Warning: fake texts link to a cloned Post Office website
We received more than 2,000 reports of delivery text scams via our scam sharer tool last year. Our survey found that three in five of us have been targeted by scam delivery texts, typically using Royal Mail, DPD and Hermes company branding.
This time, the scammers are targeting the Post Office.
Post Office delivery scam exposed
Which? has seen variations of fake texts claiming that a parcel delivery has failed, asking recipients to click the link to ‘book a new date’ or ‘reschedule a delivery’ via two sites that have nothing to do with the Post Office.
Clicking the links takes you to extremely convincing Post Office clones, shown below. The websites were only set up in the last few days, and all other information has been ‘redacted for privacy’ – always treat new sites that hide information with suspicion.
The first step of the scam is to invite you to enter your postcode before asking for your full name, delivery address, email address, date of birth and mobile number. This information is fed directly to scammers who could use it commit identity fraud.
But they aren’t done yet. Next, you’re invited to pick a new delivery date and hand over your card details to cover the ‘redelivery charge’ of £1.10.
The scammers can now attempt to steal money directly from your account, as we demonstrate in this exclusive video about what happens if you follow a scam delivery text.
Cleverly, the scammers even tell you that your redelivery request has been ‘processed successfully,’ confirming the new date and asking you to press ‘exit’ – this redirects you to the official Post Office website, making this fake even more plausible.
Action taken against cloned sites
We reported this phishing website to the Post Office and the National Cyber Security Centre (NCSC) using its suspicious website tool. We are pleased to say that action is being taken to remove and block both websites.
A Post Office spokesperson said:
Scammers use our name, but Post Office never delivers letters and parcels. This is the job of Royal Mail.
Once we become aware of a fake Post Office website, we pass this information over to our digital enforcement partner. If there is a live website displaying our brand, we can submit a request for ‘takedown’ with the domain registrar that the URL is registered with.
In a lot of these cases, these websites are only live for a matter of days – mainly because once people start reporting a web URL to 7726, the site becomes untrustworthy. Web browsers will also start flagging whether a site could be a phishing site and start blocking attempts for people to access them.
This combination of reporting and network / device-based checks will intervene. These sites are then usually taken down fairly quickly. However, in our experience, once one site is taken down, another appears. From our data we’re aware of over 1,000 domain names that we suspect or know have been set up to be used in delivery phishing scams in the last nine months alone.
The Post Office has also launched a social media campaign to warn the public of impersonation scams:
What to do if you’ve been scammed
If you give your financial data away to a scammer, you should tell your bank in the first instance. Many banks let you cancel your cards via the mobile app so do this immediately if you can.
Keep a close eye on your bank statements and credit report – we explain how to do this for free in our guide. You can also sign up for Cifas (£25 for two years) to protect against potential identity fraud.
Banks must refund unauthorised transactions by the end of the next business day – unless it has grounds to believe you authorised the payment or acted fraudulently.
If your bank refuses to refund you, our guide explains how to get your money back.
Have you received these fake Post Office text messages? If so, did you believe they were genuine? Have you lost money to this scam?
If so, please get in touch in the comments and submit the details via our scam sharer tool.
