Fake parcel delivery scam — how to get your money back.

A text message: “Your parcel could not be delivered. Please pay a small redelivery fee.” A link to a site that looks exactly like Royal Mail, Evri, or DHL. You pay. Nothing arrives. Your card details are stolen. These texts are sent millions of times each week in the UK. Your refund rights are stronger than you might think.

Can I get a refund for a fake Royal Mail / Evri / DHL text scam?

It depends on how you paid. If you entered your card details on a fake website and money was taken without your authorisation, that is unauthorised payment fraud under the Payment Services Regulations 2017, and your bank must refund you under regulation 76. If you were tricked into making a bank transfer, that is APP fraud covered by the PSR Mandatory Reimbursement Scheme (up to £85,000). For credit card payments of £100–£30,000, Section 75 of the Consumer Credit Act 1974 applies.

I only lost £2.99 — is it worth reporting?

Always report, even for small amounts, for three reasons. First, your bank details may now be compromised — reporting triggers a fraud investigation that may prevent larger losses. Second, a successful small-amount chargeback confirms the fraud pattern and strengthens any wider investigation. Third, if the scammer used your details for further transactions, you want those on record as fraudulent from the outset.

The fake site looked exactly like the Royal Mail website. Does that matter?

Yes, in your favour. The sophistication of the fraudulent site is evidence that this was a professionally organised scam, not an obviously fake one. A convincing clone of a major delivery company's website is not something a reasonable person should be expected to spot instantly. This supports your claim that any payment was made under a misapprehension rather than recklessly.

I entered my card details on the fake site. What do I do?

Contact your bank immediately and ask them to cancel the card and block the payee. Report it to the bank as fraudulent card use. If money has already been taken without your authorisation, the bank must refund it under Payment Services Regulations 2017 regulation 76. Also report to Action Fraud (actionfraud.police.uk) and to the National Cyber Security Centre via report.ncsc.gov.uk.

My bank says I authorised the payment by entering my card details. Can they refuse?

For unauthorised card fraud (you entered details on a fake site but did not knowingly authorise a payment to a fraudster), the bank cannot refuse on simple authorisation grounds — the payment was not to the payee you intended. For APP fraud (you made a transfer), the bank must prove gross negligence, not merely that you made the payment. Either way, a refusal should be challenged and, if necessary, escalated to the Financial Ombudsman Service.

What about the additional "customs clearance" fee they asked me to pay after the first payment?

Each payment made to the scammer is a separate fraudulent transaction, but they can all be included in the same claim. There is no limit on the number of individual payments within a single £85,000 PSR claim. The 13-month window runs from the last payment.

Scam Refund · Scam Types

Fake parcel delivery scam — how to get your money back.

How parcel delivery scams work

These are “smishing” attacks — SMS or messaging-based phishing. The National Cyber Security Centre (NCSC) and Action Fraud consistently rank fake parcel delivery notifications among the most reported fraud types in the UK, with hundreds of thousands of incidents per year.

The text arrives from what looks like a legitimate shortcode or UK mobile number. It references a parcel you may or may not be expecting — given how frequently most people order online, the message is plausible by default. A link takes you to a website that closely mimics the Royal Mail, Evri, DHL, DPD, or Parcelforce brand: correct logos, colour scheme, footer text, and a small fee request (£1.45, £2.99, £3.49 are common amounts).

Once you enter your card details to pay the “redelivery fee”, several things may happen. The scammer may immediately charge the small nominal amount and harvest your full card details for later, larger fraud. They may also capture your name, address, and phone number. Some variants then show a “customs clearance fee” demand, or a premium-rate phone number to call. A minority of victims are directed to make a full bank transfer.

Why the real delivery companies never do this

Royal Mail, Evri, DHL, and other major couriers do not send texts asking for payment to release a parcel via a link. If customs duty or a redelivery charge applies, genuine carriers will either leave a card at your address, send an email from a verified domain, or ask for payment through their official app. Any text message with a link asking for card details is a scam. The link will never be from royalmail.com, evri.com, or dhl.com — look carefully at the URL.

