mothers with toddlers/ buggies being forced onto busy roads due to this practice being adopted by, but not exclusively, Royal Mail, other Couriers and even police vehicles. ‘Visually limited’ sufferers can also be affected by these inconsiderate drivers

I have received a letter from Giffgaff addressed to RYU YOKOTA.
I have never communicated with Giffgaff. I don’t know RYU. He has never lived at this address.
What should I do? Return to sender, inform the police and/or Post Office ?

I normally put that sort of letter back in the post with the envelope clearly marked ‘Not known at this address’. If there is anything to indicate that this might be a bill it might be useful to contact Giffgaff to avoid future communication.

Fifi says:
13 January 2022

I would report it to Giffgaff’s official phishing-reporting email or web page. Most reputable companies have them.

Jamie Jamieson says:
10 January 2022

Lauren, you penned an excellent article it’s a shame that banks and building societies aren’t offering a more robust system than CIFAS Protective Registration to us, their customers.

Can I suggest you Google identity theft the anti social engineer. Or http://www.theantisocialengineer.com go to the drop down menu for the blog and scroll down to identity theft solution.

Compare both systems and maybe Which? would like to investigate and comnent.

Have not been a victim of scams i do get phone calls regular from Amazon prime and other banks asking you to confirm your updates by pressing 1.

Maggie says:
13 January 2022

We just end the call without interacting with the caller.

Alicia Coumbe says:
13 January 2022

Thank you very much Which for sharing this, I really appreciate it.

Philip Shepherd says:
13 January 2022

It’s very useful to have warning about types of scams. Forewarned is forearmed. Now I know about this trick I think I will ask the “delivery man” if I can take a picture of his delivery tablet or other advice “to show your company that you have tried to retrieve the parcel” – hoping to get a picture of the individual’s face so I can pass it on to the community police.

Steve E says:
13 January 2022

I to have had an ” our driver John ” text, ( pretending to be Royal Mail)

It wasn’t me, I assure you.

Roger Cutler says:
13 January 2022

I was a victim of identity fraud ( over 5 years ago) with a mobile ‘phone which I refused as unordered & sent back with the delivery driver. I received a contract from Vodafone which I returned with the information that I hadn’t ordered the ‘phone, it was a scam & I had refused to accept the delivery. I was advised that Vodafone had noted this. Nevertheless I continually received bills from their accounts dept. which I returned telling them that I had already notified them it was a scam. They ignored my replies & simply re-billed me. I was ultimately threatened with bailiffs & a mark on my credit rating. Following Which’s advice I threatened them with legal action for harassment & any reputational damage. I told them many times that I had refused delivery of the ‘phone which I had not ordered. Although no bailiffs arrived & the bills stopped coming, they did amend my credit reference. I managed to get this removed later. I notified “Action Fraud” online but received no acknowledgment

IanLancaster says:
13 January 2022

6 months ago or more my credit card account showed a number of purchases from Amazon, all made within a few hours of each other; none of them mine. Amazon was v helpful; accepted that these were not my purchases, identified who had made the purchases and refunded the money – but would not tell me who the purchaser was, nor how they had got hold of my cc details (maybe they didn’t know). So I registered the case on the ActionFraud website, only to get a response saying that as I was not out of pocket they would take no further action. This seemed stupid to me. Amazon could identify the perpetrator and would have told an appropriate authority (i.e. the police), so the person could have been arrested. As it is, they were allowed to go on and do it again using someone else’s stolen CC details.
To add insult to stupidity, yesterday I had a call from a relationship person at ActionFraud making a follow-up/check-up call! So I told him what I thought of not following up on my report…

Patricia Hamilton says:
13 January 2022

I had a driving license delivered to my address with my address on it not my photo tried to contact. DVLA impossible to talk to a real person. Had to use chat one of the pull down menus said return it to DVLA but concerned since could it be identity theft

Robbo says:
13 January 2022

Am I missing something here? Someone’s personal customer details are stolen from a retailer who does not have a secure enough system to prevent this and then the victim pays to have an insurance to be compensated should it happen again. How about the retailers paying to have their systems secure enough in the first place?

Maria Popovic says:
13 January 2022

I personally have not had any scams and I do a lot of online shopping so I am really glad for Which letting me know about this latest scam it is appalling that these sort of things happen and I also agree the companies should have better security to stop these scams from happening.

Judy says:
13 January 2022

Well if someone comes for a parcel I have not ordered they probably will be able to pick up easily from my yard where my couriers just leave by the gate regardless whether I am home or not! Although I am in a country lane I always have a concern whether my genuine parcels will still be there. Having seem Not going out last night and the parcel confusion we are all at risk!

Jamie Jamieson says:
13 January 2022

Oh so easy to prevent.

Which? something that deters this sort of crime, and is more robust than a password and more effective than Protective Registration. What do you say Which?

Hamish Macdougall says:
15 January 2022

Sorry, the idea of requiring to fix your fingerprint to a credit application is fine except that a crook can lift your fingerprint off anything you’ve used and use it in a bogus application. In the same way people have used a photo to scam iris recognition technology. There’s actually no way to prevent a person representing someone else except by embedding a chip in their flesh. And even that could be reprogrammed to give you multiple personalities. So it is an intractable problem (one that cannot be solved). Sorry.

I do NOT buy easter eggs, they are a legitimate scam.