Posted on September 23, 2019 at 2:37 AM

A Loophole in Royal Mail’s Delivery System Allows Fraudsters to Steal Packages

After he completed a sale for an iPhone worth £275 on eBay, Anastasios Siampos started to see suspicious behavior when the buyer said the item was defective. He knew there wasn’t anything wrong with the phone and disputed the claim, but eBay had ordered the buyer to return it through Royal Mail’s 48-hour tracker and proceeded to award a refund two days later after the tracker showed that the parcel was returned.

However, the seller, in this case, Siampos, got nothing. He completed the sale of a perfectly working phone and received no refund and no phone! After he got in touch with Royal Mail, he discovered that the parcel was delivered but to another address, not his. The tracking system confirms delivery to the postcode, but not the exact property, and there are other 53 properties in Siampos’ postcode.

As it turns out, criminals are taking advantage of a critical loophole in Royal Mail’s system to steal packages. Most online selling platforms depend on tracker data to prove that a specific item was returned, so the respective refunds can apply. But in Royal Mail’s web page, there isn’t any indication that they are tracked to the postcode.

The Companies Are Familiar With the Problem

According to what Siampos explained to a specialized news site, the customer service staff at Royal Mail seems to be familiar with the situation and explained to him that there had been a recent increase in similar cases.

Per Siampos, the staff let him know that irresponsible, unscrupulous buyers at eBay and other platforms configure the tracked service to the seller’s address, then proceed to download the label that Royal Mail creates, modify the house number with picture editing software (Photoshop) to another building in the same postcode, and then send an empty box.

While other similar services do, Royal Mail does not know the exact address associated with a tracking number, only the postcode, and that creates an opportunity for cybercriminals to pounce with creative methods. Royal Mail performs the delivery based on the address that the package shows.

That is why a person can receive an empty package, and since it wasn’t expecting anything, they throw it away. However, for Royal Mail’s registers, the parcel was successfully delivered, prompting the selling platform, in this case, eBay, to proceed with the refund.

At least Royal Mail is aware of the issue. The company told a news site that they know about the scam and they are working to spot the criminals.

A Delicate, Hard-To-Combat Issue

After the Observer ran the story, eBay decided to refund eBay and stated that it was working with Royal Mail to attend the “few cases” like that and to avoid similar ones in the future. However, the company keeps using tracking data as a justification for a refund instead of asking for returns to be signed for.

Many houses in rural areas can only be identified by their names, and lots of properties usually share the same postcode. It makes things quite interesting for couriers, and they usually have a hard time correctly spotting the recipient.

Outdated Technology is Part of the Problem

David Jinks, the head of consumer research for online delivery service ParcelHero, rightfully points out that the problem previously highlighted goes to show that postcodes are currently using obsolete technology.

Jinks believes that the whole system needs to be updated, and observes that the issue is not exclusive to eBay. He says that Amazon usually delivers packages to the wrong address, as well, and it can be a challenge for the seller to successfully prove that the parcel was delivered to the wrong location if the ones who took it don’t speak up.

Jinks also thinks that the fact that there aren’t many delivery firms with tracking based on Ordnance Survey mapping and data, a system closely-related with postcode information, makes matters worse.