It’s that time of year again: online shopping is on the rise. With events like Black Friday and Cyber Monday offering endless deals, parcel deliveries are booming – and so are parcel delivery scams.
These scams, known as ‘spray and pay’ attacks, are targeting consumers on a massive scale. So, what’s happening and what do consumers and businesses need to do to protect themselves? We explain all here.
Spray and pay is a form of phishing attack. Fraudsters will send out thousands of fake ‘missed parcel’ messages.
These messages typically ask victims to pay around £1- £2 to ‘redeliver’ a parcel, with links leading to fake courier websites designed to capture card details and personal information, often resulting in large-scale follow-on fraud.
They’re exploiting the high volume of deliveries and consumer expectations of instant delivery updates. They’re hitting the headlines too, with The Guardian reporting that these scams are now a significant national threat and no longer the small-scale nuisances we once considered them.
This is an example of cybercrime shifting to low-value, high-volume attacks. With online shopping more popular than ever, fraudsters have more legitimate delivery notification options and brands to imitate.
Brand impersonation is one of the most common fraud tactics, and delivery logistics brands are increasingly common targets.
Delivery companies’ brands can be easily spoofed over SMS and email, especially if they don’t have the necessary protections in place. Combine this with consumer demand for fast digital delivery updates, and it becomes a highly attractive avenue for criminals to exploit.
The scale of parcel-delivery scams in the UK is difficult to capture precisely, but existing data paints a stark picture.
Evri, one of the country’s major courier companies, reported approximately 10,000 cases of delivery-related fraud between November 2024 and January 2025.
Broader fraud trends are showing that fake parcel delivery messages dominate SMS-based phishing (smishing) attempts, with surveys from TransUnion revealing that 70% of UK consumers have received scam messages claiming to come from trusted organisations. Royal Mail and Evri are topping the list of impersonated brands.
When legitimate parcel issues coincide with fraudulent delivery messages, consumers increasingly struggle to distinguish between real problems and scams – and this confusion is exactly what attackers rely on.
Spray and pay scams are successful because they exploit human psychology:
Even vigilant consumers can be tricked, especially when bombarded with legitimate parcel notifications in the same channels that criminals are exploiting.
The effect on consumers is bad enough, and it’s worth raising awareness of that alone. But it’s not just a consumer issue – it affects the credibility of multiple sectors:
Addressing this issue requires cross-sector collaboration. We would suggest the following as positive steps:
While organisations implement protective measures, consumers must also take steps to protect themselves:
The Guardian’s spotlight on spray and pay scams underscores a systemic risk to the e-commerce and delivery sectors, with millions of UK consumers being exposed to fake delivery messages, and thousands falling victim each year.
For brands, banks and delivery firms, the rise of parcel-related fraud is a clear warning: trust in digital delivery communication is fragile, and only collective security strategies can reinforce it.
For more articles like this, head to our news and articles page: https://www.brigantia.com/resources