What is SMS phishing aka ‘smishing’? Scam iPhone Evri text messages explained, plus how to spot a hoax iMessage

CUSTOMERS are being warned about a huge rise in scam text messages claiming to be from parcel delivery services.

Evri says that ‘smishing’ campaigns have become the most common type of scams. Here’s what we know about them.

1

What is SMS phishing aka 'smishing'?

Criminals use smishing to target consumers by sending texts that impersonate trusted organisations, frequently including a link to a fraudulent website. 

This site copies the appearance of the company's actual website and asks consumers to send their personal and financial details.

Some people, particularly those waiting for a delivery, might unknowingly fall victim to these scams.

Evri has reported a 174 per cent rise in scam incidents from April 2023 to April 2024 and has shut down over 5,000 scam sites.

More on scams

LINKING IN

Adults admit they're baffled by digital jargon - do you know what smishing is?

I-PHONEY

iPhone owners warned over ‘spray and pray’ attack - three red flags to look for

This marks a 268 per cent increase from the previous year.

How does smishing differ from 'vishing'?

Vishing, also known as voice phishing or telephone fraud, involves scammers using the telephone to impersonate reputable organisations and extract sensitive information from victims. 

This method generally uses pre-recorded messages or VoIP technology.

Vishing scams usually alert victims to an urgent issue, prompting them to disclose personal details to address the purported problem. 

Most read in Tech

TEXT BEST THING

Secret iPhone text hacks let you swap invisible messages and schedule sends

SPACE WARS

Chinese scientists 'build real-life Death Star’ that can wipe out satellites

I-CONIC!

iPhone has secret list of 'emoji' you've never seen including rare 'anger' icon

NOT-FLIX!

Netflix is axing popular bonus feature next month - but four titles will live on

For instance, you might receive an unsolicited call from someone claiming to be your business bank representative.

They may inform you of suspicious account activity and request your account information, passwords, or PINs under the guise of resolving the issue. 

It's important to remember that legitimate banks will not make such requests unexpectedly over the phone.

Common targets for vishing attacks include impersonating government agencies such as HM Revenue & Customs for tax-related scams, or pretending to be financial institutions, which may provide easier access to financial data.

How to spot vishing signs

To protect yourself, be wary of certain red flags, such as: 

A caller ID that seems manipulated or inconsistent with the claimed organisation

Be wary of the use of robotic or synthesised voices

Automated messages that are continuously looped.

How to spot the signs of 'smishing'?

There are several giveaways of a 'smishing' message, such as poorly written sentences riddled with grammatical errors.

Scammers typically use generic greetings like 'Dear Customer' or 'Dear [your email address]' instead of addressing you by name.

The sender's email address often shows slight misspellings or unusual formatting, differing from the standard email addresses you recognise.

For instance, Evri normally sends emails from @evri.com, and their text messages do not display a mobile phone number, ask for payments, or include any links other than those from evri.link.

However, Evri has noted that fraudsters are growing more sophisticated and are finding ways to bypass security measures. 

Now, there is a noticeable increase in fraudulent messages sent via iMessage, Apple’s messaging platform, and Rich Communication Services (RCS) used on Google Android devices.

These platforms, while improving personal privacy, make it more difficult to detect malicious links. 

This allows scammers to more effectively deliver their messages through these services, increasing their chances of success.

Lots of these messages try to charge a ‘redelivery fee’ which is nonsense – we will attempt delivery three times before an item is returned and there is no charge.

Raj Bhuttar, Evri security chief

Fraudsters also create a sense of urgency, compelling you to act immediately by clicking a link or calling a phone number. 

Sometimes they may use all capital letters to stress its importance and capture your attention.

Similar to phishing emails, smishing texts may include a link intended to redirect you to a fraudulent website. 

These links can be convincingly disguised to appear legitimate.

Major companies, such as retailers and service providers, usually send texts from short-code numbers that are five digits long. 

Texts originating from standard 11-digit phone numbers may be more likely to be part of a smishing scam.

Scammers are sending these types of messages to thousands of iPhone owners via iMessage, in what Evri's security chief Richa Bhuttar has called the "spray and pray" method.

Gmail and Hotmail have pretty much got it nailed in terms of diverting phishing emails to quarantine folders whereas smaller mail providers seem to be less effective because their maturity is not at the same level.

Raj Bhuttar, Evri security chief

This wide-net method is used to take "advantage of the millions of parcels we deliver to households every day," says Bhuttar.

She added: "They know sending thousands of messages every day means some of them are likely to reach some people expecting a parcel."

According to Bhuttar, "Lots of these messages try to charge a ‘redelivery fee’ which is nonsense – we will attempt delivery three times before an item is returned and there is no charge.

"Gmail and Hotmail have pretty much got it nailed in terms of diverting phishing emails to quarantine folders whereas smaller mail providers seem to be less effective because their maturity is not at the same level.”

Customers who have fallen prey to such attacks are strongly encouraged to contact their bank immediately if they have disclosed any financial information.

Evri also advises consumers to report any suspicious activity via their website at .

READ MORE SUN STORIES

PENSION PAIN

Five actions you can take NOW that could boost your State Pension

'NIGHTMARE'

Chris Hoy reveals moment he was told ache was a deadly tumour in BBC interview

The company has committed to investigating all reports with the assistance of expert partners to facilitate the takedown of associated fraudulent websites.

Suspicious texts can also be reported by forwarding to 7226, which is free - or via Action Fraud on 0300 123 2040.

Evri's three red flags to spotting a fake iMessages

Evri - like other delivery companies - is regularly impersonated by cyber crooks looking to prey on innocent smartphone owners.

The firm works closely with a number of cybersecurity organisations, including the UK Government’s National Cyber Security Centre, to take down delivery scams as quickly as possible.

Three red flags Evri has outlined in fake iMessages are:

• Poor language
• A lack of personal greeting
• Unusual links

Scammers typically don't have the best literacy skills - and their spelling and grammatical mistakes can make them easy to catch.

Legitimate Evri messages will always be spelled correctly - and will use the name that's on your account.

Fake messages may instead begin with 'Dear Customer' or ‘Dear [your email address]’ instead of using your name.

Evri will also never include links in their text messages, except for a tracking link at this address: //evri.link/.

However, Evri still encourages customers to practice caution when it comes to these links.

"Please be aware even if the link does show as https:/evri.link/... we cannot guarantee this is genuine," the company writes in a help page on its .

"If you are unsure do not click a link and do not enter any personal details."

Tracking links will only ever ask for your order number - and not financial information.