Fraudsters Impersonate DPD in "Convincing" New Smishing Scam

Consumers have been warned about a new “convincing” smishing scam that impersonates international parcel delivery firm DPD.

The consumer group Which? provided insights into the smishing campaign, in which scammers attempt to trick recipients into giving away personal information, including payment details.

In the scam, consumers receive a text that states: “DPD: We tried to deliver your parcel however no one was available to receive it. To arrange your redelivery, please proceed via: *link.”

The Which? researchers were then taken to a very convincing DPD copycat website requesting the user’s personal details to rearrange delivery and payment of a small ‘redelivery’ fee.

Although the website looked very similar to the official DPD site, Which? noted an error in the date format used: it stated that the ‘parcel’ was in the depot on ‘-1 August’ and ‘0 August’.

Interestingly, the researchers were unable to take a screenshot of the website on the device they were using, raising further suspicion. “Some security measures on the copycat website were blocking us from doing so,” they explained.

Which? reported the scam text and website to DPD, who recommended that users download its ‘Your DPD’ app as a safe alternative to text and email notifications. The firm added: “We continue to stress that only emails sent from one of three DPD email addresses are genuine, these are dpd.co.uk, dpdlocal.co.uk and dpdgroup.co.uk.

“With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for www.dpd.co.uk/ or www.dpdlocal.co.uk/. We have worked with Action Fraud and regional police focus in the last couple of years on awareness campaigns and will continue to do so.”

The discovery of this new scam has followed the dramatic shift to online shopping during COVID-19, which has provided fraudsters with more opportunities to target consumers, including by impersonating delivery services.

In May, consumers were warned to be vigilant about a surge in meal kit delivery scams, following rising demand for these DIY recipe kits in the pandemic.

Commenting on Which? ’s investigation, Tony Pepper, CEO of Egress, said, “Cyber-criminals will always take advantage of any opportunity to trick people into giving up their valuable personal and financial information. Over the last year, there’s been a significant increase in this type of activity, and we’ve seen scams using the branding of well-known organizations such as DPD and Royal Mail to exploit people into sharing sensitive data. We urge anyone who has received a text message or email requesting their personal data to remain vigilant and always question why a company might need this information, and to double check with DPD directly if you’re unsure. We’d also encourage anyone who has received an email or text message of this nature to report it to the NCSC’s text reporting number at 7726, or to their Suspicious Email Reporting Service.”

What’s Hot on Infosecurity Magazine?