
Beware of USPS Phishing Scam

The US Postal Service is once again a target of a phishing scam.  In fact, the US Postal Service has an alert on their website saying “Customers be aware of fraudulent delivery messages sent by email or phone.”  This alert has a link to a U.S. Postal Inspection Service Crime Alert that says that postal customers are receiving bogus emails about a package delivery or online postage charges.  It states that the emails contain a link or attachment that, when opened, installs a malicious virus that can steal personal information from your PC.


The scam:

Our client was a victim of this USPS scam.  When he checked his email, he found a message that said that the delivery status of his package had changed.   This seemed legitimate since he had just mailed two packages at the post office that day.  To reschedule delivery, he was instructed to download a shipping label from the following URL.  That URL, however, was not the same URL as the actual site to which the person would be directed if he clicked on the link.

Figure 1: Image of the spam email

When hovering over that link, it was clear that the redirect link for the download went to a completely different website:

Figure 2: The redirect link shows when hovering over the download link.  DO NOT GO TO THIS WEBSITE!

The Postal Service has repeatedly been the target of email phishing scams.  Other recent scams included emails that said “the courier couldn’t make the delivery of the parcel today” and “delivery failure notification.”  Take note that the Postal Service doesn’t use email to notify customers about a package delivery.

What is a Phishing Scam?

Cybercriminals frequently “fish” for confidential information by sending phishing emails to unsuspecting victims.  The emails often appear to be from a company with which you regularly do business, such as the US Postal Service, FedEx, EZPass, and several financial institutions.  The email may even contain the logo of the company.  If the victim falls for the bait and clicks on the malicious link in the email, he may be redirected to a look-alike site that asks him to log in and provide other information, and the site collects whatever is entered.

Other phishing emails are designed to install malware on your computer.  If you open the attachment, your computer will be infected.  The malware might instruct your computer to send spam or to log your keystrokes or perform some other action that will send information to the attacker.

How to Recognize a Scam Email:

Being savvy will often alert you to the fact that an email is a scam.  Here are some warning signs of phishing:

  • The email contains spelling errors and/or grammatical mistakes. The name of the company might even be misspelled in the subject line or as the sender.
  • The email is regarding an account or activity with a company with which you have never done business.
  • The email is from a company that does not have your email address.
  • The email contains links that redirect the victim to a different site, or whose address contains a misspelled version of the company’s name. Always hover over links before clicking and don’t click on links that don’t direct you to the expected page. If you are unsure, type in the company’s website or search for it instead of clicking on the link.
  • The email contains a link which is not referenced in the body of the email. If an email contains only a link without information referencing it, even if it appears to be from someone you know, it could be a scam being sent from a hijacked account.  Open a new email, type in the name of the sender, and ask if that person sent you an email with a link.
  • The email has attachments that you are not expecting. Examine the format of the attachments to the email.  Don’t open an attachment that is a zip file (.zip) or an executable program (.exe), unless of course you are expecting to receive it, as it can make changes to your computer.
  • The email requests personal information, especially if it is from a company that already has your information.
  • The message tries to scare you into acting immediately.
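Two of the warning signs above can be checked mechanically before anyone clicks: a link whose visible text is a URL on a different host than the real `href` (the mismatch shown in Figure 2), and an attachment of a type the article warns about (.zip or .exe). The Python script below is an added example and is not code from Big Idea or the Postal Service; it builds a constructed sample message (all hosts under `example.invalid` are placeholders, and the displayed `www.usps.com` address is only the lure text) and then parses it the way a mail filter or a cautious help desk might, reporting both indicators. It generalizes beyond the single email in the article to any anchor whose displayed text looks like a URL.

```python
"""Flag two phishing indicators in an email: display-text/href host mismatch and risky attachments."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the article singles out as dangerous to open unexpectedly.
RISKY_EXTENSIONS = {".zip", ".exe"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; a scheme is assumed if the text lacks one."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(html):
    """Return links whose visible text looks like a URL but points at a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        looks_like_url = (" " not in text) and ("." in text or "://" in text)
        if looks_like_url and _host(text) and _host(text) != _host(href):
            findings.append({"shown": text, "actual": href})
    return findings


def risky_attachments(msg):
    """Return attachment filenames whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            names.append(name)
    return names


def analyze(raw_message):
    """Parse an RFC 822 message string and report both indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"mismatched_links": mismatched_links(html), "risky_attachments": risky_attachments(msg)}


def build_sample():
    """Constructed lure modelled on the article: placeholder hosts, not a real campaign."""
    msg = EmailMessage()
    msg["From"] = "USPS Delivery <delivery@example.invalid>"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Delivery status changed"
    msg.set_content("Your package delivery status has changed.")
    msg.add_alternative(
        "<p>To reschedule, download your shipping label from "
        '<a href="http://shipping-label.example.invalid/label.php">'
        "https://www.usps.com/label</a></p>",
        subtype="html",
    )
    # Minimal bytes that look like an empty zip archive; content is irrelevant to the check.
    msg.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                       subtype="zip", filename="label.zip")
    return msg.as_string()


if __name__ == "__main__":
    print(analyze(build_sample()))
```

The host comparison is deliberately conservative: plain words such as “click here” are never flagged, only anchor text that itself reads as a URL, which is exactly the trick that hovering exposes.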

Phishing scams are designed to steal your information.  Besides email, phishing can also be conducted through phone calls, text messages and social media messages.

Back to the Scam:

In this case, the client fell for the email scam and clicked on the link, rather than first hovering over it.  He immediately realized that he should not have clicked on the link and closed the website without looking at it.  Not knowing whether he had opened a webpage designed to collect his login credentials or whether he had actually installed a malicious virus, he called Big Idea for help.  Our tech restored his system from back-up to its “pre-click” status.  This is a perfect example not only of what not to do, but also of how having a restorable backup can protect your data and your systems.

By the way, we also called the postal service to find out more about the malicious activity of the redirect link.  No one at the postal service, or the postal inspectors, or their technical assistance had more information than to simply tell us “don’t click on the link.”  That certainly is of no help to someone who already clicked on the link!  So let this experience be a lesson to you.  Hover over the link before clicking.  If the link of the site that displays is not the same as the link it says it should be, don’t click on the link!