If you receive a text message or email stating that the package cannot be delivered and the carrier needs to update your address, be aware that this is a phishing scam!
There are many versions of this scam, and sometimes they can make it feel like you have to pay import duties, but the process is much the same.
Especially around the holiday season, phishing scam emails seem to be more prevalent, as many recipients may mistakenly believe that they received a package from a family member or friend with the wrong address.
To show you how this phishing scam works, here is a screenshot of a text message I received this month. I followed the link provided (on a secure untrackable browser on a VPN) and stopped before the scammers wanted my credit card info.
SMS Phishing Scams
I’m using the SMS example because they are more common these days and most email filters will automatically send these types of phishing emails to the spam folder.
Note: I’ve used red blocks in these screenshots to hide some personally identifiable information that might be the contact details of real but innocent people.
In the first screenshot, you can easily see the first question of the text message. Scammers often try to slightly disguise the carrier name to avoid detection as a possible phishing scam. In this case, they use US/PS to make it appear to be from the United States Postal Service (USPS).
I’ve had similar text messages from scammers pretending to be from UPS, FedEx, and dhl. Therefore, this phishing scam is not unique to USPS and may come from other courier or e-commerce companies as well.
Second, you can see that the links in this article do not link to the USPS website (usps.com). Instead it looks similar to a link shortened by a link shortener.
You may have seen links that start with bit.ly, goo.gl, g.co, ow.ly, t.co, or youtu.be, all of which are legitimate link shortening services. but. Whether that link comes from a legitimate link shortening service or a fake link shortening service (like here), either way, it’s still a scam.
Seems real, right? But this is a phishing site. Some browsers might even flag it as a phishing site, but these crooks change URLs so often that browser companies have a hard time keeping up.
The page shows a tracking number (which has apparently been heavily used by this phishing scam, as a Google search for it found references to the scam) and big red letters asking for action to provide your shipping address.
The next screenshot shows more of the same phishing page from above. Here you can see how scammers are trying to get all your personal information. Obviously, I’m giving false information here.
I should also note that none of the links or text/buttons (except the “Continue” button) that look like links are actually functional. They are just text.
We get to the payment screen, where the scammer wants you to enter your credit card information, which includes an expiration date and a security code, so they can charge you a $3.00 redelivery fee.
The US Postal Service has no such fee (currently…), but some other carriers may charge a redelivery fee after multiple delivery attempts.
Payment success screen
I provided the scammer with a test credit card number that passed basic validation tests to ensure the credit card number was the correct number series before being passed on to the payment processor.
In this case, I did try a random set of 16 numbers first, and the validation failed, indicating that the phishing page was running those numbers through this pre-test to make sure the credit card was “valid”.
However, I doubt that scammers are actually doing this “charging” through payment processors, since the point of this phishing scam is not to charge a lousy $3, but to sell credit card numbers on the dark web for more. One secure site I found claimed that credit card data from 2022 was worth between $17 and $120 on the dark web.
Below are the next two screenshots, first showing the usual “Processing” wait graphic when a payment is processed, followed by a “Success Page” showing that the address has been updated.
Clicking the “Continue” button now will send you the real USPS home page, making the whole process look and feel legit.
what the liar got
Again, the key point here is that scammers now have a ton of information from you. they have:
- your name
- your address (billing address)
- your email address
- your phone number
- your credit card number
- Your credit card expiration date
- your credit card security code
This is sufficient for online purchases on many popular e-commerce sites, as many sites will only confirm the billing address and ship to any other valid address if the security code and expiration date returned by the payment processor is valid.
In a short period of time, scammers can charge hundreds to thousands of dollars online and have the product shipped to a specified address.
Credit Card Fraud Is a Billion Dollar Business
Unfortunately, credit card fraud continues to spread online and worldwide. One 2020 estimate puts the problem at $11 billion a year in the U.S. alone, while another report estimates that global fraud is increasing rapidly, tripling over the past decade to reach $32.39 billion by 2021 Dollar.
Often, victims of phishing scams don’t realize they’ve been scammed because the initial phishing attack didn’t come with an unusual charge. It may take weeks or months for small charges of approximately $1 or less to temporarily appear as pending charges on your credit card account.
But this is enough of a “test” to let the thief know that the card is “valid”, so they can go on to spend hundreds or thousands of dollars with the card, often avoiding detection for a short period of time.
Tips for Early Detection and Prevention
Hope you haven’t experienced this kind of phishing scam that steals your credit card details. However, if you suspect this may have happened, call your bank or credit card company’s security or fraud department and request a new card number immediately.
Today, many credit and debit cards offer instant notification of pending charges via text message, email, or pop-up notification on a mobile app. I highly recommend opting in to these, even if you don’t use certain cards very often. This is an early warning system, especially if you see a very small charge that you didn’t recognize.
Check your credit card account at least once a week and your debit card account daily. The reason I recommend checking your debit card account daily is that the money is immediately withdrawn from your bank account or unusable, not just reducing your available credit limit.
While almost all credit and debit cards today come with some kind of fraud protection that puts you at no risk, debit cards sometimes take longer to resolve. Now the money is out of your pocket.
This is also the reason I never use my debit card online, only at a bank or at a trusted big box grocery store or retailer. I am almost certain that there is almost zero risk of someone hacking a terminal to steal my debit card. Details .
Big tip: never use debit card In restaurants, the card itself disappears from your view when the waiter finishes the check. If the server is unethical, he or she might run it through a browser to get all the card information.
I don’t want to put the industry at such a disadvantage, but I have one credit card that I use for all my travel expenses, especially at restaurants, and I have to change my credit card charge at least once a year due to fraud.
In the US, more and more restaurants are switching to tableside terminals, which is very common in Canada and other countries. This will increase security because when the diner themselves process the card through this tableside terminal, the card never leaves the diner’s possession.
While we at eSeller365 primarily provide information for small business online merchants and marketplace sellers, I think this is great information for online business owners as well.
Customers might contact you asking why the address on their order was incorrect and why they had to pay to have it corrected, and now they know why. These phishing scams don’t reveal the sender, so customers may think the update our address message is from a recent order they may have placed at your store.
By explaining what might have happened, you can help your customers avoid being scammed. And they’re less likely to blame you, since research shows that customers won’t come back if they suspect that the fraud somehow originated with an online merchant.
While the example I’m using here is from a text message I received, as I already mentioned, there are many variations of this phishing scam, and they all follow the same general pattern. UPS published examples in PDF documents showing similar phishing attacks via email and in different languages.
Always keep an eye out for anything that looks weird!
Connect with us and other small business owners
Go to our Small Business Sellers Facebook Group and interact with other small business owners.
Follow us on Facebook, Twitterand LinkedIn to stay up-to-date with news and business insights relevant to your online presence.
subscribe to our newsletter
business insight for your online business humorous
We will not share your information and you can unsubscribe at any time.