NCSC warns of 'Fake missed parcel' scam
The National Cyber Security Centre has issued new advice on how to deal with the epidemic of 'Fake missed parcel' scams that have been plaguing the UK.
Cybercriminals are encouraging UK citizens to download a malicious app by sending convincing-looking 'missed parcel' text messages. The messages contain links to an ‘official’ delivery or parcel tracking app.
The app is not as innocent or helpful as it may seem: it is malicious and contains spyware. If installed, it can steal your banking details, passwords, and other sensitive information. The app also accesses your contacts and sends them to the criminals, and sends additional text messages from your device to other people's contacts, spreading itself further.
This guidance explains:
- what to do if you think you’ve already downloaded the spyware app
- how to safely check if you've any missed parcels
- how to report suspicious-looking messages
- how to protect yourself from future scams
- how these spyware apps work.
An NCSC spokesman said: "These spyware apps are technically known as ‘banking trojans’. Currently, the two most common are called FluBot and Anatsa.
"The scam works by impersonating the apps and messages of legitimate organisations, so people believe they are installing ‘official’ apps. As we described above, the malicious app is designed to steal passwords and other sensitive data. These apps have even led to the theft of money from bank accounts."
The NCSC states the following steps should be taken immediately if you think you may have been a victim of this scam.
1. Perform a factory reset as soon as possible.
- The process for doing this will vary based on the device manufacturer, so refer to the NCSC’s second-hand devices guidance for details.
- Note that if you don’t have backups enabled, you will lose data.
- Note you may need to enter a password when you reset your device (make sure you change this password).
2. When you set up the device after the reset, it may ask you if you want to restore from a backup.
- Do not restore any backups created after you downloaded the app, as they will also be infected.
- Also, keep in mind that automatic backups are made every 24 hours if you’re connected to Wi-Fi.
3. Change your account password.
If you have logged in to any accounts or apps using a password since downloading the app, you must change that account password.
4. Change any passwords on other accounts if necessary.
If you have used these same passwords for any other accounts, then these also need to be changed.
5. How to safely check for missed parcels
If you’re expecting a delivery and you receive a ‘missed parcel’ message:
- Do not click the link.
- Use the official websites of delivery companies to track your parcel. We've listed the official websites of major delivery companies below.
  - DHL - track a parcel
  - Royal Mail - track your item
  - DPD - tracking service
  - Hermes - track your parcel
  - Yodel - parcel tracking
  - UPS - track a parcel
6. Reporting suspicious-looking messages
If you receive a ‘missed parcel’ message that looks suspicious:
- Do not click the link in the message, and do not install any apps if prompted.
- Forward the message to 7726, a free spam-reporting service provided by phone operators. If you are not sure how to forward a text message from your particular device, search online for instructions.
- Delete the message.
For more guidance on dealing with suspicious messages, refer to our separate guidance.
7. How to protect yourself from future scams
- Back up your device to ensure you don’t lose important information like photos and documents. The Cyber Aware guidance explains how to do this.
- Only install apps from official ‘App’ stores. For example, most Android devices use Google’s Play Store. Some manufacturers, such as Huawei, provide their own app store.
- For Android devices, make sure that Google’s Play Protect service is enabled if your device supports it. Some Huawei devices provide a similar tool to scan devices for viruses. This will ensure that any malware on your device can be detected and removed.