When Julia Whittaker, 70, received a text in early March saying she had missed a delivery from Royal Mail, and she needed to pay a £2.99 fee to receive her parcel, she followed the instructions, and clicked through to make a payment. “It’s happened before where people haven’t paid the correct postage, and you are asked for the difference,” she says.
Nothing seemed awry until she got a call from somebody who claimed to work the fraud department at her bank, Santander, saying there was suspicious activity on her account. She hung up, called back a number she says she found on the bank’s website, and spoke to someone who said he was called Dominic, who told her a payment of £750 to Amazon had been paid from an address in a different city. Over the next few days, the man convinced her that her account had been compromised, and persuaded her to visit a branch twice and transfer £35,000 to a different bank, where it would be safe from the criminals.
I wanted to hide away. I wanted to hide under the duvet and never come outJulia Whittaker
“I was suspicious – I kept thinking: ‘This isn’t real,’ but he was very, very convincing,” she says. “It was my daughter who said she’d read about something similar in the Guardian – and that it was a fraud.”
Whittaker had fallen victim to a scam in which fraudsters send out messages claiming to be from Royal Mail, or other courier firms, saying that there is a fee that needs to be paid before a parcel can be delivered. The texts and emails include a link to a webpage that asks for payment details and other personal information. The fraudsters use these either to set up accounts or payments in the victim’s name, or to start a more elaborate con where they pose as a bank employee and talk the victim into moving money to an account they control.
The scammer who spoke to Whittaker told her he suspected the security breach stemmed from someone at her local branch. He said he had set up an account in her husband’s name at another bank, and that she needed to move her money into it to keep it safe. On the first day, she transferred £25,000, and on the second day, she went back and moved £10,000 – money she and her husband planned to use to move home.
“In the end, I was shouting at him, asking why he couldn’t just close my account, but he said it was under the control of the Financial Conduct Authority,” she says. “It was very sophisticated.”
After she had talked to her daughter, and realised she had been defrauded, she contacted Santander, and it put a stop on her account. With the help of her children and an independent fraud expert, Richard Emery, she wrote to the bank, and it has since refunded every penny. But at first she felt terrible. “I wanted to hide away. I wanted to hide under the duvet and never come out.”
Scams making use of delivery firms’ names are not new, but the online shopping boom – and confusion over new fees that have come in since the Brexit transition period ended on 31 December – have given fraudsters a bigger pool of potential victims to phish in. Previous incarnations – which have involved cards put through letterboxes asking recipients to phone premium-rate numbers, as well as texts – tended to happen around Christmas, when people expected parcels from friends and, in more recent years, online deliveries.
With lockdown, we have all become mail-order shoppers, meaning more chance of a spam text landing with someone who is expecting a parcel. Action Fraud, the UK’s national reporting centre for these types of crimes, wasn’t able to give figures across the delivery industry, but says that between June 2020 and January 2021 it received 2,867 crime reports mentioning DPD, and that victims reported losing £3.4m over the same period. In December, the equivalent of 533 fake DPD emails a day were sent on to the suspicious email reporting service, which was launched last year.
When the Guardian asked readers if they had fallen victim to the scam, it received more than 120 responses in five days. Some were from people who had been taken in by the text and the website, and put in their details before smelling a rat. Others had got as far as pressing enter before they realised something was amiss. Others had been caught out completely.
Among the victims were doctors, teachers, psychologists and business owners, many of whom said they were busy when the texts landed, and were mortified to have been taken in by them. Texts had claimed to be from Royal Mail, Hermes, DPD and DHL, with similar messages involving an unpaid fee that needed to be met before a second delivery attempt could be made.
Neil from Grimsby described receiving a “completely convincing text from [Royal Mail] about a surcharge due for a parcel that coincided with something I ordered”. A reader who did not want to be named said she was expecting a couple of items when she received a message saying she owed £2. “Without thinking – and knowing that there have been additional tariffs on some things, due to Brexit – I clicked on the link and completed the form. Though it asked for bank and card details, I thought little of it, as no passwords were asked for.”
A student who ordered a dress online says she was expecting an import charge as it was coming from abroad. So, although she is “usually so good at spotting scams”, a text asking her for a fee slipped through. “It took me to a page exactly like the Royal Mail site,” she says. “As soon as I did it, I realised it was a scam. I went to block my cards … mobile banking was down, and I got scammed [out of] £300. I later found out that they had used the money to buy an electric scooter.”
