
Holiday Fraud Delivery Notification Scams

11/28/2023

By: Fidelity Bank


There is an increase in sophisticated fraud schemes that could lead to a miserable holiday season. Do not be caught off guard.

 

This is a post from DefenseStorm, a provider of built-for-banking cyber risk and real-time fraud detection solutions.

Holiday Fraud Delivery Notification Scams: “You Have a Package for Delivery!”

THE SCAM: With the holiday season just around the corner, it’s a time for celebrations, travel, and shopping, but it’s also prime time for fraudsters to prey on unsuspecting consumers. Amidst the hustle and bustle of planning and festivities, people become easy targets for scammers. A common holiday scam involves fraudulent “Delivery Notification” text and email messages that appear to come from reputable delivery services like FedEx, DHL, UPS, Amazon, and even the post office. Eager to receive their package, consumers often click on malicious links and even voluntarily provide banking information, resulting in loss of money or personal data.

THE SCHEME: Hilary Chapple [Calgary] unexpectedly received a text from the local post office claiming she had a package ready for delivery. Assuming it was a gift from her brother, she clicked the link, which instructed her to fill out forms and provide banking information to process the delivery. Unfortunately, Ms. Chapple proceeded to fill out all the requested information, and by the next morning, scammers had withdrawn nearly $2,700 from her account. Chapple realized the mistake and immediately contacted her bank. The financial institution (FI) initiated a fraud investigation and reimbursed all the money to her. In this case, Chapple acted quickly, and her FI refunded her money regardless of the fact that it was her error; however, other victims have not been quite as lucky with their outcome, and it wasn’t money they lost.

Tom Hoehn (Long Island, NY) was actually expecting a package delivery, so when he received an email from UPS stating that the package was “undeliverable,” it didn’t even occur to him that it was a phish. The email directed him to click on a provided link to obtain tracking information and reroute the package. The moment that Mr. Hoehn clicked the link, an ominous flashing began on his computer screen with the following message: “You have been hacked. We have encrypted all of your files. Send 150 bitcoins to this address.” Hoehn refused to comply with the request for bitcoins, valued at more than $66,000, and his computer was wiped of everything. Like a domino effect, one click on a malicious link resulted in him losing everything on his computer, his identity being stolen [as confirmed by the IRS], his email being hacked, and phishing emails being distributed to his entire contact list – which numbered in the thousands.

 

FRAUD GEEK EXPLAINS

Both of these cases were fraudulent “Delivery Notification” messages and seemed to come from a reputable company. In the first case, Chapple was a victim of a common scam called smishing, which refers to a cyberattack where fraudsters use text messages to trick individuals into divulging sensitive information. Smishing texts often contain deceptive or urgent messages with a request to confirm personal information or credentials to access accounts. According to the Federal Trade Commission (FTC), “Americans reported $330 million in losses to text scams last year, more than double the reported losses from 2021.”

In Mr. Hoehn’s case, the phishing email contained ransomware – a type of malicious software that encrypts a victim’s files or locks them out of their computer or data until a ransom is paid to the attacker. Often, fraudsters will request payment in cryptocurrency, like Bitcoin, to maintain a degree of anonymity. If the victim fails to pay, they face the loss of their data.

Both stories share a common theme where the victim trusted the text or email source due to the perceived legitimacy of the message. This trust was built on the fact that either they were anticipating a package or the message appeared credible. As we approach the holiday season, we tend to receive a higher volume of packages from our loved ones and various online retailers such as Amazon, which makes it easier to fall for such scams. According to new research from Citizens Advice, “Parcel delivery scams are by far the most common scam faced by the public so far this year [2022]. Almost half of people (49%) targeted by scammers had been on the receiving end of a malicious parcel delivery scam, with scammers attempting to get hold of personal information or bank details.”

 

FRAUD GEEK’S ADVICE

Consumers can protect themselves by remembering the following:

  • Scammers often impersonate credible delivery services: Amazon, UPS, FedEx, DHL, USPS.
  • Never click on an unsolicited link from delivery services or couriers. If there is a question about a package, contact them directly using the email or phone number listed on their website.
  • Be wary of ANY unsolicited texts or emails that sound urgent or require immediate action.
  • Use official apps or websites to track deliveries – don’t rely on email/text updates.
  • Reputable businesses will not ask for login credentials or personal information over the phone or text.
  • If you think you’ve clicked on a phish or compromised your account, call your FI immediately to report fraud.

The messages and methods used to commit fraud may vary, but the outcome remains the same – loss of money and/or personal data. Examples of malicious text and email messages:

  • Subject: URGENT: Your package delivery requires immediate payment
  • This is FedEx. We attempted to deliver your package today, but no one was available to receive it. Click the link below to schedule a new delivery date and pay a $20 rescheduling fee.
  • Your package delivery [tracking number 1234567] is showing an issue with delivery. Please click the link below to verify your details and reschedule the delivery.
  • Your UPS package is ready for pick up. To confirm your identity, please click the link below and provide the requested information.

When in doubt, don’t click or reply!