Fake Royal Mail Account Takeover Phishing
Scammers send emails impersonating Royal Mail's security team, claiming suspicious login activity was detected and the recipient must verify their credentials immediately. A compromised Royal Mail Click and Drop or business account can be used to redirect parcels, harvest addresses, and commit shipping fraud.
Part of: Account Takeover Scams
Last reviewed: 7 June 2026
Royal Mail offers Click and Drop for business shippers and standard tracking accounts for consumers, both of which store personal addresses, payment details, and shipping histories. This stored data makes Royal Mail accounts a worthwhile target for credential thieves.
Phishing emails mimicking Royal Mail security notifications claim that the recipient's account was accessed from an unfamiliar device or location, and that credentials must be confirmed within a short window to prevent suspension. The legitimate-sounding security framing lowers the victim's guard.
The real Royal Mail security team communicates account alerts through your registered email address and directs you to sign in at royalmail.com — not to a third-party link. Royal Mail also supports two-factor authentication, which significantly reduces the risk of account takeover even if a password is compromised.
How this scam works on the Royal Mail brand
The phishing email reads: 'Royal Mail: Unusual sign-in activity detected on your account. Verify your identity within 24 hours to prevent suspension: [link].' The link opens a fake Royal Mail login page collecting email address and password.
With those credentials, the attacker accesses the victim's Royal Mail account to view saved addresses, change payment methods, or redirect tracked parcels in transit. Click and Drop business accounts can be used to generate fraudulent shipping labels charged to the account holder.
Some variants go further by adding a fake two-factor authentication step on the phishing page, creating a convincing multi-step login flow that harvests both the password and the one-time passcode (OTP) produced by the victim's genuine Royal Mail two-factor authentication.
Common red flags
- Unsolicited email about 'unusual Royal Mail account activity' with a verify-now link
- Link does not go to royalmail.com
- Email comes from a [email protected] address
- No corresponding security notification when you log in directly to royalmail.com
- Urgency: 'account suspended in 24 hours if not verified'
- Email asks for your Royal Mail password directly
- Phishing page includes a fake two-factor step to harvest your OTP
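As an added illustration, not part of the original page, the following Python checker applies the red flags above to a constructed sample email: it extracts the sender domain and every link, and reports which flags the message triggers. The sample messages and the royalmail-verify.example and secure-login.example domains are invented for this example; the important detail is that a host counts as legitimate only if it is royalmail.com or a subdomain of it, because a plain substring test would accept a lookalike such as royalmail.com.secure-login.example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample of the phishing email described above (not a real message).
SAMPLE_PHISH = """From: Royal Mail Security <alerts@royalmail-verify.example>
To: victim@example.net
Subject: Unusual sign-in activity detected

Royal Mail: Unusual sign-in activity detected on your account.
Verify your identity within 24 hours to prevent suspension:
https://royalmail.com.secure-login.example/verify?id=12345
"""

# Constructed sample of a benign tracking notification for comparison.
SAMPLE_LEGIT = """From: Royal Mail <no-reply@royalmail.com>
To: customer@example.net
Subject: Your parcel is on its way

Track your item at https://www.royalmail.com/track-your-item
"""

LEGIT_DOMAIN = "royalmail.com"
URL_RE = re.compile(r"https?://[^\s<>]+")
URGENCY_RE = re.compile(r"within \d+ hours|suspend|verify (your )?(identity|account)", re.I)

def is_legit_host(host):
    """True only for royalmail.com itself or a subdomain of it (exact label match,
    not a substring check, so royalmail.com.secure-login.example is rejected)."""
    host = (host or "").lower().rstrip(".")
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def sender_domain(from_header):
    """Domain part of the From: header, or '' if none is present."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header or "")
    return m.group(1).lower() if m else ""

def red_flags(raw_email):
    """Return the list of red flags (from the page) that this message triggers."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    flags = []
    if not is_legit_host(sender_domain(msg["From"])):
        flags.append("sender not royalmail.com")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_legit_host(host):
            flags.append("link to non-royalmail.com host: " + host)
    if URGENCY_RE.search(body):
        flags.append("urgency / verify-now language")
    if re.search(r"\bpassword\b", body, re.I):
        flags.append("asks for password")
    return flags
```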
How to protect yourself
- Log in to your Royal Mail account by typing royalmail.com directly — never via an email link
- Enable two-factor authentication on your Royal Mail account
- Change your Royal Mail password if you suspect it was exposed
- Review your saved delivery addresses and pending shipments for any unauthorised changes
- Report phishing emails to the NCSC at report.ncsc.gov.uk
How to report it
- Forward smishing texts to 7726
- Report to the NCSC at report.ncsc.gov.uk
- Report to Action Fraud at actionfraud.police.uk
- Alert Royal Mail via royalmail.com/help/scam-mail
- Contact your bank if payment details linked to the account were accessed
Frequently asked questions
What can a criminal do with my Royal Mail account?
A compromised Royal Mail account exposes saved addresses, redirects parcels in transit, and for Click and Drop business accounts, allows fraudulent shipping labels to be generated at your expense.
Does Royal Mail send security alerts by email?
Royal Mail may send security notifications to your registered email, but they direct you to sign in at royalmail.com — not via a link in the email body. When in doubt, type royalmail.com directly.