“This is a mode of communication that is not secure,” says Awais Rashid, a professor of cybersecurity at the University of Bristol, adding that SMS has now been “repurposed” to try and scam people. “Our relationship with SMS is now changing,” he says. “We think of them as things that come from a legitimate organisation that is providing us with something.” That, and the fact that these messages are so direct, makes them feel more personal – and safe – than a scam email. Mix that with the credibility of asking for a delivery fee, a 37 per cent spike in online shopping, and the anonymity provided by texting, and you have the recipe for an effective and untraceable scam.
What’s more, we also know next to nothing about the people behind these scams, few of whom are ever caught. “The barrier to entry is so low that you don’t have to be a master criminal organisation to get involved,” says Rashid. “And if a criminal is even moderately tech-savvy they will hide all their traces online.”
Sites such as SMS Bandits (which was recently shut down by the National Crime Agency) and countless others allow scammers to send misleading messages in bulk. Combine that with the leaked phone numbers and personal information of millions of people, which can be purchased online relatively cheaply, and the scam quickly scales. NameCheap.com, for example, was found to be hosting over 200 sites used by scammers to impersonate the Royal Mail.
Then there’s number spoofing. As in Hartley’s case, with enough technical know-how it isn’t too hard to mimic the mobile number of an official helpline to make a scam look credible. ‘Fraud-as-a-Service’ is common in smishing scams, where perpetrators purchase the technology to commit these crimes from a third party and pay them a share of the profits. All of this helps both to make these scams convincing and to make the criminals even harder to identify and catch.
In the aftermath of any viral scam most authorities simply warn consumers to be ‘wary’. Royal Mail has issued countless such warnings since the start of the pandemic, but did not respond to a request from WIRED about any technical changes it would be implementing. Despite those warnings and the scam existing for months, the Royal Mail smishing scam is not only still around but is increasing month-on-month. And it’s just one of any number of delivery scams.
“At the moment there is far too much weight on the user to make sense of all this and identifying what is a scam and what is not,” says Rashid. And that pressure on individuals to spot scams is particularly problematic when they are designed to be indistinguishable from the real thing. “SMSs are supposed to be received, links are supposed to be clicked on,” Rashid says.
Just telling consumers to be ‘wary’ fundamentally misunderstands what it’s like to be targeted by one of these cons. Hartley says it feels like emotional grooming. The scammers work you into such a fearful state that they become “knights in shining armour” and, in that moment, no amount of tech-savviness or awareness can convince you otherwise.
So while awareness is useful, more could be done to target these frauds. First, there are issues in policing. Only around 1.4 per cent of the 350,000 instances of scam messages (costing an estimated £2.1 billion) reported to Action Fraud in 2020 led to a prosecution. Despite fraud making up over 30 per cent of all crime, less than one per cent of policing resources are dedicated to combating it, prompting one official recently to claim they were losing the war against online scams.