With holiday shopping season in high gear, shopping and delivery scams are also on the rise.
Scammers are sending phishing emails that appear to have tracking information, but are designed to trick you. They want to steal your personal data, take your deliveries, or buy some time to do some shopping of their own.
You check your inbox to see when your order is going to arrive. You see a very real looking email that looks something like this recent example:
In this email, the shipping label link is malicious but scammers also will also use tracking number links as well. Clicking the link could result in malware or adware being installed on your machine without your knowledge.
According the Better Business Bureau, a variation on this phishing scam is when the tracking number in the email is real and appears to work…but items end up delivered somewhere else.
There’s also a related con where you receive a shipping notification, but it’s not real because you actually shopped on a phony website. This means what you “ordered” never existed and will never arrive—but the shipping notification buys the scammers some time to use your credentials until you discover what’s going on.
No matter how the trickery works, the blame for a lost or missing package gets places on the package delivery service.
How to spot a phishing email
You may be expecting a package, and the email may appear legitimate at first glance— that is why you should be extra careful this time of year.
Look for these clues that the email may be a scam:
- Check who the email came from. Do you know who they are? An unknown sender or domain could be an indicator of a malicious email. TDS does not deal with many companies outside of the USA, so email from other countries are especially suspicious if not expected (.com.br, .ru, etc.).
- Check for urgency or threat of legal action. Some emails use pressure tactics, consequences, or threats of legal action to convince you to open an attachment or do something else you shouldn’t. Be on the alert for time-sensitive messages or final notice statements.
- Check the links/URLs. If you hover over a link for a second before clicking on it, it will show you the address for the link. If the address does not point to a location that is labeled similarly to the text of the link, it may be malicious.
- Check for poor spelling and bad grammar. Many phishing attempts are quickly put together and come from countries where English is not the primary language.
- If it seems too good to be true, it probably is. Here is an actual message someone reported here at our offices: “Please Kindly advise if your company has a trade license and capability to execute a multi-million contract project for the Government of Libya.” Um, yeah. Not real.
- Check the address before you reply. When you click Reply on an email, the address you are sending to should be the same as the original sender. For example, if you get an email from Your.Coworker@yourcompany.com and your reply is being sent to firstname.lastname@example.org, it’s a phishing attempt.
- Check for suspicious attachments. Attachments that contain malicious software are often given generic or random files names, like invoice.pdf or F5JD8FNM.DOC.
- Don’t open that attachment or click that link! If anything mentioned above makes you question the email, don’t open the attachment or click the link.
All of the suspicious indicators listed above have been found in various malicious emails sent to TDS employees at work and at home. If you aren’t careful with every message you get, you may lose control of your computer, lose pictures that are not backed up, or much worse.