Shoppers Beware: Scammers Are Sending Fake Shipping Notifications to Steal Your Info


With the pandemic pushing more holiday shoppers online this year, business is booming for major shippers like Amazon, FedEx and UPS. Shopping centres around this time are already veritable Petri dishes with crowds packing into stores and willing to elbow the ever-loving Christmas cheer out of each other over gifts. And to cash in on the wave of shoppers opting for a virtual haul this year, scammers have overwhelmingly shifted to using fake shipping notifications in their phishing schemes, per a CNBC report.

As the outlet notes, the cybersecurity firm Check Point Software Technologies found a more than 440% worldwide increase in phishing emails impersonating shipping companies between October and November and a 72% jump since November last year. Scammers most often impersonated DHL Express in their campaigns, followed by Amazon and FedEx.

Here’s how the scheme works: Scammers send fake emails, typically disguised as “delivery issue” notices or shipment tracking details, to lure people into clicking on them. They then steal victims’ personal information through phony password reset prompts, counterfeit branded pages asking for credit card information, and other phishing methods.

“We have our mind on other things like pandemic and our kids getting remotely educated,” Brian Linder, a threat prevention manager at Check Point, said in an interview with CNBC.

“And it’s a perfect time for these bad actors to prey on consumers that are not paying close attention,” he said, adding that these campaigns are often successful because so many shoppers are already accustomed to seeing major shipping companies like Amazon in their inbox.

“[M]ost of us are doing business with Amazon. We’re ordering on Amazon. And for us to get an email from Amazon about a package we ordered would be perfectly normal and expected,” Linder told the outlet.

Tom Hoehn, a Long Beach realtor and victim of one of these scams, said he received a fake shipping email disguised as a delivery error notice from UPS when he was expecting a package from the company:

“It looked like it was from UPS and it said we were unable to deliver your package. However, if you click on the following link you can look up the tracking information on that package and then you can reroute it back to your place. At that point, I clicked on the link and my screen started flashing,” Hoehn told CNBC.

A message then popped up warning him that he’d been hacked and his files encrypted and that he could pay a ransom of some 150 bitcoins, which was worth about $US66,000 ($86,572) at that time, to get them back. After he refused to pay, he lost access to everything on his computer, and a few months later had his email hacked and was informed by the IRS that he was the victim of identity theft, per the outlet.

Amazon, UPS, FedEx, and DHL all have dedicated emails and procedures for users to report emails, calls, or other forms of correspondence that look questionable. Amazon public relations manager Craig Andrews told Gizmodo that most of these scams are nothing new, but rather “a variant of common phishing scams – using popular brands and an urgent request to catch consumers off guard.” A company statement he shared via email said Amazon customers can report suspicious emails impersonating the company to [email protected], and pointed to several resources detailing how customers can avoid getting tricked by phishing schemes, including those that use gift cards to scam victims.

Telltale signs you should keep an eye out for to avoid these kinds of scams include grammar or spelling errors, unencrypted landing sites, copycat logos or domains, and messages with countdowns to convince you to quickly respond, per CNBC and Check Point. Check Point added that a good way to check if a link is legit is to avoid clicking it in the email and “instead click on the link from the Google results page after searching for it.” Victims of these scams can report them to the Federal Trade Commission or the Better Business Bureau’s Scam Tracker tool.

You’ve got to be a real Grinch to capitalise on the pandemic’s craziness (not that some billionaires, including Amazon CEO Jeff Bezos, weren’t doing that already, of course), but nonetheless I can see why the recent e-commerce boom has attracted scammers’ attention more than usual this holiday season. This year’s Cyber Monday was reportedly the largest online shopping day in U.S. history, with sales exceeding $US10 billion ($13 billion) according to Adobe Analytics, and major shippers like Amazon have seen huge surges in their end-of-year sales. At the end of the day, grifters gonna grift, even while a deadly virus wreaks havoc.

[CNBC, Check Point Software Technologies]

