How This USPS Phishing Text Scam Is Really Sneaky but Detectable

9 Min Read | March 7, 2024

Super Sneaky Smishing Scam
By Ryan Sullivan

The other morning, while lying in my bed and hitting the snooze button for the third time, I did what we all do and grabbed my phone.  To my surprise, I had received a deceptive text claiming to be from USPS, stating that my package was damaged, the address information was lost and my package couldn’t be delivered.  Sarcastically, I muttered to myself, “Oh no!  What am I to do?”

USPS Smishing Text

This appeared to be a classic smishing scheme.  Smishing (SMS + Phishing) is a scam where someone tries to trick the victim into giving away personal and financial information by impersonating a person or company.  This could be used to steal login credentials, credit card numbers, social security numbers and other sensitive information.  In some cases, it may lead to activating a virus or malware on our device that could steal sensitive information.

This is why I never click on links that I don’t trust.  Always practice Stop, Think, and then Click.

Thankfully, I’m pretty skeptical of all texts and emails these days because phishing and scamming have become so prolific that it’s hard to trust even legitimate communications.  However, some key observations stood out to me in reviewing this text message.

#1: I wasn’t expecting a package

This was the biggest red flag for me.  Fortunately, I wasn’t expecting a package so I had no sense of urgency or concern regarding the matter.

However, if I were expecting a package, like an expensive electronic gadget, I would be concerned about receiving my package in a timely manner.  In this case, the language that the scammer used, “Please be sure to update the delivery address information in the link within 12 hours”, would have created a real sense of urgency for me to act.

Urgency is a common tactic that scammers use to get us to act without thinking.  They first invoke emotion with fear, such as “oh no, my package isn’t going to arrive”, and then amplify it with the thought “oh no, I only have 12 hours to act, otherwise I won’t get my package”.

#2: USPS will not initiate contact via email or text message

According to the United States Postal Inspection Service (USPIS):

“The Postal Service offers free tools to track specific packages, but customers are required to either register online, or initiate a text message, and provide a tracking number. USPS does not charge for these services! USPS will not send customers text messages or e-mails without a customer first requesting the service with a tracking number, and it will NOT contain a link. So, if you did not initiate the tracking request for a specific package directly from USPS and it contains a link: don’t click the link!”

#3: The text message link is not from the official usps.com website

As we established in #2, USPS will not send a link, but we’re going through our investigative steps here.

The link contained “usps” as a subdomain, which is not the official USPS domain, indicating a scam.  The scammers were hoping that I would gloss over the fact that they were attempting to send me to a different domain that they, the attackers, control.

For a URL to the USPS website, we’d expect the text right before .com to be “usps”.  USPS’s domain name is “usps.com”.

Subdomain spoofing uses familiar words (e.g. “usps”) as a subdomain to trick users into clicking on a link to a website that the attacker controls.

Example:

https://usps.attacker123.com is owned and controlled by attacker123.com, not USPS.

Subdomain Spoofing Example

#4: The text message was from a phone number

According to the USPIS:

“USPS utilizes the 5-digit short codes to send and receive SMS to and from mobile phones.”

The presence of a short code isn’t a foolproof way to distinguish smishing texts from legitimate texts, but it’s a helpful piece of information.  Because we know that USPS uses the 5-digit SMS short codes, we know that we can dismiss any text message claiming to be USPS that uses a regular phone number.  It automatically becomes a red flag.

Again, it’s worth noting that according to USPIS:

“USPS will not send customers text messages or e-mails without a customer first requesting the service with a tracking number, and it will NOT contain a link”.
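
The checks from #2 through #4 can be expressed as a small triage function. This is an added example, not part of the original article: the sample message, the sender numbers and the urgency pattern are constructed, and `attacker123.com` is the article's own placeholder domain.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "usps.com"  # the domain named in the article
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Constructed urgency pattern; extend it with wording seen in real samples.
URGENCY_RE = re.compile(r"within \d+ hours?|immediately|urgent", re.IGNORECASE)

def host_of(url):
    """Host the browser would actually connect to (ignores user@ and :port)."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL: treat as having no trusted host
        return ""

def on_official_domain(url, official=OFFICIAL_DOMAIN):
    """True only if the host is usps.com itself or ends in '.usps.com'.

    Comparing the END of the host is what defeats subdomain spoofing:
    'usps.attacker123.com' merely starts with 'usps'.
    """
    host = host_of(url)
    return host == official or host.endswith("." + official)

def red_flags(sender, body):
    """Return the red flags from sections #2-#4 that apply to one SMS."""
    flags = []
    if not re.fullmatch(r"\d{5}", sender.strip()):
        flags.append("sender is not a 5-digit short code")
    urls = URL_RE.findall(body)
    if urls:  # per USPIS, a genuine USPS text will not contain a link
        flags.append("message contains a link")
    for url in urls:
        if not on_official_domain(url):
            flags.append(f"link host is not on {OFFICIAL_DOMAIN}: {host_of(url)}")
    if URGENCY_RE.search(body):
        flags.append("urgency wording")
    return flags

# Constructed sample modelled on the text described in this article.
SAMPLE_SENDER = "+1 (555) 010-0199"
SAMPLE_BODY = ("USPS: your package was damaged and the address information was "
               "lost. Please be sure to update the delivery address information "
               "in the link within 12 hours: https://usps.attacker123.com/update")

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_SENDER, SAMPLE_BODY):
        print("RED FLAG:", flag)
```

An empty result does not prove a message is genuine; it only means none of these particular checks fired.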

What might happen if I visit the link?

Well, I somewhat screwed up here.  My plan was to visit the link in a sandboxed environment to safely share what the scammers have in place.  However, I let this task sit in my backlog for too long and the site is no longer active.  Which overall is a good thing.

Hypothetically, let me share what I think we’d see.  I think we’d very likely see a website that gives us the impression that we landed at the official USPS website.  From here, it could go a few different ways.

Scenario 1: Account Takeover Attack

By impersonating the official website, they might try to trick me into logging into a fake login form.  This would allow them to steal my login credentials and allow the scammer (now hacker) to be able to take over my account.

Scenario 2: Stolen Sensitive Personal Information from a Phishing Attack

Remember, in this scam they told me I had 12 hours to update my delivery address to retrieve the damaged package.  Because of this, I’d expect at a minimum that the scammers would have a form that collects personal information.  It would also likely include sensitive personal information that they could use to steal my identity in other attacks.

Scenario 3: Stolen Financial Information from a Phishing Attack

They might ask for credit card or bank account information to perform “processing” in the recovery of my package.  Remember, in this hypothetical scenario, the scammer’s page is impersonating the USPS website, which is an organization that I and most of us would generally trust with payment information.

I’d expect a payment request scam to be combined with Scenario 2 in the collection of personal information.

Scenario 4: Virus or Malware Attack

There could be something on the page that triggers the installation of viruses or malware, which could further steal information from the device that I’m using.

What I’d Do If I Fell For Any Of These Scam Scenarios

Note, there may be other scam scenarios that I haven’t covered or thought about at the moment.

How I’d Handle an Account Takeover Attack

If I were to give up my credentials through a malicious login form and realize it in a timely manner, I’d immediately change the login credentials and enable two-factor authentication.  Hopefully, in this case, I’d be able to beat the hackers before they take over my account.  If they do take over the account, then I’m at the mercy of the service (hypothetically USPS) to help me recover my account.

Because I don’t reuse passwords, my exposure should be limited to the account that has been taken over.  However, if I were reusing passwords, I’d need to immediately change the passwords for those accounts with reused passwords so they don’t also get hacked as a result of this phishing attack.

How I’d Handle Stolen Personal Information from a Phishing Attack

If I were to give up my sensitive personal information, then I’d be in a position where I need to play a little defense.  I personally use Credit Karma to monitor my credit accounts, so I’d pay close attention to any changes there.  Additionally, I’d consider freezing my accounts at the credit reporting agencies (Equifax, Experian and TransUnion).

Note that free annual credit reports are available from each of the three credit reporting agencies. However, if I knowingly gave my personal information to a scammer, I’d want to keep closer tabs on my credit to make sure financial accounts are not opened in my name.

Additionally, I’d keep a close eye on all of my accounts for any strange activity that may be a result of this hack.

How I’d Handle Stolen Financial Information from a Phishing Attack

If I were to give up financial information, then I’d immediately call my bank or credit card company and freeze those accounts.  If it’s a credit card, it’s likely a little easier to cancel and get a replacement card.

Freezing a bank account or debit card might be a little more impactful to my daily life, but I’ve got to prevent the criminals from taking my money.  I imagine banks are very used to dealing with fraudulent and unauthorized transactions so they should be able to guide me through the appropriate steps in this process.

How I’d Handle a Virus or Malware Attack

If I realize that I have visited a malicious website, I am at a minimum running a virus or malware scan on that computer or device.  Before doing so, I’m going to make sure that the anti-virus software has the latest updates.

In specific situations where I believe the attack is more severe, I might take the additional step of completely wiping my hard drive, reformatting and reinstalling everything from scratch.  This is a little more extreme and before doing so, it might be a good idea to consult a computer repair specialist.

Closing Thoughts

Hopefully, the awareness of these deceptive USPS smishing (SMS + phishing) schemes and my rambling hypotheticals & investigation tactics will empower you to identify and feel confident in tackling these attacks.  If it’s too late and you have been scammed, the FTC has a great resource called What To Do if You Were Scammed.

If interested in being more proactive in your approach to your online security, then check out our Free More Secure in 5 Challenge.  In just 5 days we’ll help you set up some foundational security practices to help protect you and your accounts.
