As the vast majority of customers shop from the safety of their homes amid another surge of Covid-19 cases, online shopping is seeing its biggest season ever. Amazon, for example, saw $4.8 billion in third-party sales in the days after Thanksgiving, a 60% increase from last year. But as online sales surge, so have the scams. Hackers are impersonating Amazon, FedEx, UPS and other major shippers, texting and emailing fake package tracking links to launch malware or mine for personal information.
Example – I got an email: “Oh, your package is almost here. It couldn’t get delivered. Click on the following link to get a status update so it can be delivered.” I clicked on the link and then all of a sudden my whole computer screen went blank. And then I get this big pop-up screen on my computer that said, “OK, well, we’ve hacked your computer. Pay us, and I don’t remember how many bitcoin it was, to this account and then we will unlock your computer.” And I mean, I freaked out.
Check Point, a cybersecurity firm that secures consumers and Fortune 500 companies, found that messages impersonating shippers were up 440% from October to November and up 72% from this time last year. This is a look into why delivery fraud is on the rise, what’s at stake for victims of the scams and how to stop phishing attacks from flooding our devices.
How hackers are using delivery messages
Foot traffic at regional malls on Black Friday this year was down more than 70% according to S&P Global Market Intelligence. Meanwhile, Amazon’s third quarter sales increased by 37%, with profit up almost 200%. Wal-Mart’s e-commerce sales were up 79% and Target’s were up 155%. Fourth quarter is expected to be even bigger.
The phishing message includes a fake link to track or reroute your package and clicking it will launch ransomware or take you to a site that mimics one of the big shipping companies, tricking you into entering financial or personal details. In the U.S., Check Point found that 65% of those were impersonating Amazon.
The link may redirect to a counterfeit branded page promising a reward for filling out a survey, or it could trigger a ransomware attack. Sometimes, when you don’t pay the ransom amount, you lose everything on your computer. Months later, you may be a victim of identity theft. And when someone clicks once, it signals to hackers that the same trick could work again.
Fake gift hackers
Another form of delivery fraud involves hackers leaving fake missed delivery tags, enticing users to call and leave personal information to reschedule the delivery. And popular on social media now are fraudulent gift exchanges, known as secret sister scams. The problem is that this scam running on social media is not coming from your friends. You’re being tacked on to a list that is generated from who knows where, and your personal information is being collected by a complete stranger.
Even unknowing users re-sharing gift exchange scams can be subject to penalties such as jail time and fines. More general shopping-related scams are also on the rise. According to Check Point, early November saw more than double the “special offer” phishing campaigns of early October, making up one of every 826 emails.
What should you do?
Don’t click on any links in that text or email. Don’t press one to speak to a customer service representative. Hang up the phone, go to FedEx.com or USPS.com or DHL.com and put in the tracking information yourself. But as scammers get better at impersonating brands, fraud gets harder to spot. A fake message may carry the real logo and may even be structured to look like the actual website.
Still, there are some warning signs to watch out for. If they’re asking you to click on a link to get more information, that’s a big red flag. Be on the lookout for pressure language such as “Urgent!”, “Warning” or “We have some money for you.” Look closer at the address, too: maybe it’s Amazon.co instead of Amazon.com, or maybe there’s an ever-so-slight misspelling, such as the Z and the A reversed in the domain name.
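The two address checks described above (a wrong ending such as Amazon.co, and a name with two letters swapped) can be automated. The sketch below is an added example, not part of the original article; the trusted list, the function names and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list: the shipper and retailer sites named in the article.
TRUSTED = {"amazon.com", "fedex.com", "usps.com", "dhl.com", "ups.com"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance in which swapping two adjacent letters costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]

def registered_domain(url: str) -> str:
    """Last two host labels. Assumption: no multi-part endings such as .co.uk."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_link(url: str) -> str:
    """Classify a full URL (scheme included) against the trusted list."""
    domain = registered_domain(url)
    if domain in TRUSTED:
        return "trusted"
    name, _, ending = domain.partition(".")
    for good in sorted(TRUSTED):
        good_name, _, good_ending = good.partition(".")
        if name == good_name and ending != good_ending:
            return f"lookalike of {good}: wrong ending"
        # Names of four letters or fewer are skipped: one edit matches too much.
        if len(good_name) > 4 and osa_distance(name, good_name) == 1:
            return f"lookalike of {good}: misspelled name"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links, not taken from real messages.
    for link in ("https://www.amazon.com/track", "http://amazon.co/track?id=1",
                 "https://amzaon.com/pkg", "https://example.org/"):
        print(link, "->", check_link(link))
```

A result of "unknown" only means the address resembles nothing on the list; it is not a sign that the link is safe.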
There are also ways to prevent the scam messages from reaching you in the first place. Make sure your devices are up to date on all the security updates. Those updates are how providers protect consumers. Operating systems have built-in security protections, and so does each mobile provider.
- Back up your machine.
- Change passwords often.
- Turn on two-factor authentication.
- Use a variety of different email accounts and passwords for different online activities.
Statistically, many people are reusing passwords. Don’t do that. Use different passwords across your different logins. And if you do click a link, check that the site is encrypted before entering any personal information. If the address starts with http rather than https, with no s on the end, it’s not encrypted. You can also look for the little lock icon, which is going to be up in the left-hand corner.
Report the scams
But if you do fall victim to one of these scams or even just come across one, report it directly to the Federal Trade Commission or through the Better Business Bureau’s scam tracker tool. And that information is actually used by the Federal Trade Commission, by state, local and federal law enforcement agencies. So perhaps somebody on their IT team can go back and look at that if they’re working on a particular case and try to trace down the bad guys.
You can also file complaints with the Internet Crime Complaint Center, Fraud.org or your state attorney general. Inform your carrier of a spam text by forwarding it directly to SPAM. Once a phishing attack is reported, the U.S. Postal Service and the FBI can get involved, but it’s largely up to the FTC to investigate.
Amazon, FedEx & DHL’s actions
Amazon said that it will go after hackers and scammers, working with the FTC or the Better Business Bureau. In a statement, Amazon said, “Any customer that receives a questionable email, call or text from a person impersonating an Amazon employee should report them to Amazon customer service. Amazon investigates these complaints and will take action if warranted.”
FedEx said that it does not send unsolicited text messages or emails to customers requesting money, package details or personal information, and it asked customers to report fraud. UPS has similar policies and a dedicated reporting email, as does DHL. DHL also said that it partners with “a technology company to help us detect trademark infringements, counterfeit sales, phishing attacks, bogus recruitment ads, other types of fraud and more.”
Microsoft & Apple on Hackers
The companies that make our devices are also on guard. Microsoft, for example, has a digital crimes unit that works with law enforcement and claims to have rescued more than 500 million devices from cyber criminals since 2010. In its recent digital defense report, Microsoft said it stopped more than a billion phishing emails in 2019, with attacks up 35% overall in the first half of 2020.
Apple, meanwhile, offers public recognition and even bounties of up to $1 million to users who report security issues. As long as people have been exchanging things with each other, people have been scammed. Just be aware that the ways scammers contact victims and get victims to pay continually change with the technology.
What’s the next scam to watch out for?
Hackers have figured out what works. And the suspicion, shared by government officials, is that they will take a real hard look at the Covid vaccines. Check Point found fake vaccines being sold online for bitcoin equivalent to around $300. It also found phishing emails containing a malicious file with vaccine language in the name that, if clicked on, installs software that mines usernames and passwords from the device.
Organized crime is really gearing up to try and exploit people’s desire to get this vaccine. So consumers should really expect to start seeing social media messages, emails, phone calls and text messages offering to get them to the front of the line for the vaccine if they pay some money up front. Take care and beware of hackers and scammers.