/ Scams

Warning: fake texts link to a cloned Post Office website

A new delivery scam impersonating the Post Office is one of the most convincing clone websites we’ve seen. Here’s what you need to watch our for.

We received more than 2,000 reports of delivery text scams via our scam sharer tool last year. Our survey found that three in five of us have been targeted by scam delivery texts, typically using Royal Mail, DPD and Hermes company branding.

This time, the scammers are targeting the Post Office.

Post Office delivery scam exposed

Which? has seen variations of fake texts claiming that a parcel delivery has failed, asking recipients to click the link to ‘book a new date’ or ‘reschedule a delivery’ via two sites that have nothing to do with the Post Office.

Clicking the links takes you to extremely convincing Post Office clones, shown below. The websites were only set up in the last few days, and all other information has been ‘redacted for privacy’ – always treat new sites that hide information with suspicion. 

The first step of the scam is to invite you to enter your postcode before asking for your full name, delivery address, email address, date of birth and mobile number. This information is fed directly to scammers who could use it commit identity fraud. 

But they aren’t done yet. Next, you’re invited to pick a new delivery date and hand over your card details to cover the ‘redelivery charge’ of £1.10.

The scammers can now attempt to steal money directly from your account, as we demonstrate in this exclusive video about what happens if you follow a scam delivery text

Cleverly, the scammers even tell you that your redelivery request has been ‘processed successfully,’ confirming the new date and asking you to press ‘exit’ – this redirects you to the official Post Office website, making this fake even more plausible. 

Action taken against cloned sites

We reported this phishing website to the Post Office and the National Cyber Security Centre (NCSC) using its suspicious website tool. We are pleased to say that action is being taken to remove and block both websites.

A Post Office spokesperson said:

Scammers use our name, but Post Office never delivers letters and parcels. This is the job of Royal Mail.

Once we become aware of a fake Post Office website, we pass this information over to our digital enforcement partner. If there is a live website displaying our brand, we can submit a request for ‘takedown’ with the domain registrar that the URL is registered with.

In a lot of these cases, these websites are only live for a matter of days – mainly because once people start reporting a web URL to 7726, the site becomes untrustworthy. Web browsers will also start flagging whether a site could be a phishing site and start blocking attempts for people to access them.

This combination of reporting and network / device-based checks will intervene. These sites are then usually taken down fairly quickly. However, in our experience, once one site is taken down, another appears. From our data we’re aware of over 1,000 domain names that we suspect or know have been set up to be used in delivery phishing scams in the last nine months alone.

The Post Office has also launched a social media campaign to warn the public of impersonation scams:

What to do if you’ve been scammed

If you give your financial data away to a scammer, you should tell your bank in the first instance. Many banks let you cancel your cards via the mobile app so do this immediately if you can. 

Keep a close eye on your bank statements and credit report – we explain how to do this for free in our guide. You can also sign up for Cifas (£25 for two years) to protect against potential identity fraud.

Banks must refund unauthorised transactions by the end of the next business day – unless it has grounds to believe you authorised the payment or acted fraudulently.

If your bank refuses to refund you, our guide explains how to get your money back.

Have you received these fake Post Office text messages? If so, did you believe they were genuine? Have you lost money to this scam?

If so, please get in touch in the comments and submit the details via our scam sharer tool. Want to share screenshots of a scam with us? Please email them to conversation.comments@which.co.uk

Comments

Hello, I’m sure that this must have been brought up already, but I didn’t see it in the messages above. Do you all agree that these scams constitute a serious crime, yet how often do we hear of convictions in the media? Is it because that police don’t have the resources to tackle it, or are the scammers too clever for them? I understand that a lot of scams are from abroad, but surely that could be overcome. If there is some international cooperation on this, then maybe it could result in less criminal activity. How often is online phishing investigated by the authorities resulting in a conviction? There must be ways of tracking fraudulent online websites and tracing them back to the people responsible. If there was more publicity around this crime then convictions would act as a means of ending it.

I agree. We should not under-estimate how difficult an investigation might be, but it would be comforting to see at least some convictions. If the police and government bodies cannot deal with this, then perhaps there should be some privately-funded investigations where the perpetrators are tracked down and exposed. In the world of cinema drama, these hateful people would be more than ‘exposed’, but, much as I detest them, I would be happy simply to read that they had been brought to justice.