Red flags to recognise

• A text from a mobile number (not an official shortcode) about a parcel you may or may not know about.
• A link that, on close inspection, is not the genuine courier domain (e.g. royalmail-delivery.com vs royalmail.com).
• A request to pay a small fee (£1–£5 range) to release or redeliver your item.
• The website asks for your full card details, including the CVV, for a tiny transaction.
• After paying, a second fee is immediately requested (“customs clearance”, “insurance”).
• Urgency: “pay within 24 hours or the parcel will be returned.”

What to do in the first 24 hours

• Contact your bank or card issuer immediately.
• Ask them to block the card and reverse any fraudulent transactions. If card details were entered on a fraudulent site, this is unauthorised card fraud and the bank must refund under Payment Services Regulations 2017 regulation 76.
• Screenshot everything:
• the original text, the link (without clicking it again), the fake website if you have a screenshot, and any payment confirmation emails.
• Report to Action Fraud
• at actionfraud.police.uk. Also report the URL to the NCSC via report.ncsc.gov.uk — they can have fraudulent sites taken down rapidly.
• Forward the original text to 7726
• (the UK spam-reporting service run by Ofcom). This is free on all major networks.
• if you used the same credentials on the fake site as any other account.
• Monitor your statements
• closely for the next 60 days for any unauthorised charges using the harvested card details.

Your legal refund routes

1. Unauthorised payment fraud (card details entered on fake site)

If you entered your card details and money was debited without your conscious authorisation to the fraudulent payee, this is unauthorised payment fraud under regulation 76 of the Payment Services Regulations 2017. Your bank must refund you promptly — usually within one to three working days — unless it can prove you acted fraudulently or with gross negligence. The burden of proof is on the bank. This is the strongest and fastest refund route for parcel delivery scams.

2. APP fraud (bank transfer made to scammer)

A smaller number of parcel delivery scams end with the victim being instructed to make a bank transfer — for example for a larger “customs clearance” payment. This is Authorised Push Payment (APP) fraud and falls under the PSR Mandatory Reimbursement Scheme, covering up to

per claim. See our guide on

for the full legal framework.

3. Section 75 Consumer Credit Act 1974 (credit card, £100–£30,000)

If you paid on a credit card and the purchase was between £100 and £30,000, Section 75 of the Consumer Credit Act 1974 makes your credit card issuer jointly liable with the supplier for misrepresentation or breach of contract. A fake delivery company that does not exist is misrepresentation by definition. This claim runs against the card issuer independently of any fraud claim.

4. Chargeback (card payments below £100 or debit cards)

For smaller card payments or debit card payments, Visa, Mastercard, and Amex chargeback rules allow your bank to dispute the charge with the card network. Chargeback is not a statutory right but a scheme rule; however, banks are expected to pursue it in clear fraud cases. Success rates are reasonable for smishing fraud where the merchant did not deliver any goods or services.

• Unauthorised card fraud:
• Report as soon as possible. Your bank must process under PSR reg.76. 13 months from the debit is the outer limit for unauthorised payment disputes.
• PSR APP fraud (bank transfer):
• 13 months from the last fraudulent payment.
• Section 75 (credit card):
• 6 years under the Limitation Act 1980 s.5.
• Usually 120 days from the transaction, though some networks allow longer.
• 6 months from the bank’s final response letter.

If your bank refuses

Banks sometimes argue that entering card details on a third-party site falls outside their refund obligations. For unauthorised card payments, this argument is legally wrong — the bank must show you authorised the specific transaction, not merely that you used your card. For APP fraud, it must show gross negligence. Either way, a bank refusal should be followed by a formal complaint and, within six months of the final response, escalation to the

. The FOS can order refunds, interest at 8% per year, and distress compensation.

. For related purchase fraud, see our guide to

Ready to claim your refund?

We build your bank complaint and Financial Ombudsman pack for a fixed £49. No CMC fees. You keep every penny.

Not legal advice. This guide is for general information only. For advice specific to your circumstances, consult a regulated legal professional or contact Citizens Advice.