SIM-Swap Attack Using Royal Mail Phishing as a Data Harvest
Criminals use a Royal Mail-branded phishing campaign to harvest mobile numbers and personal details, then use that information to perform a SIM-swap that transfers the victim's phone number to an attacker-controlled SIM, enabling interception of banking two-factor codes.
Part of: SIM Swap Scams
Last reviewed: 8 June 2026
SIM-swap fraud begins long before the fraudster contacts a mobile carrier. The information needed to impersonate a customer — full name, date of birth, address, and mobile number — is often collected through a prior phishing attack. Royal Mail's trusted brand provides a convincing pretext: a fake missed-delivery or customs-fee page that asks for personal details to confirm the delivery address.
With those details in hand, the attacker calls the victim's mobile carrier, poses as the account holder, and requests a SIM replacement, typically claiming the phone was lost or damaged. If the carrier's verification checks are insufficient, the victim's number is transferred to a new SIM. From that moment, all SMS-based two-factor authentication codes — for banking, email, and financial accounts — go to the attacker instead.
Royal Mail does not require National Insurance numbers, dates of birth, or current-account details to redeliver parcels. Any form that requests this level of personal information under a delivery pretext is a data-harvesting operation, not a genuine redelivery service.
How this scam works on the Royal Mail brand
Phase one is a convincing Royal Mail SMS or email claiming a parcel is held. The linked page asks for name, address, date of birth, and mobile number to confirm identity for redelivery, plus a nominal delivery fee. This harvests exactly the data needed for a SIM-swap request.
In phase two, which may happen days later, the attacker contacts the victim's carrier using the harvested details. If the swap succeeds, the victim's phone loses signal. Shortly after, the attacker uses forgot-password flows on banking apps, receives the SMS two-factor code on the hijacked number, and drains accounts.
Victims often do not connect the loss of phone signal with the earlier Royal Mail phishing page, making the attack chain difficult to trace and report coherently.
Common red flags
- Royal Mail redelivery page asks for date of birth, NI number, or more personal detail than a name and address
- Your phone suddenly loses all signal for no apparent reason — a possible sign a SIM-swap has occurred
- You stop receiving calls and SMS while others report being able to reach you successfully
- Banking apps send password-reset or login-attempt notifications you did not initiate
- Phishing page requests your current mobile carrier's name
- A small card payment is requested alongside extensive personal data collection
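For analysts triaging reported delivery-themed pages, the form-related red flags above can be checked mechanically. The following is an added example, not part of the original advisory: the pattern lists, category names, the `audit_form` function and both sample forms are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Data the page says a genuine redelivery never needs, matched against
# normalised field descriptors. The pattern lists are illustrative assumptions.
OVER_COLLECTION = {
    "date_of_birth": r"\b(dob|bday|birthday|date of birth|birth ?date)\b",
    "ni_number": r"\b(nino|ni (number|no)|national insurance)\b",
    "bank_account": r"\b(sort ?code|iban|account (number|no))\b",
    "mobile_carrier": r"\b(network provider|(mobile|phone) (carrier|network|operator))\b",
    "card_payment": r"\b(card ?number|cc number|cc csc|cvv|cvc)\b",
}

def normalise(text):
    """Split camelCase, lower-case, and turn punctuation into spaces."""
    text = re.sub(r"([a-z])([A-Z])", r"\1 \2", text)
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

class FieldCollector(HTMLParser):
    """Collects name/id/placeholder/autocomplete values and <label> text."""
    ATTRS = ("name", "id", "placeholder", "aria-label", "autocomplete")
    def __init__(self):
        super().__init__()
        self.descriptors, self._in_label = [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            self.descriptors += [v for k, v in attrs if k in self.ATTRS and v]
        self._in_label = self._in_label or tag == "label"
    def handle_endtag(self, tag):
        if tag == "label":
            self._in_label = False
    def handle_data(self, data):
        if self._in_label and data.strip():
            self.descriptors.append(data)

def audit_form(html):
    """Return the sorted over-collection categories a page's form asks for."""
    collector = FieldCollector()
    collector.feed(html)
    fields = [normalise(d) for d in collector.descriptors]
    return sorted(cat for cat, pat in OVER_COLLECTION.items()
                  if any(re.search(pat, f) for f in fields))

# Constructed samples: a harvesting form and an item-reference-only form.
HARVEST = """<form><label>Date of birth</label><input name="customerDob">
<input name="mobile"><select name="network_provider"></select>
<input autocomplete="cc-number" name="pay"></form>"""
BENIGN = '<form><label>Item reference</label><input name="item_ref"><input name="postcode"></form>'
```

An empty result does not clear a page; it only means none of these field patterns were found in the static HTML.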
How to protect yourself
- Book Royal Mail redeliveries only at royalmail.com — the real process requires only an item reference, not personal identity documents
- Set a SIM-swap PIN or account password with your mobile carrier and require it before any number transfer
- Use an authenticator app rather than SMS for two-factor authentication on banking and email accounts
- If your phone loses signal unexpectedly, call your carrier immediately from another device to check for unauthorised SIM activity
- Freeze your credit file with the main credit reference agencies if you suspect a full data harvest
- Change banking passwords and contact your bank if a SIM-swap is confirmed
- File reports with your carrier, Action Fraud, and your bank simultaneously
How to report it
- Contact your mobile carrier's fraud team immediately if you suspect a SIM-swap
- Report to Action Fraud at actionfraud.police.uk or 0300 123 2040
- Forward the Royal Mail phishing SMS to 7726
- Report phishing emails to report@phishing.gov.uk (UK NCSC)
- Contact your bank fraud line to place a watch on your accounts
Frequently asked questions
How do I know if my SIM has been swapped?
The clearest sign is your phone losing all mobile signal — calls and texts stop working — while your device still connects to Wi-Fi. You may also receive notifications from your carrier about account changes you did not make. If this happens, call your carrier immediately from a different phone.
Why does Royal Mail need a date of birth for redelivery?
It does not. Genuine Royal Mail redelivery requests require only the 12-digit item reference number from the original card. Any redelivery page requesting your date of birth, NI number, or more than a delivery address is not Royal Mail.
Can I stop a SIM-swap before it happens?
Yes. Contact your mobile carrier and add a verbal password or account PIN that must be provided before any account changes, including SIM replacements. Also switch two-factor authentication on sensitive accounts from SMS to an authenticator app, so a SIM-swap cannot intercept your login codes.