Here are a couple of emails containing links that I received on 4 December:

I was expecting a delivery from Apple between 7 and 14 December but without any indication of an order number or any other information that might confirm that text was genuine I decided not to open the link in either text and DPD delivered my new laptop during the day.

I have just opened one of the emails and it includes a photo of the box and my feet at the front door. The URL in the text messages looks plausible but that is not a reliable guide since genuine ones can be spoofed.

Come on DPD and get your act together.

Philip says:
23 January 2022

You are always right to treat such communications with suspicion. However, in defense of DPD, they did provide the name of the sender as an additional check. (I have no connection to DPD other than being a regular recipent of parcels delivered by them).

Check details carefully, even if a text looks familiar and is expected, because genuine text/email formats and wording can easily be copied by scammers to make them appear genuine. However, the indication that the text is genuine is the correct URL / domain name for DPD. If you are in any doubt about a URL, you can Google the name of the company to find their website for details. If you need to change the delivery time and still in any doubt, check the status of your order (confirmation of dispatch; name of the courier used; parcel tracking number). If you have a tracking number, use the delivery tracking service on their website instead of the link in the text. Alternatively, contact the courier directly using details from their website.

Thanks Philip. I believe that it would be better if I had been given a tracking number rather than a link. That would have enabled me to look up the DPD website and enter the number. Unfortunately web addresses that look OK can be spoofed.

Many scams make use of links in text messages and Which? has given us enough examples. Perhaps the companies and organisations that use these links should remove the risk by eliminating them.

The Which? Best Practice guide (see end of introduction) recommends not using links unless absolutely necessary. I very much support this, Philip.

I have usually been given a consignment/tracking number by the senders of my orders and the name of the carrier, so I can check delivery details directly if I wish. This is usually followed by a notification from the carrier with delivery details and a link, sometimes, to change the date. As the two are related to a known order they seem quite appropriate.

The communications from financial institutions, particularly if unexpected, need to treated cautiously. I, as others should, access my accounts directly. I see no need for links to be provided and would support moves to have them avoided.

This does not solve the problem as many people will take no notice of advice not to click on links, even when they arrive in fraudulent communications

FARUK says:
20 January 2022

UK INEFFICIENT POLICE/COURTS THEREON

tony greenstein says:
23 January 2022

[This comment has been removed in line with our community guidelines – please do remember to keep comments on topic. Thanks – mods.]

Rescheduled is spelt wrong which is the first thing I noticed !

Angela Terry says:
21 January 2022

Oh, well done, I didn’t spot that. Even if I had, it would have still caught me, as so much reporting these days is filled with poor spelling.

Sharon Hunt says:
21 January 2022

Me too!

Jonathan Posner says:
21 January 2022

Also should be a cap ‘N’ on ‘Not to worry…’
This demonstrates to me the need for genuine sites and communications to have correct grammar and spelling – so that fakes are easier to spot!

I received the weekly list of local scams and rogue traders from Norfolk Trading Standards yesterday. This fake Post Office scam was included but the information provided did not make the crucial point that the Post Office does not deliver post or parcels; that is the Royal Mail’s [and other carriers’] job. Being aware of that is a key part of avoiding being deceived by such a scam. Any message from the Post Office about a postal delivery is definitely a scam and can safely be ignored and deleted. Which? should have made that point as well in the Intro to this Conversation; it is the key indicator of a scam in this instance.

Jeanette says:
21 January 2022

Puzzles me how so many people fall for these scam, everyone should know that all delivery companies leave a card when they are unable to leave a parcel, even when they leave it with a neighbour or in a save place they do put a card though the letter box. If not sure contact your local postal delivery depot. When I have had a genuine text from a delivery company I also get an email as well.

I have had packages that were to be delivered by Royal Mail but no card was left, the sender only gave the tracking from Germany not the one used by RM, by the time I had the local tracking number the packages had been returned to Germany never to be found.

