Emmeline Hartley is smart and tech-savvy. But last week the actress, 28, unwittingly became the face of Britain’s fraud epidemic.
On March 21, she tweeted how she had been ‘scammed out of every penny’ in a sophisticated con involving a fake Royal Mail text and a ‘spoof’ call from Barclays.
Her message has since been shared 14,500 times and Emmeline says she has received hundreds of messages from people who have fallen foul of the same scam and are struggling to get refunds from their banks.
Scam text: The message purporting to be from Royal Mail that is thought to have been sent to millions of phones across the country
It’s thought the texts have been sent to millions of phones across the UK in recent weeks – and is perhaps the worst example yet of a costly year that has seen fraud victims lose a record £479 million.
On Monday, Graeme Biggar, the top fraud investigator at the National Crime Agency, said scammers were ‘finding it too easy’ to bombard the public with millions of fake texts, emails and phone calls.
Today, a Money Mail investigation reveals how cyber criminals are evading detection by using cheap Chinese technology to beat flimsy barriers put up by banks, telecoms firms and regulators…
Duped out of £1,000
Emmeline first received a text purporting to be from Royal Mail asking her to pay a £2.99 ‘postage fee’.
It was the day before her birthday and she was expecting deliveries, so she clicked on the link in the text. This took her to a fake Royal Mail website where she entered her details and made the payment.
Two days later she received a call, seemingly from a Barclays number. The caller, who spoke with a London accent, claimed to be from the bank’s fraud unit.
He knew the details of her accounts and said she had given away her bank details to scammers on the fake Royal Mail website.
He told her to transfer all the cash she had – around £1,000 – to a ‘safe account’, which she did.
Duped: Actress Emmeline Hartley lost £1,000 in the Royal Mail text scam
Emmeline, who lives in Birmingham, only realised it was a scam when the fraudster tried to get her to transfer her overdraft, but by then it was too late.
‘I broke down on the phone, I was crying and calling him a liar,’ she says.
She has since been refunded by Barclays. But other victims are still struggling to get their money back.
Experts say fraudsters are preying on the confusion faced by online shoppers following Brexit, with many being asked to pay extra customs fees and VAT charges.
It is not known how many people have fallen foul of this particular fraud.
Last year there was a 94 per cent increase in ‘impersonation scams’, in which criminals pose as trusted organisations, says UK Finance.
How it works
Steve Smith, director of blocking service trueCall, says the scammers are likely using ‘Sim farm’ machines to send texts en masse.
Money Mail found one available to buy for just £57.35 from Chinese website AliExpress, which can pump out 4,800 texts an hour.
We also found a Chinese ‘Sim farm’ (which also have legal uses) available to buy on eBay for £230.
The device can be hooked up to 16 pay-as-you-go Sim cards, which, unlike mobile contracts, do not require buyers to provide proof of identity.
It means even if investigators can trace the Sim or phone number, they do not know who’s behind it. Targets can be generated randomly, or from data breaches.
‘Number spoofing’ is a common scam tactic that makes a message or call appear to be from the same number as your bank or another trusted business.
The texts will show up in the same thread as real messages sent by your bank. Likewise, a ‘spoofed’ call will show the caller ID you have saved to your phone.
If you were to call the number back, you would likely hear an automated message saying ‘number unobtainable’.
Fake websites used by scammers to collect personal details or payments are also too easy to set up. Scammers are able to buy fake web addresses for just £25 a year
Why no action?
Ofcom says it has blocked outbound calls on 361 numbers provided by banks and government bodies, such as HMRC.
But it’s not watertight. Ofcom says not all of Barclays fraud team numbers are on its list, which means that some may still be able to be spoofed by scammers. This is also the case for other firms.
And Money Mail has spoken to a victim who said the fraudster called him from the number on the back of his bank card.
Seamus McCormack was scammed out of £12,000 in savings after he was duped by a fake Royal Mail text.
The 33-year-old from Walthamstow, North-East London, received a message on March 11 saying he needed to pay £2.99 in postage fees.
It led to a convincing phone call, apparently from the number shown on his bank card, which told him to move the money. His bank is investigating.
David Hickson, of the fair telecoms campaign, says scammers have already adapted and only need to change one digit to avoid being blocked.
He says the only way to stop them is for banks, telecoms firms and other businesses to pledge never to contact customers by phone unless requested.
Ofcom hopes authentication technology will be rolled out in the next few years to stamp out ‘spoofing’.
Scam texts are harder to stop, but most major mobile providers will apply an ‘SMS filter’, which can block scams by recognising suspicious patterns, such as many messages being sent from a single source in a short space of time.
Mr Smith says it would be much easier to track fraudsters if pay-as-you-go Sim cards came with identity checks – or if mobile providers imposed a realistic cap on texts to stop mass scams.
But he believes the real problem is that fraud is not being taken seriously enough.
Scams are cheap
Fake websites used by scammers to collect personal details or payments are also too easy to set up. Scammers are able to buy fake web addresses for just £25 a year.
Postoffice-myfees.com – one of the sites behind the Royal Mail scam – was hosted by U.S. tech firm Namecheap.
Once victims enter their details into the websites, the fraudsters can access and use the details to win trust during the follow-up ‘spoof’ call.
Namecheap has been accused of not doing enough to tackle fraud on its platform.
Last March, Facebook filed an ongoing lawsuit against the firm alleging it had refused to co-operate with an investigation into dozens of malicious sites.
Matt Russell, chief cloud officer at Namecheap, says the firm ‘shut down all domains and websites’ engaged in the Royal Mail scam as soon as it emerged.
He says Namecheap is stopping websites registering similar domain names.
Barclays says: ‘No genuine bank would message you to transfer money to a ‘safe account’. Ignore anyone who asks you to do this.’
A Royal Mail spokesman says: ‘In cases where customers need to pay a surcharge for an underpaid item, we’d let them know by leaving a grey Fee To Pay card. We would not request payment by email or text.’
Some links in this article may be affiliate links. If you click on them we may earn a small commission. That helps us fund This Is Money, and keep it free to use. We do not write articles to promote products. We do not allow any commercial relationship to affect our editorial independence.