The increase in online shopping during the pandemic paralleled an increase in complaints to the FCC regarding delivery notification scam calls and texts aimed at stealing victims’ personal information and money.1 Many package delivery scams begin with a text message or an email regarding a package delivery to your address. These messages often contain a tracking link that you are urged to click on in order to update or confirm your delivery and/or payment methods. In some instances, victims receive voicemail messages or physical door tags regarding a “missed delivery” and are prompted to call a provided phone number to arrange another delivery attempt. Clicking on malicious links or returning phone calls can lead to a number of cybersecurity threats:
Fake survey pages. Requests to complete surveys are routinely accompanied by promises of free gifts or entries into prize drawings. A malicious survey link may, instead, lead you to fill out an online survey that prompts you to provide excessive personal information, such as credit card details, claiming that the information is necessary for your reward to be processed. Cyberattackers then steal this personal information.
Fake login pages. Phishing emails can appear authentic complete with branding, disclaimers, social media links to Facebook, Instagram, Twitter, and LinkedIn, and official-looking contact information. Within the malicious email there will be a link prompting you to submit login details in order to view delivery status, change settings, or update your information before your package can be delivered. Once this information is inputted, cyberattackers then steal this personal information.
Trickbot. Trickbot is a malware that, once installed, can transform itself and add new features to evade detection. An authentic-looking USPS email contains a malicious attachment appearing to lead to a USPS invoice that claims to require editing due to document protection actually leads to a Trickbot installation full of malicious capabilities.
DHL spoofing. Cyberattackers send a convincing-looking email directing you to view a shipping document from DHL, but once the file is clicked on it actually directs you to a credential-harvesting web page that may also install a trojan to steal personal information from your computer and to take it over in order to propagate more attacks on your network2.
Sample package delivery phishing scam messages include:
- Your parcel from USPS was delivered to the parcel shop yesterday on 2021-12-27. View where you can pick it up: <URL>
- 3 Items addressed to you, will be getting there on December 27th. Confirm drop-off instructions, <URL>
- USPS NOTICE: Your order is scheduled for delivery tomorrow. Check estimated time of arrival here: <URL>
- Hello (you), your USPS delivery with tracking code 48722 is waiting for you to set delivery preferences: <URL>
- Your DHL parcel is out FOR delivery today. Track or divert your parcel here: <URL>
- Your package with DHL (ePacket) is now in transit. <URL>
- Your order will be delivered by DHL tomorrow between 10:27 and 13:27. Track progress <URL>
1 FCC, 2021, “How to Identify and Avoid Package Delivery Scams”
2 Montalbano, 2022, “Shipment-Delivery Scams Become the Favored Way to Spread Malware”