Shoppers Beware: Scammers Are Sending Fake Shipping Notifications to Steal Your Info

Photo: Tolga Akmen (Getty Images)

With the pandemic pushing more holiday shoppers online this year, business is booming for major shippers like Amazon, FedEx, and UPS. Malls around this time are already veritable Petri dishes with crowds packing into stores and willing to elbow the ever-loving Christmas cheer out of each other over gifts. And to cash in on the wave of shoppers opting for a virtual haul this year, scammers have overwhelmingly shifted to using fake shipping notifications in their phishing schemes, per a CNBC report.


As the outlet notes, the cybersecurity firm Check Point Software Technologies found a more than 440% worldwide increase in phishing emails impersonating shipping companies between October and November and a 72% jump since November last year. Scammers most often impersonated DHL Express in their campaigns, followed by Amazon and FedEx. Check Point found that Amazon was the most impersonated shipper in America though, with 65% of all phony shipping messages there impersonating the e-commerce giant.

Here’s how the scheme works: Scammers send these fake emails, typically disguised as “delivery issue” notices or shipment tracking details, to lure people into clicking on them. From there, they steal victims’ personal information through phony password reset prompts, counterfeit branded pages asking for credit card information, and other phishing methods.

“We have our mind on other things like pandemic and our kids getting remotely educated,” Brian Linder, a threat prevention manager at Check Point, said in an interview with CNBC. “And it’s a perfect time for these bad actors to prey on consumers that are not paying close attention,” he said, adding that these campaigns are often successful because so many shoppers are already accustomed to seeing major shipping companies like Amazon in their inbox.

“[M]ost of us are doing business with Amazon. We’re ordering on Amazon. And for us to get an email from Amazon about a package we ordered would be perfectly normal and expected,” Linder told the outlet.

Tom Hoehn, a Long Beach realtor and victim of one of these scams, said he received a fake shipping email disguised as a delivery error notice from UPS when he was expecting a package from the company:

“It looked like it was from UPS and it said we were unable to deliver your package. However, if you click on the following link you can look up the tracking information on that package and then you can reroute it back to your place. At that point, I clicked on the link and my screen started flashing,” Hoehn told CNBC.


A message then popped up warning him that he’d been hacked and his files encrypted and that he could pay a ransom of some 150 bitcoins, which was worth about $66,000 at that time, to get them back. After he refused to pay, he lost access to everything on his computer, and a few months later had his email hacked and was informed by the IRS that he was the victim of identity theft, per the outlet.

Amazon, UPS, FedEx, and DHL all have dedicated emails and procedures for users to report emails, calls, or other forms of correspondence that look questionable. Amazon public relations manager Craig Andrews told Gizmodo that most of these scams are nothing new, but rather “a variant of common phishing scams - using popular brands and an urgent request to catch consumers off guard.” A company statement he shared via email said Amazon customers can report suspicious emails impersonating the company to stop-spoofing@amazon.com, and pointed to several resources detailing how customers can avoid getting tricked by phishing schemes, including those that use gift cards to scam victims.


Telltale signs you should keep an eye out for to avoid these kinds of scams include grammar or spelling errors, unencrypted landing sites, copycat logos or domains, and messages with countdowns to convince you to quickly respond, per CNBC and Check Point. Check Point added that a good way to check if a link is legit is to avoid clicking it in the email and “instead click on the link from the Google results page after searching for it.” Victims of these scams can report them to the Federal Trade Commission or the Better Business Bureau’s Scam Tracker tool.
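The link-related signs above (unencrypted landing sites, copycat domains, countdown pressure) can be checked mechanically before anyone clicks. The following is an added example, not code from CNBC, Check Point, or any shipper; the brand-domain allowlist and urgency phrases are assumptions, and both sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: each brand's primary domain; extend for regional sites.
OFFICIAL = {"amazon": "amazon.com", "ups": "ups.com",
            "fedex": "fedex.com", "dhl": "dhl.com"}
# Assumption: a small set of countdown/pressure phrases.
URGENCY = re.compile(
    r"\b(within \d+ (hours?|minutes?)|immediately|expires?|final notice)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def registrable(host):
    """Crude last-two-labels domain; fine for .com brands, not a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_message(brand, body):
    """Return a sorted list of warning signs found in one message body."""
    official = OFFICIAL[brand]
    findings = set()
    for url in URL.findall(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        if parts.scheme.lower() != "https":
            findings.add(f"unencrypted link: {host}")
        if registrable(host) != official:
            # Brand name inside a non-official host is the copycat pattern.
            kind = "copycat domain" if brand in host else "off-brand domain"
            findings.add(f"{kind}: {host}")
    if URGENCY.search(body):
        findings.add("urgency/countdown wording")
    return sorted(findings)

# Constructed samples (the .example TLD is reserved and never resolves).
PHISH = ("UPS: we were unable to deliver your package. Reschedule within "
         "24 hours: http://ups-redelivery.example/track?id=1")
LEGIT = ("Your UPS package is on the way. Track it at "
         "https://www.ups.com/track?tracknum=1Z999 or sign in to your account.")

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message("ups", msg))
```

A clean result only means none of these three signs fired; it does not prove a message is genuine, so looking up the shipment from your own account remains the safer path.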

You’ve got to be a real Grinch to capitalize on the pandemic’s craziness (not that some billionaires, including Amazon CEO Jeff Bezos, weren’t doing that already, of course), but nonetheless I can see why the recent e-commerce boom has attracted scammers’ attention more than usual this holiday season. This year’s Cyber Monday was reportedly the largest online shopping day in U.S. history, with sales exceeding $10 billion according to Adobe Analytics, and major shippers like Amazon have seen huge surges in their end-of-year sales. At the end of the day, grifters gonna grift, even while a deadly virus wreaks havoc.


[CNBC, Check Point Software Technologies]

Gizmodo weekend editor. Freelance games reporter. Full-time disaster bi.

DISCUSSION

Scammers use these fake emails

And text messages as well. The fake shipping texts are up again this month.

Every major delivery service lets you sign up for a free account. Once you do, you can log in and check the status of any packages that are being shipped to you, whether you know the tracking numbers or not, so long as they are in the system.

So if you get one of these messages, and you are expecting something, sign into your account and look up the shipment. Don’t click the message. Or if you did the ordering, sign into the vendor and click “Track your Shipment”.

And yes, some bonehead shippers do send actual emails with these kinds of links. My mother ordered me something that was delayed until after Christmas due to customs issues. And the message they sent me looked just like one of the spam messages. I had her call them since they wouldn’t talk to me; and she canceled the order since the new shipping date was “sometime in 2021”.