
How the fake Hermes parcel delivery texts are evolving

There’s been a resurgence in fake Hermes texts trying to lure you into bank transfer scams. Here’s how fraudsters have been changing their tactics to try to catch you out.

Text message scammers ultimately want to get hold of your details, including who you bank with, so they can later call you pretending to be that bank. They usually warn victims that their account has been compromised, persuading them to send their money to a new ‘safe account.’ But this is all a lie.

Scam texts claiming to be from delivery company Hermes have been circulating for a long time, but recently the scammers behind them have been trying to make their attempts to con you more convincing – here’s how:

Fake Hermes text tactics

These scams start out as a text message saying you’ve either missed a delivery or there’s a fee to pay for a parcel. They include a link that takes you through to enter details or make a small payment.

But Hermes never asks for payments via text – it only sends links that let you view parcel tracking.

Customers have wised up to this, so scammers are now including other details in the message to mimic real Hermes texts, and offer links to ‘track’ a parcel.

Some now include an estimated time of delivery and the names of big retailers, sometimes followed up shortly after with a fake missed delivery notification from the same number.

The links included take you through to copycat Hermes websites.

The masked SenderID

Scam texts can often be spotted because they’re usually sent by an unknown mobile number, rather than a named SenderID (such as ‘Hermes’).

In theory, these names should be protected by the phone network so they can’t be used fraudulently, but fraudsters have found a way to mask or ‘spoof’ Hermes’ name. We’ve seen fake texts drop into the same conversation thread as real text alerts from Hermes, making them more believable.

The first and third texts are genuinely from Hermes. The middle one (highlighted) is fake.

The cloned websites

Fake messages are linking to increasingly sophisticated copycat websites that look just like the real thing. Instead of asking for payment upfront, this clone site cleverly takes details from you, piece by piece, to ‘locate’ your parcel:

Only after you’ve handed over your address, number, and other personal information, the site warns there’s an outstanding fee to pay. By this time, a lot of victims have told us they’ve realised something’s not right, but have already given away sensitive details.

Scammers can still use these details to target people with more scams, possibly with phone spoofing scams where they pretend to be calling from your bank.

If you think you’ve given away your bank details, contact your bank immediately via its official channels and tell it what’s happened.

Staying safe from evolving scams

The number one piece of advice for avoiding being scammed: avoid following any links you’re sent in text messages. Even if:

🔹 The SenderID appears to be real

🔹 It’s asking you to update payment information urgently

🔹 It threatens a service or order will be cancelled

🔹 You’re curious about having had something delivered

Contact the organisation or company the message claims to be from directly to check the details if you’re not sure.

Hermes says it’s keen to protect customers from these scams. It’s put warnings across its website and offers advice on avoiding phishing attempts using its brand. Its Chief Information Security Officer said:

“We take this very seriously and want to play our part in protecting the UK public as well as our customers, as we’ve seen that this issue has increased significantly since the start of the COVID-19 pandemic. Hermes has implemented and invested in multiple detect and response measures that we continuously monitor.”

Forward scam texts you receive to 7726

You can share suspicious texts with your network provider by forwarding them to 7726 (spells SPAM on the keyboard). Cloned sites should be reported to the National Cyber Security Centre at report@phishing.gov.uk.

You can also report these sites to the domain host, who can take steps to shut them down. You can find out which company hosts a website by putting the site’s URL into a Whois search.
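For anyone handling these reports in bulk, the Whois step above can be scripted. The following is an added example, not part of the original article: it pulls the link's hostname out of a suspicious text and reads the registrar, abuse contact and name servers from Whois output, so the report goes to the right company. The message, domain and Whois record are constructed sample data, and the "Key: value" layout is an assumption that holds for many registries but not all.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: the text message, domain and Whois record below are
# invented for this example and do not describe a real site.
SAMPLE_TEXT = ("We missed you. Rearrange your delivery at "
               "https://parcel-redelivery.example/track?id=123 within 48h.")
SAMPLE_WHOIS = """\
% Constructed Whois response for illustration
Domain Name: PARCEL-REDELIVERY.EXAMPLE
Registrar: Example Registrar Ltd
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2021-06-15T09:12:44Z
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_hosts(message):
    """Return the hostnames of every http(s) link in a message, without repeats."""
    hosts = []
    for url in URL_RE.findall(message):
        # Trailing punctuation belongs to the sentence, not the link.
        host = urlsplit(url.rstrip(".,)")).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def parse_whois(text):
    """Collect 'Key: value' lines; keys that repeat (name servers) become lists."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("%", "#", ">>>")):  # comment and footer lines
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def report_summary(message, whois_text):
    """Gather what a takedown report needs: host, registrar, abuse contact."""
    rec = parse_whois(whois_text)

    def first(key):
        return (rec.get(key) or [None])[0]

    return {
        "hosts": link_hosts(message),
        "registrar": first("registrar"),
        "abuse_email": first("registrar abuse contact email"),
        "created": first("creation date"),
        "name_servers": [ns.lower() for ns in rec.get("name server", [])],
    }

if __name__ == "__main__":
    for field, value in report_summary(SAMPLE_TEXT, SAMPLE_WHOIS).items():
        print(f"{field}: {value}")
```

A very recent creation date on a domain that claims to be a long-established courier is itself worth including in the report.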

Guide: how to spot a scam

Guide: how to get your money back after a scam

Have you received these fake Hermes text messages? Were you sent on to a cloned website? Let us know in the comments, and do help warn your friends and family.


Comments

Always assume that ANY message, be it Text, or a Phone call, to be a Scam. Start with that assumption, not end with it. Let them prove that they are genuine. Having failed to do that, one can sit back and safely ignore it. And 99% of all messages will turn out to be fake. The one per cent that are genuine, will try and deliver the parcel again. Failing that, they will have to return the parcel to the sender, at further cost, to themselves! Which they do not want, so they’ll really try harder to deliver. Simples. The whizzy Investment site, can send any amazing Investment opportunities, by post, for me to compare and read. Of course, they don’t have any such bumph, they are Scammers. Treat them all with contempt. The messages will self delete after 6 months untouched. How we laugh at their poor feeble attempts over the phone, it is a great source of entertainment to hear such stories that they come up with. When told, that they are crooks they get so annoyed, that we have seen through their little ploy so easily! Actually asking us how we spotted that it was Fake? They want, us to help them become better crooks! They have phoned us back shouting as to how they have a “right” to continue with their chosen profession, and-and-and, we put the phone down. It is laughable, and if one only treats them as crooks, as children, to begin with, then 99% will show up as a Scam. Try it, the next call you get. Treat it as a Scam, to begin with. They do make us smile.

Martin says:
16 August 2021

DPD are doing it as well

It doesn’t help identify fake texts when companies are not consistent with sender and links details.

The intro shows //myherm.es/ as genuine, my Hermes texts are from //goherm.es/.

For Amazon, texts are usually from //amazon.co.uk/ but I recently had one from //amzn.eu/ to inform me a delivery would be delayed.

Royal mail texts are from //ryml.me/.

Senders also need to use naming conventions that don’t look like gobbledegook:
Asda: r/wal.co/o/123123123123123/false (the numbers are in the same format)

Waitrose promotion //bit.ly/2TOy…

And just to round off, I placed an order with IKEA on 8th May that was delivered yesterday 17th June. I have had a text from //www.surveygizmo.eu//…. hoping I am happy with my recent service from IKEA and to complete a short service. 🙄

Can you give us examples of delivery companies that operate without the need for links, Lauren?

I would be happier to log into an account and look for a message rather than click on a potentially malicious link.

You might remember we had problems with DPD last year.

I now have their app on my mobile that works extremely well. I never have to log in but just go to the app.

Sometimes it will tell you they have been notified of a parcel but it is not yet been collected so now you might know if the sender is lying when they say it has been sent.

You can also manually enter the parcel number if you can’t see it.

The app tracks the delivery, tells you your delivery is number x of y and shows you what number the driver is on and exactly where he/she is. It is remarkably accurate.

We leave a self-isolating note with delivery details on the door and the driver takes a photo that then appears on the app.

And, we now get a wave from the driver who gave us so much grief a year ago. 🙂

I do remember, Alfa. I’m very happy to use apps, but what do we do about those who don’t have smartphones?

I would have thought if you don’t have a smartphone, you are less likely to get caught by these fake texts.

Hermes also has an app, so it might be worth encouraging people to use it.
https://www.myhermes.co.uk/our-services/mobile-app

Marcus says:
18 June 2021

Cancel and send back! IKEA is woke.

kate ferguson says:
18 June 2021

Hi there. I think I have just received one from Royal Mail
I haven’t opened the email I received today but it has a track and trace number & says I must pay the delivery charge within 48 hours or I will not the delivery and this is my final chance to pay .? I am not waiting on a parcel.

Do you think this is a scam email? Thanks

Kate – It is almost certainly a scam attempt.

Royal Mail collects the postage charge from the sender and rarely has to collect a supplementary charge from the recipient unless the postage paid is insufficient. In those cases they always leave a card which enables either secure payment to be made on-line or, by affixing postage stamps to the surcharge value and returning the card to the local delivery office, releases the item for delivery. Royal Mail does not know the e-mail addresses [or the phone numbers] of the addressees of items in the postal system.

I cannot recall having to pay when postage has been insufficient, even when there has been no stamp, though the items in question have been identified and marked.

We have occasionally received a red card demanding a payment for postage due. There is a £1 surcharge as well as the amount of the shortfall. I have made the payment on-line because I don’t carry a stock of odd postage stamps to make up the variable amounts required. I am sure some people end up paying more than is necessary. It likely depends on the diligence or friendliness of your local postal workers whether or not you are caught. Our local postal staff are especially diligent and even go to the trouble before delivering of cancelling with their pen any stamps that have not been franked at the sorting office.

In years gone by the GPO was most insistent that all postage due was collected [special stamps were affixed to the envelopes] and that any unfranked stamps were cancelled to prevent them being steamed off and used again. Instructional posters were displayed at sorting offices for the attention of the staff.

The most common offenders in our experience are members of the family who do not seem to appreciate that great big greetings cards require much higher postage. I haven’t had the heart to make an issue of it – I could save that for my Will!

The only time I was asked to pay was for a letter which had gone through the machine with the corner bearing the stamp folded over. I did not have to pay and received a book of first class stamps, despite having lost nothing. It’s this compensation culture…

I get 2 or 3 messages every day purporting to be from FED EX. How can they even begin to believe that we are fooled by them. [Edited]

[Moderator: we’ve edited out part of this comment which did not adhere to Community Guidelines. Remember, comments which single out people of specific ethnicities, nationalities, or minority groups as the subject of ridicule or abuse are not welcome on Which? Conversation. ].

Liz Brewis says:
18 June 2021

We have had two of these Hermes scams. JUST DELETE THEM!!!!!

Nigel Dodd says:
18 June 2021

There is technology to shield the subscriber from the malevolent links, with a direction to a “safety page” It’s on offer to the mobile operators world-wide.
Ask your service provider what positive action they are taking, besides collaboration and conference calls.
While you’re there, ask them what they’re doing to stop your location being tracked, your calls being eavesdropped and your text messages being intercepted.

I am also getting these fake non-delivery messages on my phone, purporting to be from DPD. The number showing is 07306242890

Angela Penfound says:
18 June 2021

I had one a couple of weeks ago purporting to be from Royal Mail. Fortunately I live near the Sorting Office where they told me it was a scam and pointed out that they wouldn’t know my phone number anyway. Thank you WHICH for this service.

I notice the scammers are no good at % ages. £1.04 + 20% VAT does not equal £1.45!

Since the sender of a parcel is responsible for paying the shipping costs [and recovering them from their customer through the inclusive price or a separate charge] this whole scam is a racket that people should be able to dismiss at a glance.

Klaus says:
20 June 2021

Why do you keep this article specific to Hermes? I think it should be more about the type of the message and stressing all the different possible messages. I just received one this Friday which was supposed to be from ParcelForce and a while back one labelled to be from RoyalMail. These scammers switch the company names, text and links around. So warn for general missed delivery text not just the specific company, please.

Klaus – There are many other Which? Conversations either specifically on individual scam attempts [where Which? is trying to build up a dossier of personal experiences] or on these forms of contact generally and covering the many different ruses used by criminals to exploit people including domestic appliance cover, mail delivery charges, computer technical problems, false card payments, TV licence enforcement, driving licence renewal deception, and many other frauds.

If you go to the banner at the top of the page and click-on Topics you will see that Scams is listed as a sub-group in view of its current prominence. The numerous articles, both general and specific, are shown there.

I very rarely buy goods online but I ordered an item from Monsoon 2 days ago Express delivery. The next day I received a missed delivery text supposedly from Hermes. Because I was expecting a delivery I clicked on it and entered the details asked for. Only when it asked me for a payment did I realise it was a scam. It seems more than coincidence that I received the text right after the order. How secure are these online shopping sites?

Anne – Good job you didn’t proceed. Hermes always leave a card if they cannot deliver.

I am convinced there is an inside track on information with many firms. Hermes would probably not know your mobile phone number in order to send a text but Monsoon might. Are all their personnel totally trustworthy? It might be worth asking.

Chris Murray says:
24 June 2021

I, an 85 year old OAP, am now receiving fake deliveries from Hermes. Low cost plastic items that I have not ordered are arriving regularly. I am uncertain as to why? Or what to do?

Chris — I suspect that Hermes are just the carriers. I expect the goods you receive are being sent to you by a trader using what is called the “brushing scam”. It is more usually connected with Amazon and is about getting good reviews for products by setting up a false proof of delivery to authenticate the review.

You can read about it in this Which? Conversation which explains how it works. Click on this link and it will take you to the article –
https://conversation.which.co.uk/money/amazon-prime-brushing-scam-explained/

You will not be charged for the items you have received and you can do whatever you like with them. The problem is stopping them unless you can track down the sender. I don’t know whether Hermes can help you with that but it might be worth a try.

I’m sorry to see Which pushing this unproven theory about what’s behind the delivery of unordered items from Amazon as though it’s an undisputed fact.

I’ve seen no proof that it’s due to a so-called “brushing scam”, though of course neither have I seen proof that it isn’t.

But a bit of thought would suggest it’s unlikely. There will be much easier ways of inserting fake good reviews than spending money on non-ordered items, it just can’t be cost-effective.

Searching through Snopes.com, usually the best place for checking suspected fake news, we find in an article about unsolicited seed package deliveries “Better Business Bureau’s Jane Rupp has another theory. She thinks it could simply be a scam relating to customer reviews, in which companies post low-cost items so they can write fake reviews for their business in a resident’s name.”

So I suspect people, including the BBC and Consumers Association, have just been picking up Ms Rupp’s unproven theory and pushing it out as fact without thinking it through.

I understand some of the packages have the sender’s Chinese address on them, so if anyone were interested in doing some proper investigation it shouldn’t be too difficult to get someone to visit them and unearth the true reason for these deliveries. Perhaps Which could cooperate with the BBC and get a journalist to visit them and ask questions.

Graham – It would indeed be good if knowledge of the sender’s address in China would lead foreign media investigators to establishing what was going on, so best of luck with that one.

Linda says:
2 July 2021

I got the Hermes one two days ago. When I read that they wanted my date of birth I asked myself “why”? And then deleted the message. I’ve also had the one re non payment of an HMRC debt - the man has a deep stern voice. Funnily enough I got him again the other day (recognised his voice immediately!). This time I was accused of several serious crimes to do with my Nat Ins No.!!! I mean – idiotic to use the same voice!!

Just had similar text claiming to be from Fedex, went direct to fedex site and checked tracking number as I am expecting a parcel, No tracking information for that number. Address in text – ‘fedex-delivery.co‘, which when googled shows up on scan detector as scam site.

[Moderator: this website appears to be a scam website. We’ve retained the URL to help you identify it, but we’ve redirected the link to our guidance on how to spot fraudulent website. ]

John Trotter says:
30 September 2021

Yesterday had fake Hermes email about an order not made and reported this via 7726. Today a phone call from someone who could not speak English telling me there is a £2 cost to pay for some service. Again reported this and also blocked. I write a Scam Action Service column for Champion Newspaper in Merseyside, and these attempts are being highlighted in the next issue and on Facebook.

I got the Hermes text and stupidly clicked on the link and put in my details (email, DOB, postcode). When it took me to the payment screen I realised it was a scam. I’ve done an AVG scan but am worried about opening things such as banking apps etc. Am I safe to carry on?

I did the same today. Rarely shop online, had a Hermes text to say item out for delivery while I was out. Later had a text purporting to be DPD Local unable to deliver as I was out. I’d forgotten it was Hermes, embarrassingly entered my name DOB and address to ‘prove who I am’ to arrange redelivery. It did not go to payment just looped round on ‘Continue’ button. How are these phishers spying on delivery texts and emails to co-incide with genuine texts and emails?