The relentless rise of Royal Mail text message scams

Criminals are exploiting gaping security flaws in decades-old systems to con people out of their life’s savings

On the eve of her twenty-eighth birthday, a text message popped up on Emmeline Hartley’s phone as she walked home. It said it was from the Royal Mail and that she had to make some payments to ensure her packages were delivered. Hartley didn’t think much of it; she had been expecting a few packages anyway and the website the message linked to looked legitimate, so she filled in her information.

The next day, just as she was about to head out to celebrate her birthday, she received a call from someone who claimed they were from Barclays, her bank. Everything about the call was convincing – the number was the same one used by the official Barclays helpline, the call operator followed the same scripts Barclays uses and even knew background information about her. The man on the phone said that Hartley had been hacked as a result of the Royal Mail text message she had received. She had to act now to save her money by moving it to a “safe account”.

“As soon as I’d done it I started to get this sinking feeling,” Hartley explained. “I cried and cried and cried for ages… I kept seeing in my mind the app saying £0. The amount that was taken from me really wasn’t that much, but it was all I had.” She claims her bank told her to get loans from friends to survive the next month as they tried to return the lost money, until a Twitter post about her experience went viral and forced them to take action.

Hartley is just one of countless people who have been caught up in a surge of scam text messages claiming to be from delivery companies – frequently the Royal Mail. Fuelled by a rise in online shopping during the pandemic, Google search data hints at a 1,077 per cent increase in Royal Mail scams in 2020. This March alone there was a 645 per cent increase in Royal Mail-related phishing scams, according to security firm Check Point. Hartley says she now receives hundreds of messages from other people who have fallen victim to similar scams.

These Royal Mail scams are just the tip of the iceberg when it comes to SMS-based cons, which are not only far more dangerous than their email-based counterparts, but also pose some big questions about how we police the internet in the modern era. But can anything really be done about them?

“It’s huge. Distribution by SMS is potentially the most effective way to spread either malware or a scam these days,” says Jake Moore, a cyber security specialist for internet security firm ESET. “We’re hearing time and time again about people losing thousands and thousands of pounds, far more than we ever saw with email Nigerian lotteries.” Most of these SMS phishing (or ‘smishing’) scams follow a similar pattern to Hartley’s – text messages tell you to click a link and enter your details to pay outstanding fees. Then you get a call from someone posing as your bank who tells you that you’ve been conned. The only way to stop it, they say, is to transfer all your money to a new account.

The scams aren’t new but part of what makes them so convincing comes down to how the way we use SMS has changed over the years. Initially designed as a way for people to chat, SMS is now used almost exclusively for communications from companies, two-factor authentication or other formal and official messages – such as the NHS’s vaccine texts. All the chat with friends and family has moved over to Facebook Messenger, iMessage, Signal and WhatsApp.

“This is a mode of communication that is not secure,” says Awais Rashid, a professor of cybersecurity at the University of Bristol, adding that SMS has now been “repurposed” to try and scam people. “Our relationship with SMS is now changing,” he says. “We think of them as things that come from a legitimate organisation that is providing us with something.” That, and the fact that these messages are so direct, makes them feel more personal – and safe – than a scam email. Mix that with the credibility of asking for a delivery fee, a 37 per cent spike in online shopping, and the anonymity provided by texting, and you have the recipe for an effective and untraceable scam. 

What’s more, we also know next to nothing about the people behind these scams, few of whom are ever caught. “The barrier to entry is so low that you don’t have to be a master criminal organisation to get involved,” says Rashid. “And if a criminal is even moderately tech-savvy they will hide all their traces online.”

Sites such as SMS Bandits (which was recently shut down by the National Crime Agency) and countless others allow scammers to send misleading messages in bulk. Combine that with the leaked phone numbers and personal information of millions of people, which can be purchased online relatively cheaply, and the scam quickly scales. NameCheap.com, for example, was found to be hosting over 200 sites used by scammers to impersonate the Royal Mail. 

Then there’s number spoofing. As in Hartley’s case, with enough technical know-how it isn’t too hard to mimic the mobile number of an official helpline to make a scam look credible. ‘Fraud-as-a-Service’ is common in smishing scams, where perpetrators purchase the technology to commit these crimes from a third-party and pay them a share of the profits. All of this helps to both make these scams convincing and the criminals even harder to identify and catch.

In the aftermath of any viral scam most authorities simply warn consumers to be ‘wary’. Royal Mail has issued countless such warnings since the start of the pandemic, but did not respond to a request from WIRED about any technical changes it would be implementing. Despite those warnings and the scam existing for months, the Royal Mail smishing scam is not only still around but is increasing month-on-month. And it’s just one of any number of delivery scams.

“At the moment there is far too much weight on the user to make sense of all this and identify what is a scam and what is not,” says Rashid. And that pressure on individuals to spot scams is particularly problematic when they are designed to be indistinguishable from the real thing. “SMSs are supposed to be received, links are supposed to be clicked on,” Rashid says.

Just telling consumers to be ‘wary’ fundamentally misunderstands what it’s like to be targeted by one of these cons. Hartley says it feels like emotional grooming. The scammers work you into such a fearful state that they become “knights in shining armour” and, in that moment, no amount of tech-savviness or awareness can convince you otherwise.

So while awareness is useful, more could be done to target these frauds. First, there are issues in policing. Only around 1.4 per cent of the 350,000 instances of scam messages (costing an estimated £2.1 billion) reported to Action Fraud in 2020 led to a prosecution. Despite fraud making up over 30 per cent of all crime, less than one per cent of policing resources are dedicated to combating it, prompting one official recently to claim they were losing the war against online scams.

“This used to drive me crazy, I used to be speaking with decision-makers, deciding on how much resources would be put into digital crimes and it was a fraction of what was needed,” explains Moore, who previously led a police cyber crime unit in Dorset before quitting in frustration at their poor conviction rates. Beyond a lack of resources, the problem goes back to the style of policing. According to Moore, policing is too “reactive” – only acting after a crime is committed when the perpetrators can be long gone. He suggests more proactive policing would be the only way to catch people – for example, posing as victims to coax in attackers and then sending emails and messages to the perpetrators containing malware to track their IP address or hack their webcams.

Beyond that, it simply needs to be made harder for scammers to scam in the first place. One way to do this would be to target specific parts of SMS scams, such as number spoofing, to make them less effective. SenderID usually works by having the receiving phone check the incoming number against a list, but with no central database of IDs the system is easy to trick. In response, the industry has launched the SMS SenderID Protection Registry to create a centralised database of messages and numbers, making certain official numbers harder to mimic while also blocking numbers used by scammers.
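As an added illustration of the registry-backed sender checking this passage describes (example code written for this page, not from the article, Royal Mail or the registry it names): a toy inbound SMS filter that folds look-alike sender names onto a protected brand entry, rejects the name when the message did not arrive via an approved route, and flags links to domains the brand has not registered. The registry contents, route names, block-listed number and sample messages are all constructed.

```python
import re
import unicodedata

# Digits and symbols substituted for letters to slip past an exact-match
# registry ("R0yalMail", "Roya1 Mail"); folded before any lookup.
CONFUSABLES = str.maketrans({"0": "O", "1": "L", "3": "E", "5": "S", "@": "A", "$": "S"})
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)

def normalise_sender(sender: str) -> str:
    """Fold case, strip separators and map common look-alike characters."""
    folded = unicodedata.normalize("NFKC", sender).upper()
    folded = re.sub(r"[\s._\-]", "", folded)
    return folded.translate(CONFUSABLES)

# Constructed stand-in for a central protection registry: each protected brand
# lists the routes (aggregators) allowed to send under its name and the web
# domains it legitimately links to. Hypothetical values, not Royal Mail's.
REGISTRY = {
    "RoyalMail": {"routes": {"agg-uk-1", "agg-uk-2"}, "domains": {"royalmail.com"}},
}
PROTECTED = {normalise_sender(name): entry for name, entry in REGISTRY.items()}
# Originators reported as used by scammers (constructed Ofcom drama-range number).
BLOCKLIST = {"+447700900123"}

def link_hosts(body: str) -> set[str]:
    """Host names linked in the message, lower-cased with any port stripped."""
    return {h.split(":")[0].lower() for h in URL_RE.findall(body)}

def host_allowed(host: str, allowed: set[str]) -> bool:
    # Exact registered domain or a subdomain of it; a host that merely starts
    # with the brand ("royalmail.com.evil.example") must not pass.
    return any(host == d or host.endswith("." + d) for d in allowed)

def classify(sender: str, route: str, body: str) -> str:
    """Decide one inbound SMS: 'deliver' or 'block:<reason>'."""
    if sender in BLOCKLIST:
        return "block:blocklisted-originator"
    brand = PROTECTED.get(normalise_sender(sender))
    if brand is None:
        return "deliver"  # not a protected name; the registry has nothing to enforce
    if route not in brand["routes"]:
        return "block:spoofed-sender-id"  # protected name arriving via an unapproved route
    bad = sorted(h for h in link_hosts(body) if not host_allowed(h, brand["domains"]))
    if bad:
        return "block:off-brand-link:" + ",".join(bad)
    return "deliver"

if __name__ == "__main__":
    print(classify("RoyalMail", "agg-uk-1", "Track it: https://www.royalmail.com/track"))
    print(classify("R0yal-Mail", "bulk-sms-x", "Fee due: http://royalmail.com/pay"))
```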

There are also bigger, trickier questions about how to combat the unintended consequences of technological progress. The SMS concept was developed in the early 1980s – back then, it made sense. In 2021, it’s woefully ill-equipped to cope with scammers. “We need to think: ‘What could a criminal do with this?’,” says Rashid. “We don’t do enough threat modelling when making our designs.” For Rashid, the core question now is how we future-proof systems against emerging scams. For SMS, that would likely have meant increasing the security on a platform that has little to no ways of identifying, protecting or effectively screening users and their messages. 

“Self-regulation is just not happening right now,” says Stephen Timms, a Labour MP and chair of the Work and Pensions Select Committee. “We can’t take this hands-off approach anymore.” Timms, alongside other MPs, is pushing the government to take a more active role on fraud as part of its new Online Safety Bill. The change, which the government has suggested it might back, would mean the domain hosts who carry fake Royal Mail websites or banks without enough security measures could be compelled to safeguard their users from scams like these or risk fines. 

But, as with any internet regulation, all this comes with a cost. The same systems that make these scams so successful and hard to shut down are also cornerstones of a safe, secure and open internet. “We need to understand that this is not a zero-sum game,” says Rashid. “When we talk about regulation we have to remember that mitigation of harms for one particular group can open harms to another.”


This article was originally published by WIRED UK