My partner has just almost fallen for this scam – he was expecting a delivery. He has put his details in but stopped when it got to the part about entering his card number etc and gave it me to look at. (So he could now be a victim of ID fraud) It was extremely convincing.
I was getting cross with the postoffice that they were only giving an option to pay for re-delivery -no option to collect and he shouldn’t have to pay for redelivery (even £1.45!). And I ranted about why the hell they needed his DOB (said something about dangerous items and under 18s)
On their website it said something about no longer leaving failed delivery cards due to Covid 19. I thought this was just outdated info – I know they are currently leaving cards but also we were in when they said they had tried to delivery . In the past we had a rogue delivery person who didn’t even try to deliver, we got a the card in the post a couple of days later telling us to collect…
Agree that the police should do more – this happened yesterday so this scam has been active for a couple of months. My partner suggested we report it -but I don’t really know where to.
Also delivery companies need to think about how many texts etc they send and the information they include. (It is often hard to find the right tracking info from an independent web search – I never click links in emails/texts )
Finally all companies inc gov bodies should have a think about the personal information they ask us for. Is it really necessary? My partner obviously wasn’t surprised to be asked for so much personal data just to get a parcel – and this is because we are asked for so much data on a regular basis, it is normalised and it shouldn’t be!
(I could rant here about why the Scot government need me to give a hd image of my driving licence and a live face scan to a private company so my child can have free bus travel added to a card obtained through the school so they can pay in the school canteen – which is already an id card by stealth – the photo has to meet passport/biometric standards. )

Anura says:
21 January 2022

While my current phone is only about a year old, it’s nowhere near top of the range (I paid around a couple of hundred quid for it). Without any action on my part, it automatically sends all these scam messages to its spam folder and warns me that they’re scam/fraudulent. Does nobody else’s phone do this?

In any event, even if that didn’t happen I wouldn’t follow links in emails/texts as a matter of course and even if I’m 99% sure it’s genuine, I still check it out thoroughly if it absolutely requires a click (think Covid vax invitations).

On the other hand, I have relatives (not elderly) who, despite my warning them every time they tell me they’ve received one of these ‘odd’ messages, still follow the links ‘just in case’. Luckily, I think the site has been taken down by the time they’ve done so as each time they’ve been sent to a blank page but I think you simply can’t help some people no matter what you do.

I have Mr Number app on my Moto android phone it flags most scam phone calls and messages

David Palmer says:
21 January 2022

Could ‘Which?’ please pressure the BBC to produce and televise a regular programme of ‘Scam of the Day’ or ‘Scams of the Week’. This would highlight the problem to a large number of people, and most likely reduce the effect of these scams.

David, the BBC is the biggest scammers, and been doing it for years via the Licence fee currently
£159.00 per annum, Freeview should convince all of this the biggest Scam!

Phil — Freeview is just a multi-channel selection and tuning function. Some of our TV Licence fee goes towards its operational costs.

As well as for access to TV channels the licence fee also pays for BBC radio programmes and the BBC website.

The licence fee is set by the government, not the BBC, and the government has now pledged to freeze it for two years and its policy is to abolish it from 2024. No decisions have yet been made on what will replace it or how the BBC should be funded.

Could you please explain what dissatisfaction you have with the range of channels and programmes that the licence fee enables you to watch for no further cost or subscription? Perhaps you also have some ideas on what should replace the licence fee in terms of providing public service broadcasting, radio and internet content.

Pete says:
22 January 2022

I rather think the licence fee is to enable the BBC to produce all its output without having to insert Adverts into everything they broadcast. To me it is well worth it. not least because it gives them independence from so many pressures. I strongly object to the government trying to abolish the licence fee without putting an (advert free) alternative in place. Particularly as I distrust their motives.

The BBC licence fee also pays for the outrageous salaries of staff (not just Gary Lineker!), and the palatial HQ in the most expensive part of London. Their salaries should be halved and the operation moved to Peterborough. Reporters who need to be in London can stay at the Premier Inn.

I hope it doesn’t come to that, Dylan.

I would hope that a high standard public broadcasting service would survive, and TV needs to invest in its talent — which is more important than hardware and property. The talent will gravitate to where it feels most comfortable, of course, which imposes certain requirements on any broadcaster. In my opinion there are signs that the BBC is struggling to maintain too broad a range of services to do them all justice in terms of the quality of talent employed, so some rationalisation would be beneficial. It still needs to produce content for all segments of the audience and its own standards greatly affect the quality of the competition or alternatives.

Many of the channels available in the UK feature good quality programmes from the archives made by the BBC and the ITV companies some years ago when there was little threat from foreign broadcasters and from streaming. I don’t think we will or should go back to those days but I should like to think we can maintain our capability to produce good shows, documentaries and other programmes without the time-wasting commercial breaks with their inevitable recapitulations of the preceding material.

