Scam Emails – Royal Mail Delivery

It’s time for another of my occasional series of scam warnings. And seeing as I’ve had 4 emails for this particular scam this week, it’s clear these criminals are desperate for attention. Indeed, Googling the message, I can find examples going back to January 2019 that others have received. The fact that it’s been going on for a while suggests that people might be falling for it, making it worth repeat attempts, which is a worry.

These people are basically pretending to be the Royal Mail, with the claim that a parcel couldn’t be delivered that you need to pay a charge for. They’re then asking you to click on a link, which is clearly dodgy, and I have no idea what lies behind it as I’m not going to click on it. But I’ll explain the emails that I’ve received so you’re aware.

All of the emails are pretty much identical, though each varies in some way.

Scam email pretending to be from the Royal Mail, asking you to click a link to confirm a parcel that they attempted to deliver.

There are numerous signs this is fake. Checking the From address shows it’s not from Royal Mail, hovering over the link they want you to click shows that it’s not related to Royal mail, and the text of the email is very badly worded. But here’s a more in-depth analysis.

From Address

The sender’s name appears slightly differently each time. And when you look at the address behind the name, they are randomly generated nonsense. They haven’t made any effort to include the company name in the address.

  • Royal Mail – ijdneyukdolsk87ioijfjif3i3625525544ef@2idchd3954575fodlppss1d2.com
  • RoyalMail Notification – fghf67576yutu87687tyut656757@ghjg876876tyutyu567567trtyrty.com
  • RoyalMailService – ghjghj656757yutyu675675fghfgh675677tyutyu@hjghjg875656rtyr56467567gfh.com
  • royalmailUK – gfdgf56465tyrtyr6876iuyiuy687@fhgfhg6876tyutu465456cvbcb.com

Subject Line

This has also varied a bit with each email. Apart from the fact that they all look suspect on their own, the fact that they differ with each message proves they’re not from an official source.

For 2 emails, the subject line was simply Confirm your parcel. – complete with the full stop at the end of it, which in itself is rather unusual for a subject line.

2 other emails had reference numbers:

  • Notification N:3652632210
  • Notification n 52356TRTR06

Surely that would say “Notification No.” (where “No.” is short for “Number”), rather than Just “Notification N”? And notice how the formatting differs, with a capital “N” and a colon for the first email, and a lowercase “n” for the second. Plus of course, both notification numbers are different.

Body Text

This is pretty much the same for all 4 emails. They all start with the Royal Mail logo, in an attempt to make it look official. And then the actual text is grammatically awful. Here’s the first email:

Royal Mail Notification

Your parcel has arrived at MAY 08th, Courier was unable to deliver the parcel to you. Please confirm your parcel from £3.95

Confirm Now

Royal Mail Group LTD 2019

There’s lots wrong with this short message.

  • “Your parcel has arrived at MAY 08th,”:
    • Firstly, my parcel would arrive “on” a date, not “at” a date. After the word “at” you would expect a location, like a sorting office.
    • Secondly, nobody writes a date like that, with the month in capitals and a 0 before the single figure number. It might be auto-generated by the computer on the day it was sent out, but even so, formatting the date isn’t difficult.
    • And thirdly, there should be a full stop rather than a comma after the date, as the next bit is really a distinct sentence of its own.
  • “Courier was unable to deliver the parcel to you.” – This really should start with the word “The”. It feels wrong without it.
  • “Please confirm your parcel from £3.95” – There’s no full stop at the end of this strange sentence. Why the word “from”? Could the price be more than that? It feels like a lot is missing here. If it said something like “Please confirm your parcel. Redelivery will cost £3.95.” it might feel a bit better, though even that’s not perfect.

The text of the other emails was identical, apart from the date, which was updated each time, and the link, which I’ll get to in a moment.

Interestingly, however, the text of the latest email was contained within an image, And the entire image is clickable. So now, instead of just clicking on the link to visit their dodgy website, clicking anywhere in the email will take you there. That’s a very sneaky tactic.

So while it’s always important to just hover your mouse over a link to check its address it’s also worth hovering your mouse over the text in general as well, when it comes to suspicious emails. If the arrow changes to a typing bar, then it’s regular text, as you should be able to drag to highlight it. But if the arrow remains, or changes to a pointing hand, and you see a web address pop-up, then it’s a clickable link.

