A new twist on a delivery scam sees the perpetrators creating fake chatbots that sneakily sign victims up for expensive monthly subscriptions.
The UK has been bombarded with bogus texts and emails that impersonate Royal Mail and other large delivery companies in the past year.
Which? has already warned the public about scammers posing as delivery companies to steal money from payment cards, or following up fake delivery texts by impersonating banks. These scammers have stepped up a gear, by sending phishing emails inviting you to ‘start a chat’ to trace a delivery.
Find out more about this scam and how to protect yourself.
Royal Mail chatbot scam
Multiple phishing emails, including the one below, shared with Which? by members of the public, linked to the same fake Royal Mail chatbot.
This video shows you how the fake Royal Mail chatbot scam works:
The fake Royal Mail chatbot is plausible – it lists a delivery tracking number and shares an image of a parcel explaining that the ‘label was damaged’ to convince you to reschedule the delivery.
Clicking the link takes you to a different website, asking for your name, address, and payment details.
The small print at the very top of this page – which is only visible when you scroll up on a mobile phone – reveals that adding these details enters you into a ‘Skill Game’ and purchases a three-day trial to bilingua.net costing £2 then £59 every 30 days.
A few days later, we noticed that this form switched to promoting a different website – called proplanner.io – costing £62 every 30 days.
Who is behind the scam?
Bilingua.net – which offers subscriptions to language courses – told Which? that the Royal Mail scam is an unscrupulous activity conducted by an ‘affiliate’ i.e. a company that joined its marketing program and gets paid per sale generated for bilingua.net.
It told us: ‘Based on your enquiry, we have reviewed our previous abuse cases, and we have identified three that mention “Royal Mail” between December 15 2021 and December 17, 2021.’
‘We do not condone or approve the abusive behaviour by the affiliate in question. It is a gross violation of our affiliate terms and conditions and marketing code of conduct. We have marketing compliance procedures in place to ensure that such violations do not occur, but once in a while abusive affiliates do slip through.’
Bilngua.net has now refunded three UK customers. It told us it has identified the affiliate as a company called Ziiway ApS, based in Denmark.
Proplanner.io has also confirmed to Which? that it detected fraudulent traffic: ‘They were apparently made by Ziiway, a company that we do not know and have not done any business with, at least not directly. Upon detection we immediately notified the lead generator, from whom we buy our traffic. They confirmed that they would cease all relationships with this affiliate, and we haven’t detected irregularities since.’
‘We have furthermore blocked their IP address in our fraud detection system and taken other steps to make sure this affiliate or any successor doesn’t try to send us fake traffic in the future. As you can imagine, we are very unhappy with the situation, and reiterate that we have nothing to do with this party.’
We attempted to contact Ziiway using the contact details listed on its website but received no response.
Misleading promotions
While bilingua.net and proplanner.io say they have nothing to do with the fake Royal Mail chatbots, they did authorise the marketing ‘campaigns’ hosted on their websites.
These promotions – hosted at begin.bilingua.net and begin.proplanner.io – are highly misleading because the terms and conditions aren’t clear or prominent, meaning anyone entering their details risks signing up for an expensive subscription without their true consent.
Bilingua.net told us it does allow affiliates ‘certain liberties’ but imposes strict requirements for the campaigns, which it tests regularly:
‘In this case the campaign was authorised by us. The affiliate network is organising these campaigns, doing the designs, and their sub-affiliates are usually running these campaigns. After inspecting all the campaigns from our affiliate network, we have concluded that we do not always share the same interests. They might want maximum traffic, where we want quality traffic. Therefore, our monitoring will become stricter and now we are implementing new procedures and measures.’
Proplanner.io also said that it authorised the promotion hosted on its website and will be aiming to improve standards going forward:
‘The affiliate network is in the lead when it comes to creating content or publishing campaigns. We indeed have the power to decline campaigns, which did not happen. We have responded to earlier complaints and decided to no longer work with sub-affiliates that are responsible for these complaints. We will furthermore implement a more pro-active approach in checking campaigns.’
Bilingua.net told Which? that while it might share the same affiliate with Proplanner.io, it’s an independent operator and upholds its own compliance standards. Proplanner.io declined to comment on any connection to Bilingua.net.
How to spot a genuine Royal Mail email or text
Royal Mail explains how to distinguish a genuine message from a fake:
- Royal Mail will only send email and SMS notifications to customers in cases where the sender has requested this when using our trackable products that offer this service.
- In cases where customers need to pay a surcharge for an underpaid item, Royal Mail leaves a grey ‘Fee To Pay’ card. It doesn’t for payment by email or text.
- The only time Royal Mail asks customers to make a payment by email or by SMS is in instances where a customs fee is due. In such cases, it also leaves a grey card telling customers that there’s a ‘Fee to Pay’ before releasing the item. This would apply either to an international customs fee or to a surcharge for an underpaid item.
If you do have a fee to pay, you don’t need to click any links in texts or emails. The website is www.royalmail.com/receiving-mail/pay-a-fee, so type this into the address bar to make sure you don’t inadvertently click on a link for a fake site.
A Royal Mail spokesperson said: ‘The security of our customers is a high priority for Royal Mail. On our website we offer advice and information on what customers should do if they receive a suspicious email, text message, or telephone call that claims to be from Royal Mail, or if they or discover a Royal Mail branded website which they think is fraudulent.’
‘This advice includes reminding customers to never click on a link in an email if they are unsure about it, especially if it asks for personal financial information like your bank details. We also advise customers never to send sensitive, personal information, security details or credit card numbers by email or text.’
How to report scams
You can report scam texts by forwarding the message to 7726 (this spells SPAM on a phone keypad), which is a free reporting service provided by phone operators.
You can report dodgy websites to the National Cyber Security Centre (NCSC) using its suspicious website tool, or forward phishing emails to its report@phishing.gov.uk inbox.
If you spot a suspicious advert online (social media, newspaper websites, search engines) can be reported to the Advertising Standards Authority (ASA).
source https://www.which.co.uk/news/2022/03/watch-out-for-this-royal-mail-chatbot-scam/