Early TV programmes were not always good quality by any stretch of the imagination and it is good that most of it has not survived to be broadcast again. The huge improvement in technical standards in the recent decades has made the most significant difference but in my view the quality of the content has usually not kept pace, although there have been some notable exceptions because we can still produce good writing and acting when we try.

This kind of scam is inevitable when so many legitimate companies are insisting on being given information that can lead them to ignoring or side-stepping the GDPR laws on marketing; it is impossible to buy anything from them without giving them the information they want, such as a mobile phone number etc. This stinks, and it gives the green light to scammers because the public are increasingly used to being groomed to give more and more information by unscupulous but legitimate companies.

The public are being increasingly but surreptitiously groomed by legitimate companies to give valuable information to them because so many on-line purchases can’t be made without uncessesarily giving a mobile phone number etc., and all because these companies want to ignore or side-step the GDPR laws on direct marketing. It’s no wonder scammers are taking advantage of this.

Thankfully many companies do respect GDPR. When no-one trusts unsolicited callers those involved in telephone sales will need to find another job.

At least it is easy to change a mobile number (don’t forget to let your contacts know) if you are harassed with calls but it’s not so easy with a landline number.

Even Sky side steps GDPR rules by sending direct marketing to addresses where all residents are registered not to receive direct marketing. They do this by addressing it to ‘the tv lover’ or ‘to the home owner’ or similar then print at the bottom of the marketing “No personally identifiable information about the recipients has been used in the creation of this mailing” clearly the GDPR rules are not strong enough or have loopholes that businesses can use. With all this is it any wonder criminals can use the smoke screen put up by the likes of Sky to operate the scams.

Sky is far from alone in this and while such mail might be unwelcome it is not a contravention of any regulations since it contains no content personalised to any individual’s particular circumstances. It has always been possible to pay to send anything to any address. I don’t have any objection to receiving such material if it helps keep down the cost of the postal service and, once in a while, I find something of possible interest. It is usually easy to decide at a glance whether to open or discard the mailshot.

I’ve an email today from Which? Connect with a link to an online survey about my investments and SIPPS. I haven’t done the survey but this will no doubt ask for some financial information that I may not want to divulge to just anyone. I am happy to help Which? with surveys of any kind but, in the climate being created of sophisticated frauds using fake communications, I am made probably too wary.

I would be much happier if Which? invited me to log in to my account and access the survey that way.

Which? News today :
https://www.which.co.uk/news/2022/01/warning-fake-investment-scam-emails-pretending-to-be-from-which/
It reinforces my view that Which? (Connect) should ask us to log in if they want us to provide potentially sensitive information, rather than provide a link.

Jill Cantor says:
21 January 2022

Don’t Royal Mail leave a hand-written card if you are not at home when they deliver? It should be made clear that unless you receive this card, the message is fake.

Yes, Jill — The benefit of a card left by Royal Mail and other carriers is that it is a direct connection to the delivery address. A mobile phone message could be going anywhere and does not establish that the sender is in possession of the parcel. A Royal Mail card also contains the address and contact details for the local delivery office should the recipient prefer to collect the item.

I wonder how efficient Royal Mail is. Over the years I have had letters marked as having insufficient postage yet have never been asked to pay. I have even had several letters delivered without any postage or franking mark. The only time I have been asked to pay I handed back the letter to the postman and pointed out that the corner had been folded over in transit, concealing the stamp. We had a good laugh and I received a book of First Class stamps.

John – Do you know if there is a current list indicating which carriers leave cards and which do not? Maybe it would be good practice to do so.

Overall I think Royal Mail is very efficient given the volumes it handles and the universal coverage it provides — and which no other carrier attempts to match. Bear in mind that it has lost a lot of business because other companies are now allowed to process bulk mail and merely hand it over to Royal Mail for the final delivery section of its journey. This is over and above the volume of correspondence it has lost to the internet, of course.

Like any big organisation it does suffer occasional lapses in performance and process management. Occasionally we get letters where the stamp has not been franked, but just as often we find the postal delivery worker has cancelled the stamp manually. Most postal sorting is now a digital/mechanical process and glitches presumably occur from time to time whereby the franking misses the stamp for whatever reason. We have also had a small number of letters with insufficient postage where we had to pay the postage due plus a £1 surcharge to have them delivered [to my utter shame and embarrassment one of these was a St. Valentine’s card I sent in 2006 and could not be delivered until after I had sent back the notification card bearing stamps to the value of the requisite fee].