At the time of writing, the image address is https://bounasertech.com/wp-content/gfghf67567tyy.JPG. Bounaser Tech claim to be a mobile development company. But their website is just a WordPress page with a default Hello World post. Beyond that, they don’t exist as far as I can tell. Google comes up with nothing else for them.

Links

The link changes with each email, and it’s safe to say you should not click on it. They could be trying to steal information from you (perhaps with a fake looking website), or they might want to install malicious software on your computer, or whatever.

In any case, the important thing to remember is that you can make the text of a link say absolutely anything you want, which includes making it look like a genuine web address. So never rely on the text of the link itself. Always hover over it to see what the pop-up tells you is the real address.

In the email with the clickable image, the address appears to be royalmail.com/track-your-item#/GB66564432, but clicking anywhere in the body takes you to serviceroyalmail.live/bvcbv45354et. The fact that it’s different to the text of the link should ring alarm bells. But also, the Royal Mail will always take you to royalmail.com, and Googling the alternative website reveals no matches whatsoever.

The links in the other 3 emails either say “Confirm Now”, or state an address that looks like a proper mail tracking address (e.g. royalmail.com/track-your-item#/GB6563421). But hovering over all of those links shows that they’re pointing to:

  • rebrand.ly/8zxiis
  • rebrand.ly/n3s8u1
  • rebrand.ly/lreak9

rebrand.ly is a URL shortening site, rather like Bit.ly and Tiny URL, among others. These websites allow you to generate a short link that points to a much longer address. This can look visually better on websites, and shorter links are vital on places like Twitter where characters are limited. When you then click on the link, you are automatically redirected to whatever the real website is. So it’s an ideal way for scammers to hide their real intentions, as you don’t know where the link is going.

There are ways to check these links though. Bit.ly, for instance, will show you a preview if you just stick a plus sign on the end of the address. But there are also various websites that will let you expand URLs to see where they really go.

Finding a website that would expand a Rebrand.ly address proved tricky, with the first few I tried claiming not to have a result. But URL Expander told me that these addresses were pointing to:

a0303088.xsph.ru/GHFGHF456456FGHFG5564564CBVCBVCVBTRTYRTYGFGHFGHYYRYTTT46545645646BVCBVC5Y564YTRTRRY4567567UYJTJGHFTYR5646456HGFRTHRFHGRTY5Y65Y6TT65675766/

That’s clearly a Russian address given the .ru extension in the opening section. And it’s certainly nothing to do with the Royal Mail.

Footer

One final anomaly is that there is a huge amount of blank space below the body text of the email, and scrolling down to the very bottom shows an “Unsubscribe” link in small text, along with the address “TTYA 736 Walnut Street Jackson, Mississippi 39213 United States (682) 351-2207”.

And looking at the source code of the emails, I can see text like this:

This email was sent as HTML-only. To view it, please visit:

https://is-hosted-email-api-prod.appspot.com/api/v2/public/email/4524781372178432/5524859842985984

If you no longer wish to receive our emails, click the link below:

https://zv695.infusionsoft.com/app/optOut/8/fe2467cd487d40b2/33728/9d8e097e1668bf70

TTYA 736 Walnut Street Jackson, Mississippi 39213 United States (682) 351-2207

I have no idea who this company is, but this text is rather like what you get for an email newsletter. So my assumption is that these scammers have taken a newsletter email and modified it for their own purposes. Their hope is perhaps that email servers will see the newsletter elements when checking the email, and allow it to bypass the spam filters.

But irrespective of that, there is just no reason for an official Royal Mail email to include a United States address in the footer!

Conclusion

To me, it’s a pretty poor attempt to fake a Royal Mail message. But the persistence of these scammers is concerning, as they clearly feel it’s worth their while. So if you do get a message like this, never click on anything within it. Go to the official Royal Mail website yourself, and manually type in the reference number on their Tracking page if you want to find out if a package is genuine.

So I hope you found that useful. As always, stay vigilant and be safe!

Author: Glen

Love London, love a laugh, love life. Visually impaired blogger, culture vulture & accessibility advocate, with aniridia & nystagmus, posting about my experiences & adventures.

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: