How to spot and combat fake 'missed parcel' messages

First highlighted by the National Cyber Security Centre back in April, fake ‘missed parcel’ scams are still prominent and problematic today.

In this blog, we look at ways in which you can avoid scams sent via ‘missed parcel’ messages, and what to do if you think you’ve already fallen victim to one.

Cyber criminals are still tricking UK citizens into downloading a malicious app by sending convincing-looking 'missed parcel' text messages. The messages contain links to an ‘official’ delivery or parcel tracking app.

The app is in fact malicious and contains spyware. If installed, it can steal your banking details, passwords, and other sensitive information. The app also accesses your contacts and sends them to the criminals, and also sends additional text messages from your device to other people's contacts, further spreading itself.

This guidance explains:

• what to do if you think you’ve already downloaded the spyware app

• how to safely check if you've any missed parcels

• how to report suspicious-looking messages

• how to protect yourself from future scams

• advice about ‘banking trojan’ spyware apps

Click the anchor links above to drop down to the section you're interested in.

What to do if you think you have already downloaded the spyware app

Spyware is malicious software that secretly monitors your activity. Once installed on your device it can access your sensitive information such passwords, banking details and contacts.

If you think you may have downloaded the app, take the following steps to clean your device, as your passwords and online accounts could now be accessed by cyber criminals. Do not log into any accounts until you have followed these steps.

1. Perform a factory reset as soon as possible. The process for doing this will vary based on the device manufacturer, so refer to the NCSC’s second-hand devices guidance for details. Note that if you don’t have backups enabled, you will lose data, and you may need to enter a password when you reset your device (make sure you change this password).

2. When you set up the device after the reset, it may ask you if you want to restore from a backup. Do not restore from any backups created after you downloaded the app, as they will also be infected. Also keep in mind that automatic backups are made every 24 hours if you’re connected to Wi-Fi.

3. If you have logged in to any accounts or apps using a password since downloading the app, you must change that account password.

4. If you have used these same passwords for any other accounts, then these also need to be changed.

How to safely check for missed parcels

If you’re expecting a delivery and you receive a ‘missed parcel’ message:

1. Do not click the link.

2. Use the official websites of delivery companies to track your parcel. We've listed the official websites of major delivery companies below.

• DHL - track a parcel

• Royal Mail - track your item

• DPD - tracking service

• Hermes - track your parcel

• Yodel - parcel tracking

• UPS - track a parcel

Reporting suspicious-looking messages

If you receive a ‘missed parcel’ message that looks suspicious:

• Do not click the link in the message, and do not install any apps if prompted.

• Forward the message to 7726, a free spam-reporting service provided by phone operators. If you are not sure how to forward a text message from your particular device, search online for instructions.

• Delete the message.

For more guidance on dealing with suspicious messages, refer to the NCSC's separate guidance.

How to protect yourself from future scams

1. Back up your device to ensure you don’t lose important information like photos and documents. The Cyber Aware guidance explains how to do this.

2. Only install apps from official ‘App’ stores. For example, most Android devices use Google’s Play Store. Some manufacturers, such as Huawei, provide their own app store.

3. For Android devices, make sure that Google’s Play Protect service is enabled if your device supports it. Some Huawei devices provide a similar tool to scan devices for viruses. This will ensure that any malware on your device can be detected and removed.

About ‘banking trojan’ spyware apps

These spyware apps are technically known as ‘banking trojans’. Currently, the two most common are called FluBot and Anatsa.

The scam works by impersonating the apps and messages of legitimate organisations, so people believe they are installing ‘official’ apps. As we described above, the malicious app is designed to steal passwords and other sensitive data. These apps have even led to the theft of money from bank accounts.

If you receive a fake ‘missed parcel' text message, you’ll be prompted to click a link. Clicking the link directs you to a scam website, such as the ones shown below (although the branding may vary).

• Users of Android devices (such as those manufactured by Google, Huawei and Samsung) are then encouraged to download an app.

• Users of Apple devices are not currently at risk, although the scam text message may still redirect them to a scam website which may steal your personal information.

Here are a few examples of scam websites, which contain links to spyware:

If you encounter a suspicious website then you can report this directly to the NCSC. You can also report suspicious emails by forwarding them to report@phishing.gov.uk as part of the NCSC's Suspicious Email Reporting Service (SERS).

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).