In the overall scheme of things, and bearing in mind that the vast bulk of post is pre-paid or franked by the sender, I don’t suppose it pays Royal Mail to worry too much about the odd unfranked delivery. Or perhaps your posties are of a benevolent inclination and choose not to obliterate unfranked stamps.

I am not aware of a list of which carriers leave cards and which do not. From my own experience the following carriers do leave a card: Royal Mail, DPD, DHL, UPS, Hermes, Yodel, and Amazon. In most cases except Royal Mail the carriers say on their card that the item has been left somewhere else [e.g. with a neighbour or in a safe (?) place]; Royal Mail routinely take undelivered mail back to the delivery office unless the recipient has nominated a safe place on their property or with a neighbour. I doubt there is much room in the market now for any more carrier companies to spring up and there could be some more amalgamations in the interests of efficiency. There are one or two I wouldn’t miss.

So far as I know carriers do not have to be licensed or regulated and I am not aware of a code of practice. I am not convinced at present that moves in that direction are necessary.

Thanks for the list, John. Hermes left a large parcel outside my neighbour’s door. I have taken it for safe keeping.

The letters I referred to have been marked as having insufficient postage and what I am expected to pay but it has never been collected.

Hermes delivered a parcel of raspberry canes to me yesterday. The sender had notified me two days before that the parcel was in transit, the carrier and a tracking number. Hermes then sent me an email with a 2 hour delivery slot. It arrived on time.

If I order something online I think it is reasonable to be available to receive it if notified properly, as I was. I have had carriers ask me if I would take in a parcel for a neighbour. Often senders will ask where a parcel should be left if I am out; seems a sensible system.

Wavechange — It’s a long time since I have seen a letter asking for the payment of postage due. The arrangement that I am familiar with for over a decade is for the Royal Mail to leave a card to which you can either affix stamps to the value required or use the reference details to go on-line and make a card payment.

Malcolm — Hermes has got much better recently but it is only as good as the companies that employ them and some of those do not notify their customers of impending deliveries. I find that is particularly the case with horticultural suppliers. Sometimes plants are ordered weeks or even months before delivery and then they suddenly turn up unexpectedly and require attention. This is no longer much of a problem because we hardly go anywhere else these days and spend much more time in the garden.

One thing I have found over recent months, however, is that Hermes can take four or five days between notifying me that they have a parcel on the way and delivering it, and a couple of weeks ago a parcel arrived before the timeslot notification. Compared to other carriers, I find Hermes somewhat inconsistent; their local deliverer is a woman with a small car who always gives the impression of being run off her feet so I have some sympathy and do not complain.

I had two items without postage around Christmas and they came through the letterbox with stamped mail. They came without a card or any comment on the letters.

The letter asking for payment was years ago but that was the only time I have been asked to pay for postage. I came across it when I was moving house in 2016.

The postage had obviously been paid for so I trust you cancelled the unfranked postage stamps yourself, Wavechange, to ensure the Royal Mail was not diddled by someone steaming off the unfranked stamps and reusing them. I think that would count as an act of larceny.

The letters I am referring to had no stamps and were unfranked, and they were not pushed through the letterbox by a neighbour.

It could have been a delivery by one of the casual recruits that Royal Mail employed to deal with the seasonal workload and who had forgotten their training [if any].

Perhaps they contained Christmas cards but no sender details. If you had been requested to pay the postage due plus the surcharge and refused I suppose Royal Mail would have been unable to deal with them so would have destroyed them. Putting them through your letter box [as the addressee] was probably the best means of disposal.

I get more stamped mail at Christmas than during the rest of the year now. There is a fair chance that temporary staff are delivering mail at that time.

Pete says:
22 January 2022

A couple of years ago I posted a letter containing a flat metal piece to a friend. It was heavy but not overweight. It was not delivered but he got a note stating it was overweight and asking him to go to a delivery office some 20 miles away. He was understandably miffed but blamed me! I had already re-made the items (an hours work). Eventually I got an apology from the post office and a book of stamps but for the delay, his time and fuel and my time it really was a bit of an insult.

