Fake Royal Mail page detected

Threat Intel: This scam layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figure 1: Actual screenshot of the active phishing operation isolated on our infrastructure.
Figure 2: Actual screenshot of the active phishing operation isolated on our infrastructure.

These two screenshots show a phishing campaign impersonating Royal Mail, targeting users in the United Kingdom. The scam uses a fake delivery issue and a small redelivery fee to steal full credit card details.


Threat Analysis: Royal Mail Phishing – Fake Redelivery Fee & Card Harvesting

Step 1 – Fake Tracking Page (First Screenshot)
The victim lands on a page that mimics Royal Mail’s tracking interface. It displays:

  • A fake tracking number
  • A claim that there is an issue with the shipping address
  • Instructions to arrange redelivery

Step 2 – Card Payment Page (Second Screenshot)
The victim is taken to a page that asks for:

  • Full name
  • Card number
  • Expiration date
  • Security code (CVV)

A small redelivery fee (£3.00) is shown to make the payment seem insignificant.

The goal:
The attacker collects complete card details to make fraudulent purchases, clone the card, or sell the information.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not royalmail.com. Legitimate Royal Mail tracking and redelivery are only on official domains.
  • Fake tracking number: The tracking number format may look plausible, but it cannot be verified on the real Royal Mail site.
  • Request for CVV: Royal Mail does not ask for your card security code for redelivery fees. These fees are typically paid through a secure, integrated payment gateway after you log in or confirm your address.
  • Small fee trick: £3.00 is a trivial amount meant to lower suspicion.
  • Copied content: The second page includes real Royal Mail footer links and navigation menus, which are copied from the genuine site to appear authentic.

What to do if you encounter this:

  • Do not enter any card details.
  • If you are expecting a delivery, track it directly by typing royalmail.com into your browser and using your real tracking number.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Royal Mail (e.g., via their official fraud reporting page).

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate redelivery fees are paid through the official site after verifying your tracking number.
  • Check the URL carefully: Legitimate Royal Mail domains end with royalmail.com. Look for misspellings, extra words, or unusual top‑level domains.
  • Enable transaction alerts on your bank account to catch unauthorized charges early.
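The URL check above can be automated in a mail or link filter. This is an added example, not code from Antiphishing.biz or Royal Mail. It treats a link as official only when the parsed hostname is royalmail.com or a subdomain of it, because a plain "ends with royalmail.com" string test is also satisfied by lookalike hosts. The function name, the 0.8 similarity threshold, and the sample URLs are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

OFFICIAL = "royalmail.com"  # official domain as stated on this page
BRAND = "royalmail"
SIMILARITY = 0.8            # assumed threshold for near-miss spellings


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less links
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()

    # Exact match or a true subdomain; the leading dot is what stops
    # "notroyalmail.com" from passing a naive suffix test.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"

    # Brand name anywhere in the authority part: extra words, hyphens,
    # the official name used as a subdomain of another site, or placed
    # before an "@" as userinfo.
    squashed = parts.netloc.lower().replace("-", "").replace(".", "")
    if BRAND in squashed:
        return "lookalike"

    # Misspellings: any single label that is nearly the brand name.
    for label in host.split("."):
        if SequenceMatcher(None, label, BRAND).ratio() >= SIMILARITY:
            return "lookalike"
    return "unrelated"


# Constructed sample links, not taken from the campaign on this page.
SAMPLES = [
    "https://www.royalmail.com/track-your-item",
    "https://notroyalmail.com/redelivery",
    "https://royalmail.com.parcel-fee.example/pay",
    "https://royalmail.com@parcel.example/",
    "https://roya1mail.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_url(sample):10} {sample}")
```

A "lookalike" result is a reason to quarantine or flag the message for review; an "unrelated" result says nothing about whether the page is safe.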
