The COVID-19 pandemic undeniably forced Brits to change their way of life and, although many are slowly returning to pre-pandemic habits, the convenience and ease of online shopping is not so easily forgotten. However, this brings with it a rise in scams - specifically SMS scam messages and 'smishing' scams.

The ONS reports that, despite online retail sales dipping to 25.3% in January this year, they are still higher than pre-pandemic sales figures (19.8% in February 2020)[1]. However, with more Brits shopping online, and making the most out of convenient online shopping deliveries, there’s been an opportunity for scammers to target and impersonate popular brands.

Especially those who use text messages to update their customers.

What is smishing?

You’ve probably heard of ‘phishing’, a term usually associated with emails. Action Fraud defines phishing emails as fake messages sent by cyber criminals to lure people into opening malicious links that can give away sensitive information[2].

Smishing, a machination of the words SMS and phishing, is the text message form of phishing - and it’s on the rise.

It’s really easy to click a link by accident so, to help you quickly recognise a potential scam, we’ve pulled together our security expert’s top tips on how to spot a fraudulent text message. We’ve also revealed the 15 popular brands that are most commonly impersonated by fraudsters using smishing SMS scams.

The 15 brands most likely to be impersonated in smishing scams, based on Google search data

Ranking Brand/company name impersonated by scammers Average Google search volumes per month % Search increase
(12 months)
1 DPD 4,400 -76%
2 Amazon 3,600 654%
3 Paypal 3,600 421%
4 Post Office 3,600 -80%
5 Santander 2,900 177%
6 Hermes 2,900 -95%
7 DHL 1,900 -66%
8 FedEx 1,900 -84%
9 UPS 1,300 0%
10 Royal Mail 1,300 -91%
11 EVRI 880 400%
12 Monzo 720 84%
13 NHS 720 -19%
14 Apple Pay 590 1,285%
15 Barclays 480 -19%

DPD is the most targeted brand by smishing scammers, according to Google searches

Google search data reveals that ‘DPD SMS scams’ are the most commonly searched for, with 4,400 Google searches per month.

Unfortunately, DPD may be the most targeted by scammers due to the nature of their service, handling and delivering customer's packages, so it may seem reasonable to ask for, or confirm, customer order details by text in order to deliver items.

Interestingly, the research named Royal Mail as the most likely brand to be impersonated in 2021 with 30,200 monthly searches. This has significantly dropped over the last 12 months with search volume tool, Keywordtool.io, citing a -91% decrease in searches relating to scams from Royal Mail, dropping the brand to tenth place on this list in 2022.

Amazon, Paypal, Post Office and Santander round off the top five

Amazon is the second most likely brand to be impersonated by scammers. The e-commerce business has climbed significantly in this ranking compared to 2021. According to search volume trends reported by Keywordtool.io, the brand has seen a 654% increase in searches and 3,600 monthly searches for scams compared to 650 searches per month in 2021.

The study also reveals that Paypal is still ranking high for searches around SMS scams, only dropping to third place in 2022, with a staggering 421% search increase over the last 12 months. Recently, there have been multiple Paypal SMS scams, including one that could see people having their bank accounts emptied.

Despite seeing a decrease in searches compared to the previous year, in fourth place is the Post Office with 3,600 monthly searches. The scam texts have included a parcel delivery that has failed and asking recipients to click a link to book or reschedule a delivery.

Finally, Santander rounds off the top five brands impersonated by scammers with 2,900 monthly searches and a 177% increase in searches over the last 12 months. Customers have been sent SMS scam texts encouraging them to update their banking details or log on to their accounts in an attempt to gather personal information.

Over the past 12 months payment SMS scams have become more common

Ranking Brand impersonated by scammers Average Search Volumes per month % Search Increase
(12 months)
1 Revolut 390 9,400%
2 Apple Pay 590 1,285%
3 Amazon 3,600 654%
4 Paypal 3,600 421%
5 EVRI 880 400%
6 Santander 2,900 177%
7 Monzo 720 84%
8 HMRC 320 50%
9 Virgin Media 90 29%
10 UPS 1,300 0%

Our analysis also looked into which brands had been impersonated the most by scammers over the last year. The data revealed that there has been a significant increase in Google searches for smishing texts from scammers impersonating payment brands including Revolut, Apple Pay, Paypal and Santander over this time period.

