Cybercriminals are currently executing a sophisticated SMS phishing scam, commonly referred to as “smishing,” that impersonates the Royal Mail to extract sensitive personal and financial information from unsuspecting victims. The scam has been identified by cybersecurity researchers from Hackread.com and exploits fake delivery notifications to instill a sense of urgency and fear, particularly among vulnerable populations, including the elderly.
Victims receive a text message that claims to be from Royal Mail, informing them of a failed delivery due to an incomplete address. The message typically includes a link instructing the recipient to update their delivery information to avoid further delays. When users click this link, they are directed to a counterfeit website that closely resembles the official Royal Mail page, where they are prompted to enter their personal details under the pretense of confirming delivery information.
After entering their information, victims are directed to a payment page that requests a nominal “re-delivery fee.” This page collects credit card details and other sensitive financial information. To add a further layer of legitimacy, the fraudulent site may request a one-time verification code, claiming it has been sent to the user’s mobile phone or email address. This tactic is intended to build trust, leading victims to believe the process is genuine. Subsequently, the victims receive a confirmation message claiming their package will be re-delivered, further entrenching the deception.
This scam poses a significant risk to countless individuals, particularly in the United Kingdom, where Royal Mail services around 32 million households. The implications of falling prey to such schemes are grave, as personal information can be exploited for identity theft, while stolen payment information can facilitate unauthorized financial transactions. Additionally, engaging with these phishing links could expose users to further cyber threats, such as malware infections.
From a cybersecurity perspective, the techniques employed in this smishing attack align with several tactics in the MITRE ATT&CK framework. The initial access technique is evident, as the scam initiates through misleading text messages designed to lure users into clicking dubious links. Once users engage with the fraudulent site, persistence might be employed through techniques aimed at maintaining their access to stolen credentials, while the collection of payment information indicates potential privilege escalation tactics, allowing attackers to exploit obtained data for greater financial gain.
To mitigate the risks posed by such scams, it is crucial for individuals to verify any communication claiming to be from a known entity. Carefully examining the URL before clicking on links, and directly contacting the organization through official channels, are essential steps to ensure legitimacy. Additionally, payment requests that arrive via unsolicited messages should raise red flags, as reputable companies rarely require such fees in this manner.
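The URL check described above can be automated in a message filter. The following is an added example, not part of the original article: it parses each link's real host instead of searching for the brand name in the string, which is the step that look-alike links rely on readers skipping. It assumes `royalmail.com` is the only trusted domain and handles only `http(s)` links; the function names and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: royalmail.com is the only domain trusted here; extend as needed.
OFFICIAL_DOMAINS = {"royalmail.com"}
# Lure phrases taken from the scam flow described in the article.
LURE_TERMS = ("failed delivery", "incomplete address", "re-delivery fee")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_official(url):
    """True only if the URL's real host is an official domain or its subdomain."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return False
    if not host or parts.username is not None:
        return False  # "https://royalmail.com@other.example/" hides the real host
    if any(label.startswith("xn--") for label in host.split(".")):
        return False  # punycode labels can render as look-alike characters
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def assess_sms(text):
    """Classify one SMS body as 'suspicious', 'review' or 'ok'."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    untrusted = [u for u in urls if not host_is_official(u)]
    lures = [t for t in LURE_TERMS if t in text.lower()]
    if untrusted:
        verdict = "suspicious"
    elif lures and not urls:
        verdict = "review"  # lure wording without a link: confirm via official channel
    else:
        verdict = "ok"
    return {"verdict": verdict, "untrusted_urls": untrusted, "lure_terms": lures}


# Constructed sample messages; the .example hosts are placeholders, not real IoCs.
SAMPLES = [
    "Royal Mail: failed delivery due to incomplete address. Update: "
    "https://royalmail.com.parcel-update.example/track",
    "Pay your re-delivery fee at https://royalmail.com@redeliver.example/pay",
    "Track your item at https://www.royalmail.com/track-your-item",
    "Royal Mail: failed delivery, please call us to rearrange.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(assess_sms(sms)["verdict"], "<-", sms)
```

The first two samples are flagged even though the text `royalmail.com` appears in the link, because the host that the browser would actually contact is the `.example` domain.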
As this Royal Mail phishing scam illustrates, the growing sophistication of cybercriminal tactics poses continual challenges to personal and financial security. Businesses and individuals must remain vigilant against these evolving threats, recognize the signs of phishing attempts, and adopt appropriate cybersecurity measures to safeguard their information.