Royal Mail scams are always popular techniques for people up to no good. We’ve covered them several times over the last year or so. A quick reminder:

Your parcel is waiting for delivery

This is the go-to tactic for fake Royal Mail phishing attacks. You receive a text claiming there’s a parcel in your name, waiting for collection. The SMS contains a link to a fake Royal Mail website. There, you’re asked to pay a small charge for “settlement”. Once payment details are entered, they’re in the hands of the scammer. With your payment details, they can take literally everything.

Something frequently overlooked is the impact wrought on people by these attacks. It isn’t “just” a throwaway phish. Like any bogus website asking for payment information, it can have a severe impact on people who’ve handed over their card details. Losing all your money, and access to payment methods, during times where people are essentially trapped indoors is plumbing the depths of awfulness.

Avoiding analysis

We’ve seen evidence of otherwise standard Royal Mail phishing sites attempting to evade detection and analysis. They do this by borrowing techniques from malware that tries to avoid inspection in virtual machines. Anything from detecting forms of rendering associated with VMs to causing issues in anonymising browsers such as Tor will do the job. They really don’t want people interfering with this particular money stream.

This is what they’ve been up to over the last year or so. We haven’t really seen any major developments in fake Royal Mail land for a while. This may be about to change, however. Step up to the plate, Which? Magazine.

A new year brings new tactics

Which? brings word of a new round of bogus messages. So far, so much business as usual, although Which? mentions these messages are arriving via email rather than SMS. This doesn’t mean fake SMS messages are AWOL this time around, but email seems to be the focus here. People clicking links in the email are taken to a website which now seems to be offline. It’s also not stored in any search engine caches or the Internet Archive, so all we have to go on is video footage.

Here’s what happens (well, happened) while people visited the site in question:

Visitors are greeted by a “chatbot”, talking to them directly about a missing parcel. The chatbot cycles through some text, claiming the parcel is damaged in some way. It reads as follows:

Hello, welcome to the interactive parcel management system. I’m your virtual guide Suzy and I’ll be helping you today. Please confirm that this is your tracking number: [tracking number]. We have a parcel with you as a recipient, but the label was damaged—attached is a picture of your parcel.

It then asks if they should “deliver this parcel to a private or business address”. Once a reply is given, it then goes on to say:

Thank you, in order to deliver your parcel, we need to get your details, as we currently only have your name and phone number / email address on record. The rest of the label is not readable. I will direct you to a form where you can fill in your delivery details. As the details of the sender also are not readable on the label, we have to charge you for the manual handling of the package, as we cannot bill it back to an unknown sender. Since you used this automated flow, the price will be less than $3

You’ll note a potentially glaring error: the “chatbot”, supposedly part of the UK postal service, the Royal Mail, mentions dollars rather than UK pounds. This may well have tipped a few people off that what they were dealing with wasn’t genuine.

From Royal Mail chatbots to…something completely unexpected

If the person in front of the screen clicks the schedule delivery and pay button, they’re taken to a distinctly non-Royal-Mail-looking website. It appears to be a sign-up form to get your hands on a “new iPhone 12”. There’s also a sign-up for a monthly rolling subscription, at a cost of £59 every 30 days.

Essentially, the scammers came up with an idea for an evolving Royal Mail phish—AI chatbots—and then inexplicably undermined themselves with a completely unrelated landing page promoting mobile phone competitions. You’d hope this would lower the chances of people signing up, but you never know.

As for the chatbot itself, there’s no way to know for sure how it operated. It may be like one of those pornography chatbots on spam sites which run through the same handful of replies no matter what you type. Perhaps it was coded to detect a handful of different responses. It might even have been the scammer themselves, for that added splash of interactivity.

The site sporting the competition itself informed Which? magazine that an affiliate is responsible for this one and they’ve refunded 3 people who fell for it. Hopefully this low number does indeed indicate that starting off with a Royal Mail delivery and ending with mobile phones is a bridge too far. This is definitely a better end result than if the landing page was a carefully crafted Royal Mail fakeout, so it’s possible we’ve all scored a lucky break here.

As with all these scams: Should you find a mysterious text or mail telling you a parcel is waiting, contact your local Royal Mail depot. Sites asking for delivery fees should be viewed with skepticism, and that goes double for offers of a distinctly non-postal variety.