Depends on your postman/postwoman

This Conversation warns that “fake texts link to a cloned Post Office website”.

It would be interesting to know which genuine Post Office website Which? thinks is being cloned.

We should rightly check for spelling mistakes and awkward grammar when defending ourselves against spam attacks, but first and foremost we should be sure that the message is at all plausible, and this one isn’t. The Post Office does not deliver post and parcels, and Royal Mail is not part of the Post Office. The scammers’ biggest blunder is copy-catting the Royal Mail’s house-style under the guise of the Post Office.

People say that scams are clever and sophisticated. I disagree; this one is dumb and should fool no one. In the Intro Which? says it is “one of the most convincing clone websites we’ve seen”! Really? !

Whether they are clever and sophisticated or not, many people are taken in by scams. The techniques used by sales staff and those used in marketing are an insult to our intelligence but they encourage sales.

I suspect that there are many people who still regard the Royal Mail and the Post Office as related and as someone pointed out they still share red branding that will continue to foster this confusion.

I do not know how many have or will be taken in by this scam so reserve judgement on whether it has been worth publicising but other unsophisticated scams have been very successful.

Wavechange — I pointed out earlier today that the Post Office and Royal Mail have completely different branding – see comment https://conversation.which.co.uk/scams/post-office-fake-delivery-text-message-scam-website/#comment-1644306.

I agree that the official name for the colour of Royal Mail’s post boxes and mail vans is Post Office Red, but that colour is also shared with telephone kiosks operated by BT.

I have no desire to be uncomplimentary about the general intelligence of the population but it is an unfortunate fact that dumb and unsophisticated scams clearly generate a good return, and, as others commenting here have noted, are virtually immune from detection and prosecution which thoroughly sickens us all.

That was in response to a contributor who suggested a change of colour. That could have helped the public better understand more about the roles of the companies even if many of us already have a reasonable understanding.

We can and should help people to be aware of scams, the risks and how to avoid them but as you have pointed out scams have a good rate of return. Since it is not possible to be aware of all of them the best approach is – in my view – to understand the principles. This is a way that anti-malware software can afford protection from novel viruses.

There seems to be a frequent failure to adopt best practice. Would it be difficult for DPD to include an order or tracking number in their text messages, as other companies manage? They and other companies could get rid of the ‘convenient’ links that are not essential but can be exploited by scammers.

I am still waiting to be convinced that links in text messages (rather than emails) are vital. I don’t click on them and you don’t look at them, John.

I agree it would be helpful if DPD, and any other carriers who don’t already do so, would include a unique reference to the delivery in their messages. We don’t normally have more than one delivery expected from the same supplier at the same time so when DPD inform us that they have a parcel from John Lewis for us it ties together. What would be even more useful wold be for John Lewis to confirm which carrier they are using before dispatch; after placing an order, the next thing we hear is from the carrier telling us that they have the goods and will be delivering them shortly. That would narrow down the opportunities for any criminal activity.

Absolutely. By sharing best practice we could cut down crime.

The Which? report on this scam has found its way into today’s Daily Mirror which has obtained comments from the Post Office.

A Post Office spokesperson explained: “Scammers use our name, but Post Office never delivers letters and parcels. This is the job of Royal Mail.”

The Post Office went on to explain: “Once we become aware of a fake Post Office website, we pass this information over to our digital enforcement partner.

“If there is a live website displaying our brand, we can submit a request for ‘takedown’ with the domain registrar that the URL is registered with.

“In a lot of these cases, these websites are only live for a matter of days – mainly because once people start reporting a web URL to 7726, the site becomes untrustworthy. Web browsers will also start flagging whether a site could be a phishing site and start blocking attempts for people to access them.”

7726 is the number for forwarding scam texts and mobile phone messages, not website URLs.

Maybe the Daily Mirror has mixed up what to do with 7726 in the same way that its. readers might be confused over the Post Office and the Royal Mail.

It would be interesting to know if using 7726 does trigger prompt action.

That was a quote by the Post Office spokesperson, not a Daily Mirror comment.

I thought it was good that the newspaper obtained a comment from the Post Office. It is the only report on this issue I have seen that mentioned the key indicator of this scam, namely that the PO does not deliver post. Even Which? did not seem to be aware and appeared to be more alert to typographical and presentation failings.

