Fraudsters attempted to wipe out a victim’s entire bank balance by setting up a clone Royal Mail website. Here’s how the scam worked and how it was stopped.
It started with a text, apparently from ‘Royal Mail’, claiming that a parcel was being held due to an unpaid shipping fee.
As Which? member Richard regularly exchanges parcels with family members who live abroad – and import and customs fees have increased following Brexit – this fake was particularly convincing.
The link in this text is disguised to look as though it points to the genuine royalmail.com website. This is done by capitalising the letter ‘I’ so that it appears to be a lowercase ‘L’. The link is therefore actually ‘royaimaii.com’, which redirected Richard to a slick phishing website.
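The disguise described above can be checked mechanically by comparing what a link looks like with what it actually resolves to. The following is an added example, not part of the original article: the `PROTECTED` list, the `CONFUSABLES` table and the sample links are assumptions constructed for illustration, and the check goes slightly beyond the capital-‘I’ case by also covering digit swaps.

```python
from urllib.parse import urlsplit

# Assumption: the genuine domains this checker protects.
PROTECTED = {"royalmail.com"}

# Assumption: characters easily mistaken for another letter in many fonts,
# applied to the link exactly as displayed (case preserved).
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o"}


def displayed_host(url):
    """Return the host as written in the message, with its case intact."""
    if not url.lower().startswith(("http://", "https://")):
        url = "//" + url  # let urlsplit treat a bare host as a network location
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0]  # drop userinfo and port
    return host.rstrip(".")


def visual_skeleton(host):
    """Approximate what a reader perceives: swap confusables, then fold case."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host).lower()


def _within(host, domain):
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return (verdict, real_host); real_host is what DNS will resolve."""
    shown = displayed_host(url)
    real = shown.lower()  # DNS ignores case, so 'I' is really 'i'
    seen = visual_skeleton(shown)
    if any(_within(real, d) for d in PROTECTED):
        return "genuine", real
    if any(_within(seen, d) for d in PROTECTED):
        return "lookalike", real
    return "unrelated", real


if __name__ == "__main__":
    # Constructed sample links, not taken from the article's screenshots.
    for link in ("https://royaImaiI.com/fee", "https://www.royalmail.com/track",
                 "r0yalmail.com", "https://example.org/"):
        print(link, "->", classify(link))
```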
A lucky escape from a perfectly timed scam call
Richard entered his contact details, date of birth and debit card details on this Royal Mail clone.
The thief attempted to spend £1 using the stolen card details. Fortunately, Richard’s bank declined this payment (noting that it originated from an unusual device) and contacted him before immediately cancelling the card.
But the scammers weren’t finished with their con.
The next day, they phoned Richard claiming to be his bank’s fraud team. Thanks to cheap number spoofing technology, his mobile phone identified the call as being from ‘First Direct’.
The scammer pretended to be calling to follow up about the fraudulent card transaction, aware by now that the card had been cancelled. Understandably convinced that he was speaking to the bank, Richard initially followed the instructions – to protect his current account by logging into online banking and setting up a new sort code and account number.
The scam caller then asked him to transfer his balance to the new ‘secure’ account, which thankfully rang alarm bells. Richard told us:
“At this stage the penny finally dropped and I told him I would prefer to call the bank myself to make sure that this was a legitimate exercise. He became very insistent and, essentially, tried to make me feel very guilty for wasting the bank’s time when they had called me to protect my money. When I asked him how I could be sure this was a genuine call he told me to look at the caller ID on my phone.”
Fortunately, Richard stood his ground and called the genuine First Direct fraud team who confirmed that this was a scam. Which? reported the fake text and phishing website to both Royal Mail and the National Cyber Security Centre (NCSC). We also advised Richard to sign up for Cifas (£25 for two years) to protect against identity fraud.
How to spot genuine Royal Mail communication
A Royal Mail spokesperson told us:
“Royal Mail will only send email and SMS notifications to customers in cases where the sender has requested this when using our trackable products that offer this service.
The only time we would ask customers to make a payment by email or by SMS is in instances where a customs fee is due. In such cases, we would also leave a grey card telling customers that there’s a Fee to Pay before we can release the item. This would apply either to an international customs fee or to a surcharge for an underpaid item. This card may arrive later than the email or SMS. Royal Mail Group works hard to prevent and detect fraud.
We work with UK law enforcement agencies, Trading Standards and other organisations to share information and support robust proactive action against scams. Customers looking for advice on how to spot a fake notification should visit www.royalmail.com/scamprotection. Here they can view examples of current scams, and get advice on appropriate action”
Is it really your bank calling?
As this example proves, scammers can use number spoofing software to display false caller-ID information and trick you into thinking that their number belongs to your bank or another legitimate business.
Which? is also aware that many scam callers will attempt to trick you into installing remote access software to ‘fix’ a spurious problem. This software is used by legitimate businesses – including the Which? Tech Support team and many IT support firms – but criminals abuse these tools to hack into email and bank accounts.
Call-blocking services and phones offer some respite from unwanted calls. But the easiest way to stay safe is to hang up and call back on a phone number you trust, such as the one on the back of your debit or credit card.
If you fall victim to fraud, contact your bank immediately and follow our step-by-step guide to getting your money back.
Have you had an experience of this Royal Mail scam? Let us know in the comments and, as always, help us warn friends and family.