Con Artists Capitalize on Online Shopping Surge, Send Bogus Delivery Notices to Trick Consumers
Last updated October 19, 2020
The pandemic is changing the way Americans shop, pushing e-commerce to record levels––up 32 percent in the second quarter of 2020, according the U.S. Census Bureau.
Scammers have noticed the trend and are capitalizing on it with a fresh wave of email and text message phishing attacks. To arrange for delivery of your package, the typical fraudulent message says, you need to click on a link or open an attachment.
Hoping to fool you, a bogus email or text often has a logo or image copied from a well-known delivery service (DHL, FedEx, UPS, or the U.S. Postal Service).
“We’re all familiar with getting notifications about packages, so another one might not set off alarm bells,” said John Breyault with Fraud.org, a service of the National Consumers League. “The scammers are counting on that, and they're counting on you to open the attachment or click on the link and give them the information they need to defraud you.”
Download the attachment and it will install malware onto your device. Click on the fake link and it will lead to a phishing website created by the scammers to look like the real website of the delivery service or well-known retailer, such as Amazon.
“These authentic-looking sites are bogus, designed to steal your personal information, such as Social Security number, mailing address, credit card number, or bank account routing number to use for identity fraud,” Breyault cautioned. “Do not supply any personal information, even if it’s just to ‘verify’ your identity.”
People who click on the link may also wind up inadvertently signing up for high-cost subscription services they don't want and are difficult to cancel, Breyault told Checkbook.
I get a couple of bogus DHL alerts every week. While the designs are different, this phishing email typically includes a copied DHL logo or DHL image to make it look real. In most cases, the email is sent via a hacked server, often in a foreign country. Seeing the extension “.ro” (Romania) or “.pw” (Palau, an island nation in the western Pacific Ocean) is a dead giveaway.
Sometimes, imposters spoof their email addresses to make them look legit, such as [email protected]. That’s why you can never trust the address that’s displayed. It can be part of the scam.
Note: Unfortunately, in many mobile email apps, the sender’s address doesn’t appear when you read email on your phone unless you click on the sender’s name, making it even easier to get fooled.
Some Package Delivery Fraudsters Use the Phone
The Better Business Bureau warns that package delivery scams also can take place over the phone. They typically start with a robocall. You may be told to “press 1” to speak to a representative. Don’t do it.
If you take the bait, you’ll be connected to a scammer, who will claim to be with the parcel delivery service informing you about a package it couldn’t deliver for some reason.
“If you don’t remember ordering anything that needs to be delivered, the caller may try to convince you the package is a gift from a friend or relative,” the BBB cautions in a fraud alert. “The caller may sound friendly and professional, making the scam harder to spot.”
But it won’t take long for them to ask you to verify personal information or provide credit card information to reschedule the delivery. That’s when you need to hang up. There is no package and sharing your personal information with a con artist can have serious consequences.
“Package delivery companies will never contact you unsolicited via telephone call or text,” the BBB says. “Instead, if a package cannot be delivered, they usually will leave a note on your door. They may follow up with an email, but most official communications will be within your secure online account.”
Protect Yourself
If you get a package delivery notification via text or email for a package you were not expecting, you should assume it’s malicious.
“Do not be alarmed by language in text messages, emails, or phone calls that claim your response is ‘urgent.’ This is a common tactic that scammers use to get you to act before thinking,” Fraud.org warns.
Should you get an unexpected email or text message about a package, don’t click on any links. “If you think the message could be legit, contact the company using a website or phone number you know is real. But don’t use the information in the text message,” the Federal Trade Commission advises.
The smart move is to track your packages when you order online. If you don’t receive the information automatically, contact the retailer to request tracking numbers, so you’ll know when each package should arrive. By knowing what should arrive and when, it will be easier to spot a scammer trying to fool you with a fake delivery notice. Knowing when your order is coming should also reduce the chances of having your package stolen by a porch pirate.
If you think you’ve fallen for a package delivery phishing scam, file a complaint with Fraud.org via its secure online complaint form.
You should also take action to prevent identity theft, such as alerting your bank or credit card company and changing passwords or PIN codes. And enable two-factor authentication to protect all of your financial accounts, including any retirement plans.
There isn’t much you can do if you gave your Social Security Number to a scammer, other than monitor your accounts and put a freeze on your credit files at the big three credit bureaus, Equifax, Experian, and TransUnion. You should also file an identity theft report with your local police department (you should be able to do that online), in case a criminal pretends to be you. You can talk to trained ID theft counselor at the non-profit Identity Theft Resource Center by calling 1-888-400-5530.
More Info:
BBB: Safe Delivery Tips for Holiday Shipping
Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He is also the consumer reporter for KOMO radio in Seattle. You can also find him on Facebook, Twitter, and at ConsumerMan.com.