Ignorance is the father of the scam so anything that improves public understanding is helpful in my opinion.

Please can more emphasis be placed on pausing to think first before reacting to texts or emails.

I help older people in learning IT skills and I always explain how many of these scams work by trying to get you to respond without thinking.

Incorrect spelling, dodgy urls and wrong logos have been spotted in this example because we’ve been told it’s a scam. All commentators here are in “thinking mode”.

We need to suppress our instinctive emotional reaction to these messages and think first.

Yes, this can be difficult because some of these scammers are very clever and generate strong reactions…

BUT REMEMBER

this is not a LIVE call
you do not have to respond IMMEDIATELY
you can put your PHONE DOWN and make a cup of tea
you are now in THINKING MODE
you can look at the message again and ASK YOURSELF is this for real
if you’re not sure, LET ME KNOW

… and on just about every occasion the message/email was a scam.

LIVE calls are way more dangerous and from personal experience some are extremely nasty.

Always remember that these people are criminals out to steal from you, whether it be a live call, recorded message, text or email.

THINK FIRST.

On the tech side it would help if domain registrars could be more responsive/proactive in dealing with domain registrations.

Some time ago now I came across a dubious web site with a domain name similar to a major bank.
The only reason I could see for the web site was to deceive.

I sent a simple email to the domain registrar to that effect.
I had a reply almost immediately saying that the domain had been suspended pending enquiries.
Very pleased with the response, but that’s the only time it’s ever happened.

(Others, subsequently, have passed the buck or made me jump through hoops to make a complaint)

However, I was concerned that no alarm signals had been raised when the domain was originally registered as it was clear that it could be misleading which was as it turned out exactly its purpose.

Question:
If I come across a dodgy domain where is the best place to report it?
I encounter a few from time to time and I would like to be able to report so that action can be taken as quickly as possible.

Is there a single place where I can go to do this.

I have wondered the same Tim. I have sent dodgy pages to report@phishing.gov.uk

Which? should be able to tell us because I presume it reports dodgy websites before providing them as a examples. Apart from one which was a well known site selling fake counterfeit Clarks shoes the others had been terminated.

I would also like to know what checks the registrars to reduce the risk of misuse of domains. It looks as if checks are needed before granting services and when they are in use.

From the introduction: “Scammers use our name, but Post Office never delivers letters and parcels. This is the job of Royal Mail.”

Fair enough, but if you are not in when your Royal Mail or Parcelforce delivery arrives, you can arrange to collect it from a Post Office, as an alternative to redelivery. I suspect the confusion will run and run.

I must admit I didn’t notice that when I first read this Conversation.

If you are not in when a delivery is attempted and cannot be left you can choose to have a redelivery or collection from a Royal Mail distribution office or have it delivered for a post office for collection. Where is the confusion?
https://www.royalmail.com/receiving-mail/redelivery

Two companies are involved. Maybe the scam designer was confused and put the Post Office logo instead of the one for Royal Mail in the scam text.

There is a close practical link between the two businesses. While the Royal Mail collects and delivers letters and parcels, you go to the post office to buy stamps, hand in parcels for collection, post many letters that require pricing, proof of delivery, registering etc and the option to collect undelivered items.

There is certainly room for confusion, which scammers exploit either by ignorance or design. However, if we are to avoid defeat by scam we have to learn the distinctions between different companies and remember that the Post Office does not deliver mail, so any messages saying they do are scams and no further examination of them, or analysis of their typography, is required.

We should not fool ourselves that this was a sophisticated scam so we can forgive ourselves for falling for it.

Maybe Postman Pat could be instrumental in helping the public distinguish between the Royal Mail and the Post Office, but at present there certainly is confusion.

Perhaps it’s worth thinking about how scams are possible. In this case a domain registrar has provided the scammer with a web address (URL) that has then been used for illegal purposes. It is clearly necessary for those who lease domains should be screened carefully and their activities monitored in case the site is operated legitimately for a period before being misused. In this scam the URL is “driver-department-info.com”. Did the domain registrar check that this domain name was appropriate for the intended use or might that have provided a clue as to how it could be used.

Tim.W asked a good question:
“Question:
If I come across a dodgy domain where is the best place to report it?
I encounter a few from time to time and I would like to be able to report so that action can be taken as quickly as possible.

Is there a single place where I can go to do this.”

