It starts with a text message; it ends with you losing your life savings.
Police are battling fraudsters who are eliciting personal information and bank details from victims by sending out thousands of text messages a day and setting up “Sim farms” on their home computers.
Victims are ensnared by replying to innocent-looking text messages sent from the farms. They purport to be from a bank, a delivery company such as DPD, Hermes or Royal Mail, or from an official body such as the NHS, HM Revenue & Customs (HMRC) and the national census.
Using technology and mobile phone Sim cards bought cheaply on the internet, the scammers are able to send thousands of texts an hour to anyone whose phone number they have on file. The criminals often run several machines at once.
A specialist fraud team, the Dedicated Card and Payment Crime Unit, partly funded by the banks, is involved in a hunt for the so-called text farms — 99 search warrants have been issued as the police try to close them down, and 56 arrests have been made.
Advertisement
Police forces are receiving on average 100 reports a day of scams, and neighbourhood groups and social media are full of people reporting scam text messages, in particular purporting to be from Royal Mail.
Setting the trap
The text messages always sound plausible, particularly if you have just made an online payment, or are expecting a package. A typical example is “Royal Mail: Your package has a £2.99 unpaid postage fee. To pay this visit https://rm-redelivery-fee.com or your package will be returned to sender.”
Alternatively, you may receive one from a bank asking you to click on a link to confirm a payment, or from the NHS with the chance to book a Covid vaccine appointment.
If you are on your guard, the warning signs are there, particularly since the web address does not resemble the actual address of the company. However, if you are expecting a parcel, or have made a bank payment, you may be caught unawares.
The farms work in two ways. A text is not sent from an individual handset. Instead, a Sim card registered to a mobile phone number and purchased from a mobile phone network is plugged into a multiple Sim card reader attached to a computer. The Sim card readers are easily bought online. One that holds eight cards and is capable of sending 4,800 text messages an hour is on sale for £90. They are legitimately used by businesses that want to contact their customers.
Advertisement
Sophisticated scammers employ software that uses mobile phone numbers to automatically send texts. Called bulk text gateways, they are used by legitimate companies to send out marketing material. When a scam is detected, the services can be shut down.
However, because Sim cards can be bought so cheaply, for as little as £33 for a pack of 100 on eBay, the fraudsters are able to just start again with a new phone number. In 2019 an undercover investigation by Money found that Sim cards could be purchased with no identity checks from phone shops.
All the scammers need to do is send the same text to a list of phone numbers they have acquired. These could have been bought from internet databases, or taken in a hacking attack on another company. They need know nothing about the person other than their mobile number.
The vast majority of texts will be ignored or deleted, but the scammers need only one in every few thousand to hit home. The criminals use news events to make their messages sound plausible. For example, when the vaccine delivery began, texts were sent purporting to be from the NHS and inviting people to register their details for a jab.
At the end of the tax year the scammers send texts pretending to be from HMRC. Recently they have played on the confusion caused over Brexit, when many online shopping deliveries were held up and incurred extra import charges.
Advertisement
The boom in online shopping has exacerbated the problem as households receive so many parcels they may not remember what they are expecting. To add to the plausibility of the scam, often no money is taken immediately. Instead, the recipient of the text is invited to click on a link that takes them to an official-looking website to enter bank payment details as well as personal information such as date of birth, address and a memorable name.
In some cases the information is detailed, including full card numbers, the expiry date and the CVV security number. These are used to make small online purchases, which may go unnoticed for days, weeks or for ever. Often the scammer will buy vouchers that they can use to shop anywhere and are harder to trace, then buy more Sims.
Yet this is only the start. An accomplice will use other information gleaned to call the potential victim a few days later, pretending to be from the police or the bank and saying they have detected suspicious activity. They are asked to authorise a transfer to a “safe” account.
The money is sent to an account set up by a fraudster specifically to commit fraud. Or it is the account of an individual known as a money mule who has unwittingly agreed to work with the scammer to receive stolen funds.
Crooks who move with the news
UK Finance, the trade organisation for Britain’s leading banks, said impersonation scams — whereby a fraudster pretends to be someone they are not — last year doubled to 17,897 from 9,102 in 2019. The loss last year was £53.7 million.
Advertisement
Though with all fraud, this is thought to be an underestimate of the true scale of the problem as much goes unreported.
Fishing for information by fraudsters is nothing new, but so adaptive are their tricks that it can take a while for the police and banks to catch up.
