Three in five people have received a scam delivery text in the last year, Which? finds

Three in five people have received fake delivery company texts over the last year as fraudsters exploit the pandemic, according to new research from Which?.

Text scams have boomed as Covid confined millions of people to their homes and consumers became increasingly reliant on deliveries, with fraudsters posing as couriers and delivery companies and attempting to trick people into handing over their bank details via text.

A Which? survey of over 2,000 people in May revealed that three in five people (61%) had received a fake delivery company text in the past year.

Of those who received the scam text messages claiming to be from a delivery company, four in five (79%) said they realised it was fake straight away but 3 per cent said they lost money to the scam.

For those caught out, the financial and emotional impact can be devastating.

Which? also conducted its own experiment, setting up four new SIM cards on the UK’s big four network providers – EE, O2, Three and Vodafone. The numbers were never shared with anyone but two out of the four received at least one scam text message in just a two-week period.

Scammers use computers to generate combinations of numbers and send messages in bulk using ‘SIM farms’ – devices that operate several SIM cards at a time. The equipment and software is available online, and anyone can pick up cheap pay-as-you-go SIMs with unlimited free texts.

Numbers are often masked or ‘spoofed’ to avoid detection – so your phone might say you have received a text from a delivery company, when it’s actually a scammer.

The scam most often reported to Which? in the past three months has been fake text messages – also known as ‘smishing’ (SMS phishing) – pretending to be from Royal Mail. Of those surveyed who said they received one or more scam texts, seven in ten (70%) received the Royal Mail scam text.

The message usually requests a small payment for a parcel to be delivered, with a link to a copycat Royal Mail website, and victims who fell for it told us they were then called by scammers to try to trick them into sending large sums of money.

DHL, DPD and Hermes were the other most commonly impersonated companies in our survey. Of those who received a scam text message claiming to be from a delivery company, roughly one in three said the scam text pretended to be from DHL, DPD or Hermes (32% for DHL and DPD and 31% for Hermes).

One in eight scam texts (12%) impersonated  UPS over text.

Text messages claiming to be from couriers can also spread harmful malware. Spyware known as FluBot has been circulating through a message claiming to be from the delivery service DHL, which once downloaded could access sensitive information on your device.

Although companies being impersonated have no legal responsibility to deal with these scams, Which? believes they could find better ways to communicate with customers using text messages and do more to help raise awareness of scams.

Companies can register a recognisable sender ID to protect it against spoofing – although some spoofed messages can still slip through due to limitations of these protections and other weaknesses in SMS processes. Consumers would be better protected if it became standard practice for certain types of companies, such as banks, not to include links or payment requests in text messages – although this may not be possible in all cases.

While the telecoms industry is taking steps to address the explosion in text scams, there are clearly limits to how effective existing prevention measures are, as consumers continue to receive regular scam texts. The telecoms sector should continue to work to find solutions to protect consumers against scam texts.

Companies likely to be impersonated by scammers must be careful how they use SMS, and communicate clearly to their customers how and in what circumstances they will use SMS.

Consumers can sign up to Which?’s scam alert service in order to familiarise themselves with some of the latest tactics used by fraudsters.

The consumer champion has also launched a Scam Sharer tool to help it gather evidence in its work to protect consumers from fraud. More than 5,000 scams have been shared with Which? via the Scam Sharer tool since it went live on 17 March 2021.

Adam French, Which? Consumer Rights Expert, said: “Our research shows how fraudsters have bombarded Britain with scam delivery texts on an industrial scale as they try to exploit the unprecedented conditions of the pandemic.

“Couriers and the telecoms industry must take further steps to protect consumers, by making it harder for fraudsters to exploit systemic weaknesses to reach potential victims, and by making people more aware of how to spot such scams.

“In the meantime, people can sign up to Which?’s scam alert service to keep themselves, their friends and family informed about the latest tactics used by fraudsters.”

What to do if you fall victim to a text scam 

Report the scam text by forwarding it to your network provider on 7726.

If you have fallen victim to a text scam, you should contact your bank to ensure the scammer cannot take any more money from your account and ask to be reimbursed.

Many banks have promised to reimburse blameless victims of this kind of fraud by signing up to the voluntary authorised payments code. However, banks might challenge customers if they think the customer didn’t take precautions.

If consumers don’t have any luck getting their money back from their bank, the last resort would be to complain to the Financial Ombudsman.

Link to Which?’s scam alert service: https://campaigns.which.co.uk/scam-alert-service/

Link to Which?’s Scam Sharer tool: https://act.which.co.uk/scam-sharer

Online giants failing to remove online scam adverts, says Which?

Google and Facebook are failing to take action to remove online scam adverts even after fraud victims report them, raising concerns that the reactive approach to fraudulent content taken by online platforms is not fit for purpose, Which? research has revealed. 

The consumer champion’s survey found that a third (34%) of victims who reported an advert that led to a scam on Google said the advert was not taken down by the search engine, while a quarter (26%) of victims who reported an advert on Facebook that resulted in them being scammed said the advert was not removed by the social media site.

Which? believes that the significant flaws with the current reactive approaches taken to tackling online scams makes a clear case for online platforms to be given legal responsibility for preventing fake and fraudulent adverts from appearing on their sites.

