“Back to basics” as courier scammers skip fake fees and missed deliveries

by 

We’ve been warning about fake courier scams on Naked Security for many years, even before the coronavirus pandemic increased our collective reliance on home deliveries.

These scams can take many different forms, including:

  • A fake gift sent by an online “friend” is delayed by customs charges. This is a common ruse used by romance scammers, who sucker you into an online friendship, for example by stealing other people’s profile data from online data sites, courting you online, and then “sending” you a “gift”, often jewellery or something they know you would appreciate if it were real. The scammer then pretends to be the courier company handling the “delivery”, correctly identifying the item, its value and its made-up shipping code. Finally, there’s a customs or tax payment to make before the item can be released in your country (something that often happens with genuine deliveries via geniune courier companies). Some unfortunate victims pay out this fee, in cash, in good faith. In this sort of scam, the crooks are directly after your money.
  • A fake order will be delivered once you have confirmed the purchase. These fake orders range from low-value subscriptions that have auto-renewed, all the way to expensive new mobile phones or gaming consoles that will ship imminently. Given that it’s easier to guess what you haven’t just bought than what you have, these crooks are banking that you will click the link or phone the “customer support” number they’ve helpfully provided in order to cancel or dispute the charge. Once they have you on the hook, skilled social scammers in a call centre operated by the crooks offer to “help” you to cancel the bogus order or subscription (something that can be annoyingly hard for legitimate goods and services). In this sort of scam, the crooks are after as much personal information as they can persuade you to hand over, notably including full credit card data, phone number and home address.
  • A fake delivery failed and the item was returned to the depot. These fake delivery notices typically offer to help you reschedule the missed delivery (something that is occasionally necessary for legitimate deliveries of geniune online orders), but before you can choose a new date you usually need to login to a fake “courier company” website, hand over credit card data, or both. The credit card transactions are almost always for very small amounts, such as $1 or $2.99, and some crooks helpfully advise that your card “won’t be charged until the delivery is complete”, as a way of making you feel more comfortable about committing to the payment. In this sort of scam, the crooks won’t bill you $2.99 now, but they will almost certainly sell your credit card details on to someone else to rack up charges later on.

KISS – Keep It Simple and Straightforward

But some courier scams keep things way simpler than this, like this one we received ourselves over the weekend.

The email simply offers you a waybill for a delivery that’s headed your way:

This message was aimed at our business email address, and the company’s physical address is a matter of public record, so just confirming delivery details doesn’t sound as though it’s a major privacy risk…

…until the next stage of the process demands a password for the associated email account:

Note that the email address and the company name shown in the password phishing page are extracted directly from the URL specified in the original email.

In the example above, the URL was: https://[REDACTED]/index.php?​email=​yourname@​naksec.test, making it easy for the [REDACTED] website to present a login page with a company name in it, without needing a database of tracking codes shared between the crooks sending the scam emails and the crooks operating the scam web page page.

After you’ve put in your password and the crooks have harvested it, you’re redirected to the domain name from your email, typically the main page of your own company’s website, as a sort of decoy to distract you:

Interestingly, the fraudulent login site redirects via HTTP, but most web servers these days will then automatically redirect you to their HTTPS version, so you probably won’t end up on an insecure page as shown above.

Note that in this scam, there’s no fake payment demanded, no fraudulent credit card payment form, and no failed delivery to reschedule.

Just a “waybill” you can view and verify.

What to do?

  • Check all URLs carefully. Learn what server names to expect from the companies you do business with, and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms. Learn not only what your own company’s email login page is supposed to look like, but also exactly what URL it uses, and never login from anywhere else. Look before you leap – it only takes a second.
  • Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all! (See point 1 above.) Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.
  • Stop. Think. Connect. Those three words are a long-running and easily remembered phrase from Cybersecurity Awareness Month, which starts in two weeks’ time (October 2021). Try repeating those word aloud to yourself, emphasising the pauses denoted by the periods (full stops), before every online transaction. When you’re on a login page or a payment form, you’re more likely to make a mistake if you’re in a hurry. Of course, you don’t need to wait for Cybersecurity Awareness Month to be aware – get in the habit today!