Scams succeed because the scammers are provided with banking services. Again there is the possibility that an account could be operated properly to start with, so adequate monitoring is essential.

Unfortunately, we cannot prevent illegal activities but I believe that business could tackle its failings that have allowed scams to proliferate, and of course governments should be making sure that this happens.

I do not see in normal life that any confusion between the Royal Mail and the Post Office is of any consequence. Nor do I see how domain registrars can check whether a site will be used fraudulently. Whether, once a domain has been thus used, they can then bar the same applicant from taking up new domains in the future is a question. But, as we know, criminals are clever, will use different methods to secure a communications route. Just as they open bank accounts and establish credit card facilities.

Would that businesses, governments and other organisations could prevent illegal activities. How?

I can see opportunities for tackling the misuse of domain names though I do not know enough about the business to know about how it is currently managed.

I’ve run websites for 27 years (at that time there was little business use) and in that time there have been no questions about what I proposed to use them for. Soon I will have one that will be capable of taking money for what’s now called merchandise. The intention of a couple of my colleagues is to sell mugs, keyrings, etc. I wonder if I will be asked to provide information, if there will be limits on transactions and what would happen if next year the site was used for dodgy purposes.

Even if we as individuals do not see the opportunities prevent crime that does not mean that we should not push for action. A great deal has been done to protect us when we use computers but there are plenty of opportunities for action in the financial world.

Yes, my point simply was this. There are lots of detriments about which I would like to see “something done” but unless someone takes an active interest and seeks informed and expert input nothing happens. We need to look at practical and realistic solutions to make progress.

Maybe in the case of domain names being used in the execution of fraud Which? could explore the possibilities of controlling it with relevant people?

So we need to push for action otherwise scams will just continue.

The biggest need is to tackle the problem of banking services being used by criminals. If the banking industry is made more responsible for reimbursing fraud victims it may be forced to do more to tackle and prevent illegal use of its services.

Again, there needs to be properly considered and practical proposals as to how best to tackle fraud. Let’s see them made here.
I’m not sure whether “tackling fraud victims” meant that, or meant perpetrators.

There is no point. It would be like playing Monopoly or Diplomacy and pretending it was real. Leave it to those who have expertise, access to information and insights into crime.

But we can push for action.

I continue to ask Which?, who publicise these issues and should have access to information, expertise, knowledgable people, to be constructive in their approach and not just focus on compensation; that does not solve the problem. A responsible approach would be to keep us updated with work on solutions and how detriment might realistically be mitigated.

Commenters have made useful proposals in the various Convos and discussed the issues. Better than just saying something must be done, in my view.

There is every point in being constructive in discussing this topic, as with others. Except, as I have suggested, does anyone take any notice of Convo comments and take them into account in their work? If not then, perhaps, that is when there is no point.

The POST OFFICE does not deliver parcels. The ROYAL MAIL delivers letters and parcels. The POST OFFICE is now a separate company believe it or not! All part of the marvellous privatization of this great British Institution done by the Conservatives some years ago. The public still talk about The Post Office still being part of the Royal Mail. Well they do sell stamps and take parcels from you to be delivered but have absolutely nothing to do with delivering them.
Whoever is doing this terrible scam is obviously either not aware of this or targeting people who are not up to date with current affairs.

Now that our village Post Office has reopened I should be able to collect undelivered parcels from there to avoid having to stay at home waiting for a delivery: https://www.postoffice.co.uk/mail/collection-services

Tjis happened to me, I received a text saying the post office couldn’t deliver a package and they dont put the red cards through the letter box due to covid and I had to pay a re delivery fee to get my parcel, well firstly I hadn’t ordered anything so that was the first red flag. So I spoke to my postman who said they do use red cards to either tell you the package was with a neighbour and there was a number to ring the sorting office to arrange for another day for your parcel to be deliverec and they never ever ask you to pay for re delivery. So I text them back and said ‘ bugger off ‘ excuse my language.

Sarah — A pathetic scam attempt but it probably catches enough people to make it worthwhile for the perpetrators.

It would be helpful if Royal Mail would put a message in the franking mark on all letters passing through their sorting offices to remind us that (1) they always leave a card in the event of non-delivery, and (2) there is no charge for a redelivery.

Although your polite and restrained response to the scammers was understandable, it is probably not a good idea to reply since that just confirms that they have struck a target and can try another tack.