Delivery text scammers could then pose as your bank

Beware phone calls from 'your bank' after receiving fake texts 

The public is being bombarded with fake texts used to steal personal data and card details, but victims may face a second attack by the same criminals, warns Which? Money. 

Earlier this year, we reported on an Eon phishing email that escalated into a bank impersonation scam. We’re also increasingly concerned by the number of people being targeted after receiving other fake texts. 

This one-two jab can be highly effective for fraudsters - they refer to the initial bogus messages to establish trust, and can then more convincingly claim to be calling from a bank’s fraud department. 

Here we describe the tactics used against three victims, and explain your rights if you lose money to this nasty scam. 


Baiting with fake texts

Scammers will initially send thousands of fake texts that appear to come from legitimate companies you might expect to hear from. Companies we’ve recently seen impersonated are Evri (formerly Hermes), Royal Mail and the NHS.

Phone numbers may be ‘spoofed’ to avoid detection, as you can see from the fake text about Covid testing kits below, which appears to come from ‘TraceNotify’. 

These messages invite you to click on web links that are disguised or intentionally misleading. For instance, the website mentioned here, nhs.uk-pcr-testing-kit.com/nhs, has nothing to do with the real NHS website, which is nhs.uk.
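The check a reader (or a mail or SMS filter) can apply to such a link, as an added example that is not part of the original article: a link belongs to nhs.uk only if its hostname is nhs.uk or ends in ".nhs.uk"; a brand name at the start of the hostname proves nothing. The function names and the sample links other than the one quoted above are assumptions made for illustration, and the example goes slightly beyond the article by also covering the "name@host" and near-miss suffix disguises.

```python
from urllib.parse import urlsplit

OFFICIAL = "nhs.uk"  # the genuine domain named in the article


def hostname_of(link: str) -> str:
    """Return the host a browser would actually connect to, lower-cased."""
    link = link.strip()
    if "://" not in link:
        link = "http://" + link  # links in texts often omit the scheme
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(link: str, official: str = OFFICIAL) -> bool:
    """True only for the official domain itself or a subdomain of it."""
    host = hostname_of(link)
    # The leading dot matters: "notnhs.uk" ends with "nhs.uk" but is a different domain.
    return host == official or host.endswith("." + official)


def classify(link: str, official: str = OFFICIAL) -> str:
    """Label a link as official, lookalike or unrelated to the official domain."""
    if belongs_to(link, official):
        return "official"
    # The brand's domain appears somewhere in the link, but the host is not under it.
    if official in link.lower():
        return "lookalike"
    return "unrelated"


# The first link is the one quoted in the article; the others are constructed samples.
SAMPLES = [
    "nhs.uk-pcr-testing-kit.com/nhs",   # brand used as a prefix of another domain
    "https://www.nhs.uk/conditions/",   # genuine subdomain
    "https://nhs.uk@parcel.example/x",  # brand placed before "@" (userinfo, not host)
    "http://notnhs.uk/login",           # near-miss suffix
    "https://parcel.example/track",     # no brand reference at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} host={hostname_of(sample):30} {sample}")
```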

Malicious websites are generally taken down quickly, but scammers can do damage in a short space of time. Clicking these links can also put you at risk of downloading malware (malicious software), as the National Cyber Security Centre explains. If installed, criminals could steal your banking details, passwords and other sensitive information. 

The criminals behind these scam texts can create sophisticated clone websites, using the branding and logos of genuine companies, as the copycat Royal Mail website shows below. Once they’ve captured your details, they can attempt to make unauthorised payments or commit identity fraud. For some people, this is the end of the ordeal. Others will be targeted for a second time. 

[Image: fake Royal Mail site]

The next stage of the scam

Victims who enter their details on fake websites are extremely vulnerable to further scams because opportunistic fraudsters are armed with plenty of information to be highly persuasive when impersonating their banks. 

One Which? member told us that his son, aged 25, was contacted by scammers pretending to be from his bank’s fraud team just a few days after he fell for a parcel delivery scam in 2021. The caller ID had been spoofed, so it appeared to be the genuine phone number for his bank.

The fraudsters convinced him that his savings had been compromised as a result of the parcel delivery scam and talked him through transferring his money to several third-party accounts ‘for safekeeping’. 

He lost more than £33,000, and said he ‘found the whole event shameful, embarrassing and felt stupid’. 

Find out more: Is your bank protecting you against number spoofing?

Scam tricks to watch out for

Scammers are master manipulators. They will say anything to trick you into giving away sensitive information, particularly:

Triggering security codes

Claire, 73, a retired social worker from Devon, received a missed delivery text from 'Evri' in June. As she was expecting a parcel, she assumed it was genuine and entered her Jaja credit card details on the cloned Evri website, intending to pay £1.45 for redelivery. 

A few days later, she received a phone call from an 0345 number, claiming to be from the fraud department of her credit card provider. The caller said they had noticed suspicious transactions on her account after she had entered her details on a cloned website. 

They triggered various security codes to her phone, claiming they needed her to share these to 'verify' her identity. She didn’t realise the criminals were using these codes to authenticate an £80 card payment at Pretty Little Thing and £3,363 at a car rental company in Spain.

Gaining remote access

Another common tactic is to try to take control of your device by persuading you to download a remote access tool.

In one case we came across, a victim received a phone call in June from her 'bank' about suspected fraud on her account. Suspicious, she checked that the phone number was listed on the genuine website - it was. 

The caller took her through the usual security questions, then informed her that she had recently entered her personal details on a fraudulent website. Only days before she had received a 'Royal Mail' text, flagging an attempted delivery and inviting her to reschedule it. She had clicked the link and entered her card details. 

Now panicked, she agreed to download a remote access tool on her laptop so that the caller could 'secure her accounts'. This gave the fraudster full access to her laptop. 

She later transferred nearly £10,000, believing she was sending money to a ‘safe account’ in her own name. She has taken her case to the Financial Services Ombudsman (FOS) after her bank refused to reimburse her. 


How do banks protect scam victims?

Most of the big high street banks have signed up to a voluntary code to protect and reimburse victims of authorised push payment (APP) fraud.

The Banking Protocol is another layer of protection, where bank staff are trained to request police intervention if they suspect a customer is being coached by fraudsters to withdraw money. 

But you may still have a fight on your hands if the bank argues that you didn’t do enough to protect your account. 

Which? has repeatedly warned that banks have inconsistently and incorrectly applied the code, so complain to the FOS if you don’t think your bank has assessed your case fairly. The forthcoming Financial Services and Markets bill aims to improve the reimbursement of scam victims.

If fraudsters gain access to your accounts and transfer money themselves, or make unauthorised payments using your stolen card details, you should be refunded under the Payment Services Regulations (PSRs) - unless your bank can prove you were either ‘grossly negligent’ or authorised the payments. 

Some firms argue that divulging security codes is tantamount to authorising payments, but this isn’t always fair. And, if the fraud occurred on a credit card, or a credit facility such as an overdraft, different rules apply. 

Which? helps victim recover £3,500

Claire had to stand her ground when her credit card provider Jaja refused to reimburse nearly £3,500 spent using her stolen details.  

When the fraud was uncovered, Jaja initially told her it would not reimburse her for these losses, because she ‘did not meet the minimum standards, as defined by the Financial Conduct Authority for the protection of your credit card’. The email also referred to gross negligence. 

When Which? contacted Jaja about this case, we reminded it that the case should have been assessed under the Consumer Credit Act, as the fraud occurred on her credit card, not a debit card. The issue of gross negligence doesn't arise under this Act. 

We also expressed our concerns that it hadn’t used any additional controls such as behavioural biometrics or IP address (which identifies a device on the internet or a local network) detection to block the fraudulent payments.

A Jaja spokesperson said, ‘We have reviewed this case and are satisfied with the decision that was made not to refund the money, on the basis that verification codes for the transactions in question were disclosed to the fraudsters. 

'However, we appreciate that (she) gave the codes over the phone in good faith, unaware that her card details had already been collected through a prior deception. Therefore, as a gesture of goodwill and on the specific facts of this matter, we have offered to refund the money.’


How to protect yourself from scams

If you’re expecting a delivery and you receive a ‘missed parcel’ message, do NOT click on the link. Instead, use the delivery company's official website to track your parcel. 

You can’t always trust caller ID or the name shown on a text message, as these can be spoofed. 

So, if you receive a phone call from someone claiming to work for your bank, or any other business, politely tell them you would like to verify it’s a genuine call first. 

To do this, contact the business using a trusted number (eg the one on the back of your card or listed on the official website), or via secure messaging such as app chat features or direct messaging via online banking. 

Criminals may tell you your account is at risk, but stay calm and never divulge sensitive information such as security codes or passwords, no matter how persuasive they seem. 

The banking industry offers this 'Take Five' advice to stay safe:

  • STOP: Taking a moment to stop and think before parting with your money or information could keep you safe
  • CHALLENGE: Could it be fake? It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you
  • PROTECT: Contact your bank immediately if you think you’ve fallen for a scam, and report it to Action Fraud.