Couple from Somerset, UK targeted with double phishing scam

ByCraig Haley

A couple from Frome in Somerset, UK, lost their savings after being targeted by the Royal Mail text “smishing” scam followed by a “call from your bank” targeted phishing scam.

Here’s how the scam worked and how you can avoid it.

Step 1. The smishing scam

Tom and Freyja Cuff were first targeted by scammers after receiving a text message claiming to come from the Royal Mail about a pending delivery that needed a small £2.50 fee to be paid before it could be delivered.

This is a very popular scam that we’ve discussed before and these scam text messages are sent out to thousands of recipients with the scammers hoping that at least some people bite and click the link to make the payment.


An example of a scam Royal Mail text message

Of course there is no pending delivery from Royal Mail, and the link Mrs. Cuff clicked led to a spoof website pretending to be the genuine Royal Mail website. The objective of this website is to lure the victim into entering personal and financial information into it. This can include name, address and debit or credit card information.

Once that information is entered, it is sent to the crooks, while the victim believes it has gone to the Royal Mail. Now the crooks have enough information to make payments using the victim’s bank account.


Sponsored Content. Continued below...




Step 2. The “call from your bank” targeted phishing scam

You could ask why is there a reason for a step two given the cyber-crooks now have enough information to withdraw money from the victim’s bank account. There are two reasons.

Firstly, the crooks don’t know how much money is in the account and how much they can potentially steal. And secondly the crooks will know that continued purchases from the bank account will likely soon be closed off either because the victim notices the activity or the bank’s automated security systems will notice.

As such, the second stage of the scam begins after the crooks make a handful of smaller purchases from the victim’s bank account. The criminals contact the victim (no doubt using the phone number their spoof website asked for during step one) pretending to be from the victim’s bank claiming fraudulant activity has occurred.

This step of the scam can be particularly convincing because the crooks are now armed with plenty of personal information about their victim thanks to the information gleaned during the first step of the scam. The crooks claim to be from the victim’s bank, and claim the victim’s bank account has been compromised. They urge the victim to transfer their money to a “safe” bank account to ensure it remains intact.

As our regular readers will no doubt have determined, this is the crux of the scam. Any money transferred to the “safe” bank account is stolen because the safe account is really the scammer’s bank account. And now the crooks have all the victim’s money in their account, and neither the victim nor bank stopped the transaction because it was the victims themselves that executed it.


Sponsored Content. Continued below...




This is essentially a double-phishing scam. First the scammers pretended to be from Royal Mail to trick the victim into handing over sensitive information (a smishing attack, since it was orchestrated over SMS) and secondly a targeted phishing scam over the phone (targeted because the crooks had plenty of personal information about the victim.)

Avoiding this scam…

  • Don’t click on links in text messages you were not expecting. If you’re not sure if they are real, speak to the company in question without interacting or engaging with the message.
  • If you do click a link, double check the web address to see if it a genuine website of the company in question.
  • Be especially cautious of messages about pending deliveries from courier or postal companies, as these are particularly popular with scammers.
  • Never trust unexpected calls that claim to be from your bank. If you’re not sure, hang up and contact your bank directly.
  • Never transfer money from one account to another on the advice of someone claiming to be from your bank. A bank will never request a person transfer money to keep it safe.
  • Always have good antivirus installed that can potentially block known or suspected phishing websites. Our recommendation is here.

You can read more about the scam that targeted Tom and Freyja Cuff as they spoke to the BBC here.

Keep up-to-date with all the latest cybersecurity threats and our tips to stay safe online. Follow us on Facebook, Instagram and Twitter.

Continued below...


Thanks for reading! But before you go… as part of our latest series of articles on how to earn a little extra cash using the Internet (without getting scammed) we have been looking into how you can earn gift vouchers (like Amazon vouchers) using reward-per-action websites such as SwagBucks. If you are interested we even have our own sign-up code to get you started. Want to learn more? We discuss it here. (Or you can just sign-up here and use code Nonsense70SB when registering.)

Become a Facebook Supporter. For 0.99p (~$1.30) a month you can become a Facebook fan, meaning you get an optional Supporter Badge when you comment on our Facebook posts, as well as discounts on our merchandise. You can subscribe here (cancel anytime.)