These days, postal services use all kinds of channels to update you on your deliveries. Unfortunately, scammers can take advantage of these communications to trick you out of your money or install malware.
Let’s analyze how a scammer can impersonate your delivery service and how to avoid it.
1. Spreading Malware With Fake Postal Apps
Android banking trojan impersonates @lisalaposte and spreads via SMS
-targets #France ??
-sends SMS
-intercepts received SMS
-steals victims’ contact lists
-this Trojan is also known as FakeSpy/Roaming Mantis/MaqHao/XLoader #ESETresearch @LukasStefanko 1/3 pic.twitter.com/9qn4n3A62E— ESET research (@ESETresearch) April 16, 2020
Postal services will sometimes use apps to help manage and trace your packages. You can enter tracking numbers into them to see where your parcel is, or arrange for something to be delivered via the app.
They’re very convenient, which is why scammers use these apps to spread malware. They choose a country to operate in and design a phishing SMS message that mimics that country’s postal service.
The SMS message will state that the company has released a new version of its delivery app, and gives a download link. Of course, the link doesn’t lead to the official app at all; instead, it goes to a malware payload.
FakeSpy is an excellent example of this kind of attack. A malicious group called Roaming Mantis used this method to distribute malware called FakeSpy. When installed, FakeSpy asked for messaging permissions and the ability to work at 100 percent even if the phone is sleeping.
If the user granted these permissions to Fakespy, it would harvest sensitive information from the phone. Then, using the messaging permissions that the user gave it, it sends its download page to more victims. Even when the user puts the phone to sleep, FakeSpy would be hard at work harvesting data.
2. Spreading Malware Using Fake Attachments
This method of attack abuses how postal companies send you emails if your package suffers delays. Of course, it’s stressful to hear that an important delivery won’t arrive on time, which a scammer can capitalize on to trick users.
In terms of operation, postal service email scams aren’t too different than other email-based scams. The scammer will send you an email with malware attached and attempt to convince you to download the attachment.
How the scammer constructs the framework of the attack varies. Some will claim that the deliveryman missed you and that the package is now in a warehouse. They then prompt the user to click on the infected attachment, claiming the warehouse address is inside. Others may say they couldn’t verify your details and will point to the infected attachment so you can double-check your credentials.
The scammer may also use current affairs to cause panic among victims. For example, when the coronavirus began to take hold, scammers sent out emails saying that, unless the victim sends back their details in the infected attachment ASAP, their package will be held in lockdown
3. Tricking Users With Fake Websites
When we’re in a rush to get something done, we tend to miss out on tiny details that identify what websites are legitimate and which are fake. Scammers capitalize on this by creating impostor websites that look just like the real thing. They can then trick people into visiting these websites and hand over money and personal details.
For postal services, a scammer may set up a fake website that asks for names, addresses, and phone numbers to create a personal profile about you. These pieces of information are used in identity fraud, and handing over the data may lead to them using your information for future scams.
Others may ask for phoney delivery charges, including VAT and customs charges. If the victim obeys, the scammers run with the money while the victim believes they’ve paid for an important delivery.
For example, some scammers take advantage of change-of-address services to make money. A change-of-address service lets you temporarily redirect mail from one address to another, which is handy when moving house. As such, people looking for such a service are highly likely to be in the throes of moving home—a stressful period.
Scammers create pages that look similar to official change-of-address services, then try to get them high on Google’s rankings. When people search to redirect their mail, they click through onto the fake website and enter their details. The phoney site asks for a large payment to perform the service, which the victim pays.
Of course, because the website was fake, their mail isn’t redirected despite the victim paying up. It may take weeks, or even months before the victim discovers they’ve been conned.
4. Stealing Personal Information Using Phone Calls
In a similar vein as above, sometimes a scammer will call your home directly. They’ll use number spoofing to appear as if they’re calling from your country’s postal service. Once you pick up, they’ll say that an error occurred when processing a package and that they need to double-check your details to ensure the delivery can take place.
Of course, they don’t have any package waiting for you; instead, they can use this angle to ask you for your name, address, phone numbers, and other personal information. This information can be collected and used in future scams, such as identity theft.
If you’re worried that the representative on the other end of the line isn’t who they say they are, never fear; there are telltale signs that you’re on the phone with a scammer. Keep an eye out for these traits if you suspect someone is trying to scam you over the phone.
5. Mailing Fake “Missed Delivery” Cards
"Watch out scam"Top one with Royal Mail logo Genuine. Bottom one "Fake" No logo theywill bill you £45 if you ring number.. be vigilant.? pic.twitter.com/bBIyBZBWbR
— Dezzie… (@dezzietheblue) July 26, 2017
Some postal services will use a calling card if they couldn’t deliver your parcel. This card will state when the delivery took place, what the delivery is, and how to schedule a re-delivery. Unfortunately, these cards are easy to clone and used for scams.
For instance, in the UK, there’s the “Something For You” card. If the Post Office couldn’t deliver your parcel, they leave a red card with information on how to get it.
Scammers have created a near-identical copy to this card to direct people towards their scam. The only real difference is the lack of any official Post Office imagery or insignia—everything else looks similar.
These fake cards give the user a number to call to schedule the re-delivery. If the user dials it, their call redirects to a premium rate line. Once the call is over, the victim racks up a hefty phone bill for calling the premium rate service.
How to Protect Yourself From Postal Service Scams
The above scams all have one thing in common: they try to impersonate your postal service. As such, if you learn how your own service operates, you can detect these scams before they can trick you.
When you receive correspondence from your postal service, be sure to look out for any warning signs. A postal service shouldn’t contact you to “double-check” your delivery details, nor will they try to push you to download an attachment.
Likewise, if you receive a missed delivery card that doesn’t “seem right,” be careful—doubly so if you didn’t order anything online! If your postal service normally lets you reschedule deliveries online, and you get a card that suddenly demands you phone them instead, double-check the phone number online, and if possible confirm with the sender.
Staying Safe From Delivery Scams
With online deliveries becoming a booming industry, scammers gravitate towards delivery fraud to trick others into handing over their details or their money. Now you know the most notorious kinds of delivery scams and how to dodge them.
If you love buying things on eBay, be sure to read about the eBay scams you need to be aware of.
Read the full article: Love Online Shopping? 5 Postal Scams You Should Avoid