Which? is calling for the government to take the opportunity to include content that leads to online scams in the scope of its proposed Online Safety Bill.

Of those who said they had fallen victim to a scam as a result of an advert on a search engine or social media, a quarter (27%) said they’d fallen for a fraudulent advert they saw on Facebook and one in five (19%) said a scam targeted them through Google adverts. Three per cent said they’d been tricked by an advert on Twitter.

The survey also highlighted low levels of engagement with the scam reporting processes on online platforms. Two in five (43%) scam victims conned by an advert they saw online, via a search engine or social media ad, said they did not report the scam to the platform hosting it.

The biggest reason for not reporting adverts that caused a scam to Facebook was that victims didn’t think the platform would do anything about it or take it down – this was the response from nearly a third (31%) of victims.

For Google, the main reason for not reporting the scam ad was that the victim didn’t know how to do so – this applied to a third (32%) of victims. This backs up the experience of Which?’s researchers who similarly found it was not immediately clear how to report fraudulent content to Google, and when they did it involved navigating five complex pages of information.

Worryingly, over half (51%) of 1,800 search engine users Which? surveyed said they did not know how to report suspicious ads that appear in their search listings, while over a third (35%) of 1,600 social media users said they didn’t know how to report a suspicious advert seen on social media channels

Another issue identified by victims that Which? has spoken to is that even if fake and fraudulent adverts are successfully taken down they often pop up again under different names.

One scam victim, Stefan Johansson, who lost £30.50, told Which? he had repeatedly reported a scam retailer operating under the names ‘Swanbrooch’ and ‘Omerga’ to Facebook.

He believes the social media site has a ‘scattergun’ approach to removing the ads and says that a week rarely goes by when he doesn’t spot dodgy ads in his newsfeed, posted by what he suspects are unscrupulous companies.

Another victim, Mandy, told Which? she was tricked by a fake Clarks ‘clearance sale’ advert she saw on Facebook. She paid £85 for two pairs of boots, but instead she received a large box containing a pair of cheap sunglasses.

‘I’ve had a lot of back and forth with my bank over the past six months, trying to prove that I didn’t receive what I ordered,’ Mandy said. Facebook has since removed this advert and the advertiser’s account.

The tech giants make significant profits from adverts, including ones that lead to scams. These companies have some of the most sophisticated technology in the world but the evidence suggests they are failing to use it to prevent scammers from abusing the platforms by using fake and fraudulent content on an industrial scale to target victims.

The combination of inaction from online platforms when scam ads are reported, low reporting levels by scam victims, and the ease with which advertisers can post new fraudulent adverts even after the original ad has been removed, suggests that online platforms need to take a far more proactive approach to prevent fraudulent content from reaching potential victims in the first place.

Consumers should also sign up to Which?’s scam alert service in order to familiarise themselves with some of the latest tactics used by fraudsters, particularly given the explosion of scams since the coronavirus crisis.

The consumer champion has also launched a Scam Sharing tool to help it gather evidence in its work to protect consumers from fraud. The tool has received more than 2,500 reports since it went live three weeks ago.

Adam French, Consumer Rights Expert at Which?, said: “Our latest research has exposed significant flaws with the reactive approach taken by tech giants including Google and Facebook in response to the reporting of fraudulent content – leaving victims worryingly exposed to scams.

“Which? has launched a free scam alert service to help consumers familiarise themselves with the latest tactics used by fraudsters, but there is no doubt that tech giants, regulators and the government need to go to greater lengths to prevent scams from flourishing.

“Online platforms must be given a legal responsibility to identify, remove and prevent fake and fraudulent content on their sites. The case for including scams in the Online Safety Bill is overwhelming and the government needs to act now.”

Google responded: “We’re constantly reviewing ads, sites and accounts to ensure they comply with our policies. As a result of our enforcement actions (proactive and reactive), our team blocked or removed over 3.1 billion ads for violating our policies.

“As part of the various ways we are tackling bad ads, we also encourage people to flag bad actors they’re seeing via our support tool where you can report bad ads directly. It can easily be found on Search when looking for “How to report bad ads on Google” and filling out the necessary information. It is simple for consumers to provide the required information for the Google ads team to act accordingly.

“We take action on potentially bad ads reported to us and these complaints are always manually reviewed.”

“We have strict policies that govern the kinds of ads that we allow to run on our platform. We enforce those policies vigorously, and if we find ads that are in violation we remove them. We utilize a mix of automated systems and human review to enforce our policies.”

A spokesperson for Facebook responded: “Fraudulent activity is not allowed on Facebook and we have taken action on a number of pages reported to us by Which?.

“Our 35,000 strong team of safety and security experts work alongside sophisticated AI to proactively identify and remove this content, and we urge people to report any suspicious activity to us. Our teams disable billions of fake accounts every year and we have donated £3 million to Citizens Advice to deliver a UK Scam Action Programme.”

A Twitter spokesperson said: “Where we identify violations of our rules, we take robust enforcement action.

“We’re constantly adapting to bad actors’ evolving methods, and we will continue to iterate and improve upon our policies as the industry evolves.”

To sign up to Which?’s scam alert service visit: www.which.co.uk/scamalerts