In times of the Coronavirus Pandemic, when people are too apprehensive of walking to the local stores and malls, the internet and online shopping come as a relief to shoppers. Almost every day, package tracking, order confirmation, or cancellation messages from FedEx, Amazon, UPS, DHL, and other organizations pop up in the inbox. Hence, receiving fake package delivery messages look neither unusual nor suspicious.

But alarm bells should ring when there is an email, text, or call requiring ‘urgent’ identity verification for package delivery. Malicious actors take advantage of people’s dependence and faith in online shopping applications to launch identity theft, banking fraud, and other phishing or malware attacks. The Federal Trade Commission (FTC) also brings to light the significant increase in such fake package delivery scams.


What Does A Package Delivery Phishing Scam Look Like?

Some package delivery phishing emails or text messages reported in COVID times come with the delivery partner’s logos or shopping site, which naturally increases credibility. Some other emails ironically include warnings to be aware of phishing scams, which serve the purpose of winning the victim’s trust.

Most emails or messages come embedded with malicious links that either download spyware, ransomware, or lead the victim to a counterfeit Login or Customer Care page of the website (say, Amazon). Any unsuspecting user would believe these messages to be real and furnish personal information to ‘verify’ their identity for the so-called package delivery. Phishing examples of such delivery frauds during Black Friday sales are all over the internet, but such scams have significantly increased in COVID times.


What Do Malicious Actors Want?

Through these phishing tools and schemes, malicious actors hope to exfiltrate Personally Identifiable Information (PII) of users such as their names, addresses, credit or debit card numbers, bank account details, email addresses, social security numbers, etc. Such PII data fetch a reasonable sum on the dark web markets. They can also use the credentials for targeted phishing attacks, identity theft, bank fraud, etc.


How to Avoid Fake Package Delivery-Themed Phishing Attacks?

The shift from shopping at brick-and-mortar stores and malls to online shopping is one of the many changes brought in by the Coronavirus Pandemic. Using online delivery apps is no longer a choice. Like all other industries such as healthcare, education, and banking that are enduring more cyber-attacks in COVID times than earlier, the online shopping portals and applications are also becoming targets of various phishing campaigns.

Malicious actors exploit the current world crisis using fear as a tool to launch phishing, ransomware, and other cyberattacks. The package delivery-themed cyber-attacks are a byproduct of this sudden shift from offline to online shopping, and here is what a user can do about it:

  • Avoid clicking on links or documents embedded in emails or texts: A standard anti-phishing tip to follow not just for package delivery related scams, but all phishing scams, in general, is to refrain from clicking on links embedded in emails or texts. The documents attached in such emails often download malware and other viruses onto victims’ devices to extract sensitive credentials. The links in such phishing emails can redirect the user to a fake landing page to steal such information. 
  • Verify the sender’s email address: Checking whether an email address is legitimate is one of the first steps required if an email looks suspicious. Several email verification services are available online to help identify spam emails if hovering over the email address doesn’t work to verify the sender’s identity. When online vendors set up their Sender Policy Framework (SPF) records diligently, the clients are relieved from the arduous task of dealing with phishing emails.
  • Cross-check with the online shopping website or app before trusting an email: When a delivery-themed email or text makes it to the inbox, always verify the message’s authenticity by manually going to the vendor’s website and tracking the parcel. In some cases, the user anticipates several packages simultaneously from different vendors. In such a case, a delivery message might seem credible, but verification is a must for security.
  • Know that delivery of goods happens without identity verification: Shopping websites usually do not ask a user to verify their identity for goods ordered, nor do they cancel the order based on the condition. Receiving such an email should be a red alert in such phishing scams.
  • Not all ‘emergencies’ are true: Package delivery emails that need the user to urgently verify their identity by clicking on an embedded link or pressing ‘1’ are to be viewed with suspicion. Malicious actors have been using such fake emergencies to make victims panic and lose their rationality, and somehow the trick has often worked. The word ‘urgent’ should ring a bell, and the user must think before clicking anything!
  • Look for grammatical errors: A helpful way of spotting phishing emails is looking for grammatical mistakes. Though it might seem ineffective, scrutiny of email contents has saved many people from giving out their personal information to threat actors. The spelling and grammatical errors in emails are often deliberately inserted to evade the keyword-oriented spam filters.
  • Caution when there is no delivery anticipated: Before making it to the end of the email subject, one should try to recall if one expects a delivery. Users often skip the reasoning process.  Believing in the contents of an email or the claims of a ‘delivery agent’ on the phone saying, “The package is a gift from one of your friends,” happens more spontaneously than waiting and rethinking whether such a situation is plausible.

Phishing continues to be the most effective form of cyberattack, and COVID 19 has been making things worse for the cyber world. Online shoppers must note the many delivery scams and adopt the above-listed phishing prevention measures for better security from fake package delivery messages.