Fraudsters appear to be targeting Revolut, a popular app-based bank, with searches for smishing scams around the brand increasing the most over the past year, by 9,400%. Specifically in August this year, there was a prevalent scam where fraudsters sent SMS messages attempting to trick customers into sharing their personal details.

Apple Pay was the second most targeted brand by smishing scammers over the past 12 months, with a 1,285% increase in searches. The latest SMS scam tells recipients that their Apple Pay has been suspended and that they need to follow a link to reactivate the account.

With a 654% increase in searches over the last 12 months, Amazon is the third most targeted brand by fraudsters. Amazon has been subject to a variety of smishing texts including fake reports of suspicious activity on your account or fake information about shipping delays or package arrivals.

Although customers are becoming wiser to smishing texts, scammers are becoming more advanced and their fraudulent texts and emails aren’t always so easy to spot.

How to spot a smishing SMS

Although customers are becoming wiser to smishing texts, scammers are becoming more advanced and their fraudulent emails and texts aren’t always so easy to spot.

Naveed Islam, Chief Information Security Officer at Dojo, has rounded up five top tips on spotting a smishing SMS:

"Scammers are getting more creative with their deceit. With the rise in e-commerce accelerated by the global pandemic, seasoned fraudsters are seizing the opportunity to exploit the vulnerable and less-tech savvy. For many people adopting technologies such as online banking and shopping for the first time during COVID-19, these frauds are incredibly convincing.

This rise is being monitored and managed by the UK police’s dedicated team, Action Fraud. But in the short-term, there are some ways consumers can protect themselves and minimise their risk of digital fraud."

How to prevent smishing

1. Check if you were you expecting a message from that company

Always check your latest correspondence with the company and get in touch with them if you're not expecting any messages. Whether you’re unsure, or you’re totally convinced that you’ve received a scam text pretending to be a company, reach out to that company to inform them and seek further information.

To be safe, if you receive a text or email, don’t click on any links. Instead, go on the official website of delivery companies to track your parcel.

2. Check you have signed up to receive sms messaging from that company

When you sign up to a company they will always ask for your permission to receive SMS messages from them. So before clicking on any link in a suspected fraud text message, always check this first.

Whether it's clicking a suspicious link or providing your personal data, you should take some time to review the text and research its legitimacy before taking any actions.

If you’ve already clicked the link, check the URL straight away and do not login anywhere as scammers can capture your details to take over your account.

3. Check the text is from a number you recognise - Google the number before opening

Scammers can spoof phone numbers pretending to be from your local area code, or even a number that you know, so always Google the number if the text you receive is suspicious in any way.

In a scam text message, their goal is often to convince you to click a link. Scammers thrive from creating a sense of urgency and panic from the recipient. They will use scare tactics or threatening language to make you rush into doing something.

4. Check for poor spelling and grammar, or mistakes to the company’s name

Although some fraudulent texts are highly sophisticated, many of them can be poorly worded. Check the spelling and grammar for some tell-tale signs that they may not be legitimate.

5. Never input sensitive data from SMS messaging links

If you do suspect that you’ve been sent a smishing text, do not click on the link at all. Scammers often include malicious links and once opened allow them to access anything on your phone.

If you accidentally click on the link in your text, do not provide your private information (user ID, password, payment card details) to that website.

If you accidentally click on the link and provide private information, you should change your passwords immediately and alert your bank who issued the payment card immediately. Continue to check your bank accounts regularly to make sure no money has disappeared. It’s always better to be cautious and vigilant when dealing with online security.

Phone providers allow you to report suspicious text messages for free using the shortcode 7726. If you forward a text, your provider can investigate the origin of the text and take action, if found to be malicious.

If you’re worried you’ve received a smishing text or just want to find out more information, be sure to visit the Action Fraud official website for advice on online fraud.

We’ve covered SMS scams, or ‘smishing’, here but if you’re a business who accepts card payments you also need to be aware of card payment fraud, especially fraudulent chargebacks. Check out our helpful article on preventing chargeback fraud to help keep your business and hard earned profits safe.

Methodology:

Data was gathered from multiple sources to find the most common brands used within scam SMS text messages, and the brands with the highest increase in searches over the past year. Search volume data was based on monthly averages.

Data is accurate as of September 2022.

[1] https://www.ons.gov.uk/businessindustryandtrade/retailindustry/bulletins/retailsales/january2022/

[2] https://www.actionfraud.police.uk/a-z-of-fraud/phishing