To Scammers: Please Stop Phishing for Information!

The Waiting Package Scam

So, I’ve been getting a few of these texts recently, how about you?

(Graphic from a recent FTC article)

Notice the name of the carrier (FedEx, UPS, USPS etc.) is missing in this text example along with a tracking number. To find out more, you have to click the link. Don’t do it! This is a PHISHING scam, a form of Identity Theft. In these cases, the scammer tries to make the email, mail, text, telemarketing/customer service call look and sound like the real thing. They’re trying to get you to click on the link they provide, or fall for their practiced script, so you will give them your personal information and/or download malware.

What happens if you click the link provided in a suspect text or email? You’ll likely be directed to a false website to input personal information (name, address, credit card, Social Security Number, etc.). Scammers will then use this information in fraudulent ways, such as opening false accounts (and may also download malware onto your computer/phone). Even if the text has a tracking number and carrier name, do NOT click on the provided link. Go online, find the carrier’s website, and input the tracking number to see if it’s valid. Still unsure? Contact customer service using the contact details on the website you found yourself. Again, do not use any link or telephone number provided in the suspect email or text.

Social Engineering

Now, one of the scammer’s tricks is to personalize the text/email. All the “waiting package” texts I’ve received recently included my real name. Why is it so important to personalize? Fraudsters hope you’ll see your name and think this must be real because they know your name and cellphone number!!! Ha! Not so!!

Cellphone numbers, names, addresses, ages and all kinds of other personal information are out there on the internet and scammers can get the info, or at least parts of it. Just because an email/text/phone call mentions your name or your partial Social Security number, it doesn’t mean the contact is legitimate. The scammer is using social engineering (we touched on this before). Social engineering is where fraudsters take the little info they get elsewhere and by schmoozing, fooling, or scaring you, get you to fill in the gaps of missing information for them. They’ll use various bogus excuses and reasons such as needing to verify their records or they had a computer crash and records were lost or your payment information didn’t go through. It’s all about getting you to buy into their story.

Let’s take emails. How do you know if an email is fake? Below is one way.

Emails with suspect email sender addresses

It seems not a day goes by that my spam filter doesn’t catch at least one email claiming to be from some company saying my account is locked or my info needs updating. They all look something like this:

Looks real, right?

It does look real or real enough. But if you click on the little drop down arrow next to the supposed sender, here, “Netflix”, in the header (the only click you should do in this email), you’ll discover Netflix did NOT send this. See below:

Only click on the dropdown arrow in the header, nowhere else in the email!

This is who is really sending you the email, NOT Netflix! In fact, Netflix isn’t mentioned anywhere in this email address.

Okay, how about this one:

Again, only click on the little drop-down arrow next to the sender’s name, here “verify-address@paypal…”. What do you see?

This is who is really sending the email, not PayPal! Below is a closer look:

Wow! This one even says “invisiblecoder@”. Do you really want to give your personal information to someone with the handle “invisible coder”? I doubt it. Again, there is nothing that shows this email is actually from PayPal.

What if this trick doesn’t work or the email address includes the company name (even in a weird manner)? Still don’t click if you aren’t sure. Go directly to your account at the website address you know (NOT the link in the suspected email) and check. If something is off with your account it will show. Or contact the company’s customer service, again only using the contact information you find independently.
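For readers who want to see the same check done by a program, here is an added example (not from the original article). It compares the brand an email claims to be from with the domain of the address that actually sent it, including the "company name in a weird manner" case. The brand list and every sample header are constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: a small, hand-maintained map of brand -> domains it really sends from.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "paypal": {"paypal.com"},
}

def real_domain(address):
    """Domain part of the actual sender address (text after the last '@')."""
    return address.rpartition("@")[2].lower().rstrip(".")

def belongs_to(domain, allowed):
    """True only for an allowed domain or a true subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def spoofed_brands(from_header):
    """Brands named in the display name or address that the sending domain does not belong to."""
    display, address = parseaddr(from_header)
    domain = real_domain(address)
    shown = f"{display} {address}".lower()
    return sorted(
        brand for brand, allowed in BRAND_DOMAINS.items()
        if brand in shown and not belongs_to(domain, allowed)
    )

# Constructed sample From: headers (not the emails pictured in the article).
SAMPLES = [
    'Netflix <info@mailer.netflix.com>',                          # real subdomain
    'Netflix <support@account-update.example>',                   # name only
    '"verify-address@paypal.com" <notice@bulk-sender.example>',   # address-like name
    'Billing <billing@paypal.com.secure-login.example>',          # brand used as a prefix
    'A Friend <friend@mail.example>',                             # no brand claimed
]

if __name__ == "__main__":
    for header in SAMPLES:
        hits = spoofed_brands(header)
        print("SUSPECT" if hits else "ok     ", header, hits)
```

A clean result only means the name and address agree; it does not prove the email is genuine, so the advice above about going directly to the website still applies.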

Phishing Calls

Phishing telephone calls, landline and cellular, might not be as prevalent now (most are robocalls), but still be aware! Fraudsters could be pretending to be someone from your bank or credit card company, the electric or gas company, a debt collection service, a government agency, or even this one below, which did make the rounds a couple years ago:

Hello (insert your name here)!

We are from the FCC (or a made-up government agency). Your computer seems to be infected with a virus that is causing other servers in your area to run slow. We’ve been able to trace the problem to your computer. We need remote access immediately or you may lose all your data and have your identity stolen.

A real human voice, using your name in a friendly, but urgent, manner might sound very convincing. Yet remember, your name and phone number might be easily obtained from the internet (public voter registration records, paid background investigation services, property search sources, etc.). The message above is really nonsense, but how many of us non-technical folk would know that? Hang up and call the bank or credit card company (or whoever they said they were) at a number you find, not the one they give.

Other Phishing Lures

The old phrase, there are more “fish” in the sea, is unfortunately true with “Phish” too. In fact, the limit of phishing schemes is sadly the limit of the fraudster’s imagination. In reality, any company, charity, business, or service can be the unfortunate tool of scammers. In addition to PayPal and Netflix, here are just a few types of companies/services whose names have been used in fake emails I’ve personally seen or been made aware of:

Big Box Stores such as: Home Depot/Lowe’s/Best Buy

Mailing Services: USPS, UPS, FedEx

Online Shopping: Amazon, eBay, Etsy

Computer: Apple/iCloud, Microsoft

Personal Protection Services: Experian, LifeLock

Banks (numerous)

Online Fundraising companies (GoFundMe, etc.)

Charities (numerous)

Credit Card Companies (various)

Funeral Homes

Wait, funeral homes? Yes, this was hot a few years ago, but there’s no reason it (or something similar) can’t come back. It’s another new low for fraudsters along with charitable fraud. The email would be titled something along the lines of “Funeral Notification” and look like it came from an actual funeral home. In fact, using the name of legitimate funeral homes was key to its success. Below was one that defrauded a Texas funeral home. The owners, of course, had no idea their company was being used this way! The fake email would ask recipients to click on a link for the funeral details (even the name of the deceased). In this case, the scammers’ intent was to download malware on the recipient’s computer.

Original image and article can be seen here.

For more information on the Funeral Home phishing scheme, see this FTC article.

Need more information on Phishing Schemes in general to avoid taking the bait and getting hooked? Check out another article by the friendly folks at the FTC.

Stay safe out there!

Next Time on Fraud: Deter, Detect, Defend – Online Shopping Scams