Louise Tully, 35, a neighbourhood manager from Great Yarmouth, was caught out in the run-up to her daughter’s birthday when “parcels were arriving nearly every day”. The message she got claimed to be from DPD. “With hindsight, I should have been alerted when it charged me and asked for my card details. But I just filled out the webpage and carried on.” A few days later, she got a call claiming to be the fraud team from NatWest and ended up being duped into giving her details, which the fraudsters used to set up Apple Pay linked to her account. “They instantly tried to pay for hundreds of pounds’ worth of goods and then my bank contacted me to alert me.” In total, the criminals tried to spend £600, but Tully has been fully refunded. “I felt so foolish,” she says. “It made me paranoid about my banking, and I reset all my passwords and info.”
It made me feel I was vulnerable, and brought me in touch with the darker side of humanityRose
Not all the frauds happened as quickly. Rose from Cambridge received an email claiming to be from DPD in December, when she was waiting for some face cream to be delivered. She says she filled in her details because she “wasn’t thinking straight … I got home, came to my senses and rang up my bank, which cancelled my card.”
All seemed well until February, when she was called by a man saying he was from her bank’s fraud department and someone had attempted to use her account to spend £745 on kitchen equipment. He appeared to be calling from Halifax’s phone number, and said he was able to see what she was doing on her phone’s banking app. “That’s why I was so convinced,” she says. “I said a couple of times: ‘Halifax wouldn’t ask that,’ but he said: ‘This is coronavirus time, it’s not a normal time.’”
Rose says she had a strange feeling that she was being bullied, yet she wanted to do the right thing. “I’ve never quite felt like that before,” she says. Like other victims, she was persuaded to move money into an account to keep it safe. She had transferred more than £8,000, and was about to move more, when the app crashed. Then he ended the call. She rushed to her bank, which she realised was closed, and then made calls to try to get her money back. It was only after several weeks that she was refunded. “It made me feel I was vulnerable,” she says. “It brought me in touch with the darker side of humanity.”
Royal Mail says it works with law enforcement agencies, and organisations such as the Chartered Trading Standards Institute, to share information and try to protect people from scams. A spokesperson says the company will only send email and SMS notifications “in cases where the sender has requested this when using our trackable products that offer this service”. Royal Mail adds: “In cases where customers need to pay a surcharge for an underpaid item, we would let them know by leaving a grey ‘fee to pay’ card. We would not request payment by email or text. The only time we would ask customers to make a payment by email or by text is in some instances where a customs fee is due. In such cases, we would also leave a grey card telling customers that there’s a fee to pay before we can release the item.”
It has advice about how to spot a fake notification, and what to do about it, on its website.
UK Finance, which represents the banking industry, says banks will never ask customers to transfer money to a safe account or get in touch out of the blue to ask for a pin, full password or passcode. It says customers should follow advice in its Take Five to Stop Fraud campaign, and also report scam texts by forwarding them to 7726 (which should work with every mobile service provider).
“If you receive a text message, phone call or email claiming to be from a trusted organisation, such as a parcel delivery company or your bank, stop and think before you part with your money or information. And don’t click on any links or attachments in case it’s a scam,” says Katy Worobec, the managing director of economic crime at UK Finance.
Although most of the readers who replied to our call-out chose not to give their full names, they wanted to go on the record to help prevent other people from falling victim to the fraudsters. Another Rose told us her father had received a text in April saying he had missed a delivery from Royal Mail and needed to pay a £1.45 charge to receive his parcel. The doctor, who is in his late 60s, had already submitted his details when his wife told him she thought it was a scam. “They rang their bank and cancelled all their cards,” Rose says. “A couple of hours later, they received a call, supposedly from the bank’s ‘fraud team’. My dad assumed that this was all part of what had happened and when asked to generate a code on his secure key device did so. That evening they realised that £20,000 had been withdrawn from their account.”
Loan sharks target new victims via WhatsApp and FacebookRead more
The couple’s bank has agreed to repay the money. Her father has been left shaken and “rather embarrassed” by what happened, “but hopes that by telling people about it, others may avoid falling into a similar trap. As events developed, each part felt entirely plausible.”
Rose adds: “It seems to me this is very sophisticated fraud, and that many people would have fallen for it. I received a similar text myself last week, and got as far as putting my postcode into it. If it hadn’t been for what had happened to my dad the week before, I very well might have paid the redelivery charge that they were asking for.”