Phishing attacks posing as popular delivery services are becoming more challenging to spot. Many of these scams begin with a text message or email, often claiming that a package cannot be delivered. They may use language, such as “final notice,” to scare users into acting immediately. These messages provide a link stating that more information is needed to finish the pending delivery.
USPS SMiShing attempt. Source: Akamai
Upon clicking the provided link, users are directed to a well-crafted malicious website. The website’s design may appear to be a replica of the authentic delivery service’s website, using logos, color schemes, and a falsified tracking information page. These websites may ask for address information or state that a small fee must be remitted to release the package for delivery.
These threat actors often use combosquatting domains to impersonate the delivery service. Researchers compared the volume of DNS traffic to the legitimate USPS.com and to combosquatted domains over five months. The study was limited to domain names that include “USPS” and focused on the most apparent examples of combosquatting. Fully qualified domain names were ignored during the analysis due to the use of subdomains. Even within these parameters, the researchers discovered that the impersonated USPS domains receive as much traffic as the official domain, and a much higher amount during holidays.
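A triage check for links in delivery-themed messages, added here as an example (it is not code from the researchers or from USPS): it separates the official domain from combosquatted registered domains and from hosts that only carry the brand in a subdomain, the case the study set aside. The `.example` hostnames are constructed, and treating the last two labels as the registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

BRAND = "usps"            # keyword the study filtered on
OFFICIAL = {"usps.com"}   # official domain named in this advisory

def registered_domain(host):
    """Assumption: the registered domain is the last two labels.
    Use the Public Suffix List for suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(url):
    """Return 'official', 'combosquat', 'brand-in-subdomain' or 'unrelated'."""
    # urlsplit needs a scheme or leading '//' to recognise the host part
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in OFFICIAL:
        return "official"
    # Brand keyword combined with other words inside the registered name
    if BRAND in reg.split(".")[0]:
        return "combosquat"
    # Brand appears only left of the registered domain (subdomain lookalike)
    if BRAND in host:
        return "brand-in-subdomain"
    return "unrelated"

def suspicious_links(urls):
    """Links that mention the brand but do not resolve to the official domain."""
    flagged = {"combosquat", "brand-in-subdomain"}
    return [(u, classify(u)) for u in urls if classify(u) in flagged]

# Constructed sample links, not taken from any real message
SAMPLE_LINKS = [
    "https://www.usps.com/manage/",
    "https://usps-redelivery.example/track?id=1",
    "http://usps.com.parcel-hold.example/pay",
    "https://news.example/shipping-delays",
]

if __name__ == "__main__":
    for link, verdict in suspicious_links(SAMPLE_LINKS):
        print(f"{verdict:20} {link}")
```

Substring matching produces candidates for review, not verdicts: an unrelated organization whose name happens to contain the keyword would also be flagged.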
While threat actors continue improving their techniques, there are signs of malicious attempts to steal information:
- The greetings are generic, as threat actors often send mass messages and do not have specific details.
- The message describes problems that require personal details, payment information, or re-entry of address information.
- The recipient has no prior knowledge of the incoming delivery.
- The provided link does not lead to the official website for the delivery service.
Recommendations
- Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
- Track incoming packages via websites obtained from verified and official sources.
- Navigate directly to legitimate websites and verify websites before submitting account credentials or providing personal or financial information.
- Report SMiShing to the FTC, FBI’s IC3, and the NJCCIC, and forward the message to 7726 (SPAM).
- USPS requests that any USPS-related SMiShing also be reported to spam@uspis.gov.