A survey by the consumer rights campaigners Which? of 2,006 people in May found that three in five (61pc) had received a fake delivery company text in the past year. Of those who received the scam text messages claiming to be from a delivery company, four in five (79pc) said they realised it was fake straight away but 3 per cent said they lost money to the scam.
Which? also conducted its own experiment, setting up four new SIM cards on the UK’s big four network providers – EE, O2, Three and Vodafone. The numbers were never shared with anyone, but two out of the four received at least one scam text message in just a two-week period. Scammers use computers to generate combinations of numbers and send messages in bulk using ‘SIM farms’ – devices that operate several SIM cards at a time. The equipment and software are available online, and anyone can pick up cheap pay-as-you-go SIMs with unlimited free texts.
Numbers are often masked or ‘spoofed’ to avoid detection – so your phone might say you have received a text from a delivery company, when it’s actually a scammer. The scam most often reported to Which? in the past three months has been fake text messages – also known as ‘smishing’ (SMS phishing) – pretending to be from Royal Mail. Of those surveyed who said they received one or more scam texts, seven in ten (70pc) received the Royal Mail scam text.
The message usually requests a small payment for a parcel to be delivered, with a link to a copycat Royal Mail website. Victims who fell for it told us they were then called by scammers, who tried to trick them into sending large sums of money. DHL, DPD and Hermes were the other most commonly impersonated companies according to the survey. Of those who received a scam text message claiming to be from a delivery company, roughly one in three said the scam text pretended to be from DHL, DPD or Hermes (32pc for DHL and DPD and 31pc for Hermes). One in eight scam texts (12pc) impersonated UPS.
Text messages claiming to be from couriers can also spread malware. Spyware known as FluBot has been circulating through a message claiming to be from the delivery service DHL, which once downloaded could access sensitive information on your device.
Although companies being impersonated have no legal responsibility to deal with these scams, Which? believes they could find better ways to communicate with customers using text messages and do more to help raise awareness of scams.
Companies can register a recognisable sender ID to protect it against spoofing – although some spoofed messages can still slip through due to limitations of these protections and other weaknesses in SMS processes. Consumers would be better protected if it became standard practice for certain types of companies, such as banks, not to include links or payment requests in text messages – although this may not be possible in all cases.
As consumers continue to receive scam texts, Which? says that the telecoms sector should continue to work to find solutions.
Adam French at Which? said: “Our research shows how fraudsters have bombarded Britain with scam delivery texts on an industrial scale as they try to exploit the unprecedented conditions of the pandemic.
“Couriers and the telecoms industry must take further steps to protect consumers, by making it harder for fraudsters to exploit systemic weaknesses to reach potential victims, and by making people more aware of how to spot such scams. In the meantime, people can sign up to Which?’s scam alert service to keep themselves, their friends and family informed about the latest tactics used by fraudsters.”
Steve Ritter, CTO at Mitek, said: “All too often, industry experts are quick to blame consumers for ‘falling’ for scams – but this blame game needs to stop. The onus should be on technology and finance organisations to step up to the challenge. With the right technologies in place, digital service providers – messaging apps, mobile manufacturers, email providers, or mobile networks – could warn us when a suspicious link or message is shared.
“Which? found that 79pc of people who received fake delivery scam texts realised they were fake straight away. But this means one in five people didn’t. Often, you might not notice a dubious link, or the unknown number it’s sent from – but your phone, messaging service, or network could. A simple flag (‘This link could be fraudulent’) would go a long way to protecting consumers. And all it takes is AI and machine learning algorithms that are trained to spot scams before they reach the consumer.
“In the future, technologies like behavioural biometrics could be used to track fraudsters’ behaviour and movements around the web, to build a digital footprint of their activity and figure out if they’re really who they say they are. Legislation also plays a role, and initiatives like the UK’s Online Safety Bill are a welcome step forward. For now, however, we have to rely on the tools we already have at our disposal – and use them to stamp out scams before they hit our phones.”
And Stuart Dobbie, SVP, Innovation, at Callsign, said: “Fraudsters are monopolising open channels such as SMS and email which are outdated methods of communication that have simply been digitised for the modern world. We can no longer rely on these channels to authenticate identities. Our own research shows that over a third (38pc) of UK consumers think identity is the problem and that people should prove who they are when signing up to use a platform to stop scammers.
“To ensure their brand is not tarnished by scammers, businesses must re-evaluate the communications channels they use to interact with customers to better establish trust. By digitally transforming from the ground up (instead of simply digitising), organisations can overcome the fraudsters, protect their brand, create seamless and secure customer journeys and build all-important digital trust.”