Warning Over Royal Mail Smishing Campaign

Mobile phone holders all over the UK may be seeing an increase in SMS phishing (smishing) attacks from the Royal Mail – the messages say the user owes a small fee to pay on postage or the package will be returned to sender. Cybercriminals using this tactic are preying on people who might actually be expecting something in the post (like me!) I do also have the image of the text if you would like me to send it. The worrying thing about this one is that the link it sends to is an https link, which we often get advice to only click on links with https as it indicates it’s a secure website. Cybersecurity experts commented below on this scam.

Experts Comments

May 21, 2021
Paul Bischoff
Privacy Advocate
Comparitech

The Royal Mail SMS scheme is a typical smishing (SMS phishing) campaign. The scammer pretends to be an authority figure and instils a sense of urgency in the victim to trick them into clicking a link. The link goes to a fake Royal Mail website where users are tricked into entering payment information, which is stolen by the scammers.

 

Many victims might be fooled into thinking the link is secure because it has "https" in it. But just because a site is secure doesn't mean it isn't malicious. In

.....Read More

The Royal Mail SMS scheme is a typical smishing (SMS phishing) campaign. The scammer pretends to be an authority figure and instils a sense of urgency in the victim to trick them into clicking a link. The link goes to a fake Royal Mail website where users are tricked into entering payment information, which is stolen by the scammers.

 

Many victims might be fooled into thinking the link is secure because it has "https" in it. But just because a site is secure doesn't mean it isn't malicious. In fact, more than half of phishing sites now use HTTPS with valid certificates. Furthermore, just because a shortened link uses HTTPS doesn't mean the full URL will. Do not blindly trust HTTPS!

 

More advice on phishing:

  • Never click on unsolicited links or attachments.
  • Instead, find the site from the supposed sender through Google and log in there.
  • Always check the URL and sender's email address for spelling errors and subdomains. A subdomain might look like royalmail.scam.com.
  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.