Avoiding some common scams

A screenshot of a tweet by Shelagh Fogarty containing an image of a text reading "Royal Mail: Your package is waiting for delivery. Please confirm the settlement of £1.99 on the following link:". Fogarty asks in the tweet "Is this a scam?".
A screenshot of a tweet by Shelagh Fogarty.

The other day the British radio presenter Shelagh Fogarty tweeted asking her followers if a text she had received was a scam. It told her she had a parcel to collect but to click a link and “confirm the settlement of £1.99”, and the link was not to a Royal Mail site but to “rm-parcel8319.com”. (The comments underneath the tweet said that similar texts were being sent out in the name of other parcel companies, notably DPD.) The answer is that this is a scam and has a very clear red flag: the web link in the text does not bear any resemblance to the carrier’s own website address.

What used to be known as ‘phishing’ scams rely on the victim opening a web link and giving the scammers access to their money through their bank account or credit card number. Email scams can disguise such things more effectively, because you can provide a web link that looks like an actual address but the actual target of the link is different. (On a computer, this can be worked around by running your mouse over the link and pausing it; a little box called a ‘tool tip’ will appear which shows the real address.) With text and telephone scams, however, the disguise is usually a lot thinner than that. They do not even bother with the old trick of using an address that uses similar-looking numbers or capital letters to those in the real address (e.g. roya1-mail.com, royal-maiI.com), though it would be quite useful if the carriers could buy these fake domains up themselves, which I can confirm that they haven’t. They just use their own domains, which makes the scam obvious.

A screenshot from an iPhone showing two texts from Royal Mail, reading "Your parcel from Seasalt is due on Saturday, 27 March 2021 between 08:41am and 11:41am. Not going to be in? Track it at [tracking address]". The second reads "today" instead of the date.
Real tracking texts from Royal Mail (tracking numbers obscured for privacy).

To begin with, if you have a parcel coming through the Royal Mail (or any other carrier for that matter), you will know about it. It will have a tracking number which the sender will have told you about: these all have a particular pattern of letters and numbers (in the case of Royal Mail, it’s two letters, nine numbers and two further letters which denote the country it was sent from, such as GB). If payment is required, they will try to deliver it and if they cannot, they will leave a card inviting you to collect it from the depot and pay any fees then. Royal Mail might text you about the progress of your parcel, but they will mention the name of the sender, so you know it’s what you ordered. In the image above you can see an actual Royal Mail tracking text: it included the name of the company I ordered the goods from, in this case the British clothing company Seasalt, and a tracking number which corresponded to one on an earlier email (the domain name is their shortened domain name, ryml.me; although not their usual domain name, the personal details make it clear it is real). Scam texts will typically come out of the blue and have no details you recognise.

A totally different web address on a cold-call text is a dead giveaway, but a slightly cleverer disguise is to use the company’s real address as a subdomain to their own address. A subdomain is a site within a site; for example, a department or college within a university might well have a subdomain on the university’s website (as in: balliol.oxford.ac.uk). This relies on victims not knowing how a web address is structured. The key is to look for a slash after the legitimate web address (e.g. royalmail.com or tsb.co.uk); if there is a dot after it, it is a link to a completely different site that belongs to fraudsters, as in “royalmail.com.fraudsters2345.com”. If you see that in a text, delete it.

Another common trick of scammers right now is to use colloquial or outdated names for actual institutions. One scam exposed on the BBC’s You and Yours programme recently was run by people calling themselves “the gas board”, a name people used to refer to regional state-run gas providers up until the 1980s when British Gas was privatised. Nowadays, there’s no “gas board”. The scam was probably targeted at the elderly. Another is “Inland Revenue”; this was Britain’s actual tax authority until a few years ago when it merged with Customs and Excise to become Her Majesty’s Revenue and Customs or HMRC. Yet, some scammers use this name. I have received calls recently from “National Insurance”, the name of the contributions we make to our pension, but this is not an actual institution and you will not be contacted by anyone calling themselves this, except scammers. This practice serves as a “clue filter”: it filters out people who ask questions and might be wise to them, leaving the easy marks.

So, the best way to avoid falling victim to scams is to consider the following things when you receive a phone call or text which invites or demands your money:

  • Do you do business with the company purported to be sending you the text? If it’s a bank you don’t have an account with but it mentions “your account”, it’s a scam.
  • Are you expecting anything from the company? If it’s a parcel from a company you don’t remember ordering anything from, it’s probably a scam.
  • Does it mention your name or have other identifying details? “Dear customer” is a sign that they do not know who you are, and have sent the same message to many others. It’s a scam.
  • Does it use the organisation’s real name? If it uses an old or colloquial name, it’s a scam.
  • If you click the link and your browser or Internet service provider tells you this has a bad certificate or is a known scam site, do not continue. If the website looks shabby and unprofessional and is meant to belong to a major parcel service or bank, it’s not real.
  • Does the organisation do business like this? Reputable companies don’t do cold calls; they normally rely on physical mail which will include your name and some identifier, such as a social security or National Insurance number that you can verify. In the UK, HMRC will not make threatening phonecalls and tell you to “get in touch now” to get you to pay your taxes or “face the consequences”. This is a scam. If you owe taxes, they will send you a letter.
  • If you receive a phone call playing a recorded message that is not from a company you currently have business with, you can safely put the phone down. Most reputable companies do not use automated (‘robo’) calls.
  • If the domain name does not match the company’s real one (you can just use Google to search for the name) or the real name does not have a slash after it, the domain name is fake. It’s a scam.
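
The domain checks described above (a dot rather than a slash after the real name, and look-alike characters) can be automated. The following is an added example, not part of the original post: the allow-list, function names and sample links are assumptions made for illustration, and the 0-for-o swap goes slightly beyond the two look-alikes the post mentions.

```python
from urllib.parse import urlsplit

# Assumed allow-list: the two Royal Mail domains named in the post.
LEGIT_DOMAINS = ("royalmail.com", "ryml.me")

# Look-alike characters from the post's examples (digit 1 and capital I standing
# in for lower-case l); digit 0 for o is added here as a further common swap.
LOOKALIKES = str.maketrans({"1": "l", "I": "l", "0": "o"})


def raw_host(link):
    """Host part of a link as written (case preserved), without userinfo or port."""
    if "//" not in link:
        link = "//" + link  # links in texts often omit the scheme
    netloc = urlsplit(link).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0].rstrip(".")


def is_or_under(host, domain):
    """True if host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(link):
    """Classify a link's host against the allow-list."""
    raw = raw_host(link)
    host = raw.lower()
    if any(is_or_under(host, d) for d in LEGIT_DOMAINS):
        return "genuine"
    # Real name followed by a dot: it is only a subdomain label of another site.
    if any(host.startswith(d + ".") or "." + d + "." in host for d in LEGIT_DOMAINS):
        return "real name used as subdomain"
    # Undo character swaps and hyphens, then compare with the real names.
    norm = raw.translate(LOOKALIKES).lower().replace("-", "")
    if any(is_or_under(norm, d) for d in LEGIT_DOMAINS):
        return "lookalike"
    return "unrelated domain"


if __name__ == "__main__":
    for sample in (  # constructed sample links using the domains quoted in the post
        "https://www.royalmail.com/track-your-item",
        "royalmail.com.fraudsters2345.com/pay",
        "rm-parcel8319.com", "roya1-mail.com", "royal-maiI.com",
    ):
        print(f"{sample:45} {classify_link(sample)}")
```

The comparison is against the end of the host name, so a subdomain of a listed domain counts as genuine while the same name appearing at the start of a longer host does not.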

Many companies have pages giving details on how they will or will not contact you so you can recognise a real approach from a scam; Royal Mail’s is here. Your bank will likely send you a letter or give you a leaflet telling you these things. There are a lot of scams around but they all follow similar patterns and if you delete any cold text that asks for money or details and put the phone down on any cold call, especially if it plays a recorded message, you can’t go wrong.