Lockdown, for example, gave fraudsters an opportunity to prey on stressed families stuck indoors. It meant that some people could be tricked into thinking texts were real, particularly if they offered advice from the NHS or the promise of government financial support.
The Royal Mail parcel scam was first noticed at the end of last year in the run-up to Christmas when the Chartered Trading Standards Institute (CTSI) issued a warning.
With Brexit the scammers got a second chance, and in February Royal Mail issued a warning that texts were being sent that were similar to the email scams reported previously.
Advertisement
Katherine Hart from Trading Standards said: “People must be vigilant as the scammers change tactics as and when news events change. I want to make sure as many people as possible understand how cleverly the scammers operate.”
City of London Police, which tackles such crime, said it received at least 9,000 reports of Royal Mail scams between January 1 and March 31. Last week a retired police officer told the BBC of his shame after being conned out of £3,000 after a text message from Royal Mail.
With the help of mobile phone companies, the police are running multiple investigations to hunt down Sim farms. Police raids have found computers with account details of 1,200 individuals and have reported this to the banks.
Taige Gallagher, 21, of Wood Green, north London, has pleaded guilty to fraud by false representation and possession of articles for use in fraud and is awaiting sentencing. He was identified by the police and their partners in the telecoms industry as sending out bulk text messages purporting to be from the NHS.
Banks have begun lobbying the government to force internet companies and other technology firms to take more responsibility for Britain’s fraud epidemic. They want fraud added to the Online Safety Bill before parliament.
Royal Mail said it would never send such a text or email. It would only ask customers to make a payment, by email or by text, if a parcel had been sent from overseas and a customs payment was due. In such cases, it would leave a grey card through the post saying there was a fee to pay before it could release the item.
Royal Mail said it “works hard to prevent and detect fraud. Customers looking for advice on how to spot a fake notification should visit royalmail.com/scamprotection. Here they can view examples of current scams, and get advice.”
Hamish MacLeod, the director of Mobile UK, a representative of the mobile phone industry, said: “We have been taking action to the ever-changing scourge of spam texts for many years. We’re committed to working with Ofcom, the Information Commissioner’s Office and law-enforcement agencies to reduce the threat that nuisance calls and scammers pose to the public.”
How to spot a fake
You will receive a text message from a reputable-sounding organisation. It may sound plausible because you had been expecting a parcel, or had made payments from your account. However, there are key signs to show it is fake.
An official text message will have the name of the organisation that issued it, for example the NHS or Vodafone. If the text shows it was issued from another mobile phone number, but claims to be from an organisation, then report and delete it immediately.
The other sign is that website links will look slightly different from the official website. Note where the full stop is, for example. Royal Mail’s website is royalmail.com; a scam website may be royal.mail.com. Use Google to find out the official web address.
If an organisation asks for your account number and the long number on your bank card, it is a red flag.
Never feel pressured. If you are told you have a limited time to respond, it is a red flag.
If you receive a suspicious email, forward it to report@phishing.gov.uk. Suspicious text messages can be sent to 7726, which spells SPAM on your keyboard, and is free of charge.
Anyone who has provided personal or financial details should inform their bank as soon as possible and report it to actionfraud.police.uk or call 0300 123 2040.
I was only refunded in full when I complained
Peter Henderson, 63, an actor from Harrow, north London, was scammed after responding to a text purportedly from Hermes, the delivery firm. The text read: “Hermes: Sorry we missed you earlier. To book a redelivery follow the link.”
He was asked to make a £2.14 payment. After going through the link he provided his name, address, date of birth and bank account details.
A scammer contacted him the next day, saying it was his bank, Lloyds. He was asked to verify two payments, but was suspicious so put the phone down.
The individual rang back and asked him to check the caller number on his phone against the one on the back of his bank card. They matched — software can disguise the real caller number.
Henderson was persuaded to authorise transfers totalling about £2,900 to a “safe” account.
Realising he had been scammed, he contacted Lloyds, which refused a refund as he had provided the pass codes giving access to his account. After he complained Lloyds refunded him along with a £75 goodwill gesture.
Lloyds said: “We have refunded the full amount and apologised for not getting it right the first time. It’s important to remember never to enter details in a link and that a genuine organisation will never ask you to share secure banking details.”
Times Money Mentor
Should you invest in Bitcoin? We investigate
