USPS text scams is a type of phishing attack that, as its name implies, mimics the notifications from United States Postal Service (USPS). Fraudsters compose the text to look like a legitimate notification about the problems with the incoming delivery. At a certain point of this text, they add a phishing link that one should follow to resolve the said problems, and start mass-sending the message.
These messages in fact repeat the worldwide wave of scam SMS, related to postal services and deliveries. Fraudsters apparently try to capitalize on folks’ temptation to get the ordered goods as soon as possible, and apply all the possible social engineering tricks to make the user share their information or even pay the money. Recently, there was a similar scam going on in India with their India Post service.
What are USPS Scam Text Messages?
USPS scam text messages are phishing SMS messages that pretend to be the official notification from the Postal Service. The message typically says about certain troubles with delivering a parcel to your address. Then, it offers the user to follow the added link and resolve the problem. Depending on the “generation” of the scam message, they may say about incomplete address information, unpaid taxes, or similar minor issues.
Examples of USPS Scam SMS Messages
Potential Risks
Following the link will throw the user at a phishing website that will try replicating the original USPS website. These copies are typically not of the highest quality, with the best looking elements being logos and menu styles. This is especially visible if you try going an extra mile and clicking through other menus of the site. However, for someone who does not visit the page very often, it may look rather convincing, and they will happily proceed with what the message says.
Here is when the key part of the scam rolls out. Regardless of the reasoning mentioned in the text message, the site will always contain a large form for personal information. Name, surname, detailed address, postal code, email address, phone number – site asks for all this, further transferring the result to the hackers. In certain cases, there may also be a payment form – it happens in particular with the messages that say about an unpaid tax or delivery fee. Any card info that gets into that form will get to the fraudsters as well.
The risks of such data stealing are in-the-face. Cybercriminals can use one’s data to perform identity theft, or impersonation attacks that put the guilt on an impersonated user. Alternatively, they sell this data on the Darknet or other places, where more adversaries can use it in their attacks.
And that is it – the scheme is not at all complicated, and is rather simple to replicate by other con actors. That is, exactly, one of the reasons why it has become so popular and widespread: frauds from different corners of the globe change USPS to their local postal service, alter the site to look correspondingly, and just send it.
Signs of USPS Scam Text
There are quite a few red flags in the message, despite it being short and indistinct compared to similar scam emails. Still, the main issue with all this is that USPS never contacts its customers through SMS messages. Its typical reachout channels are phone calls and, in certain cases, emails. And for all these communications they use their own addresses and numbers, that are well visible over the rest. That is in fact the point of the sign of this scam.
Usage of a random number or email address
Obviously, cybercriminals cannot get hold of the genuine profiles of USPS, and are thus forced to improvise. To operate the campaign at the lowest cost possible, they register iCloud accounts using third-party email services, and use it exclusively for sending out messages. And what the user ends up seeing is a strange, utterly generic email address as the only piece of info about the sender. Does not feel quite proper, does it?
In the cases of this spam sent to Android phones, the trick is a tad bit more expensive, though not much. A sole number may be used to spam thousands, if not tens of thousands of people, before the cell operator will shut it down. The object of suspicion is the same: just a random number that says nothing about the sender. Even when USPS sends out certain messages by SMS, they use an option to display the brand name that cell operators provide for companies.
Questionable URL
Another point that gives out this scam immediately is the URL of the website where the victim should be able to solve the issue. In certain cases, frauds can pick a somewhat believable naming, like usps-packages-issue[.]com. Though the majority of time, it is something screaming of a scam like “www-uspost[.]com” or “usps.packages[.]oeidus[.]com”. Under any circumstances, seeing such a link should raise suspicions for you, and its presence in any kind of message is a definite scam sign.
No package/delivery information in message body
Despite the differences in the text of the scam SMS, one thing that goes across all of them is absence of any details regarding the alleged package. No tracking number, no “unconfirmed address”, not even a mention of the package sender, that may help the user to understand what this is all about. And there is no reason for the genuine USPS to hide this data from SMS or emails. They have access to it and are allowed to use it to a certain extent in mailing.
The use of generic information and facts is a great indicator of an impersonation attack. That is, eventually, a weak spot of such attacks: frauds cannot know all the details, and thus stick to non-personalized info.
How to protect against USPS scams?
That’s not much you can do proactively against such a scam. Fraudsters use publicly-available databases of emails to send their spam messages. At the same time, they do not target their messages at all, meaning that your attention is what will eventually make this scam unsuccessful. Keep an eye on red flags that I’ve told about above, and check all the questionable links with Online URL scanner.
What happens if i gave out my information like address and phone number but not credit card info?
Hello, Leslie!
Even having your address/personal number or similar “less critical” personal information, threat actors can impersonate you. Alternatively, you may start receiving numerous spam SMS. They will not be targeted, as crooks who phish such data usually sell it off in bundles to other rascals, but still unpleasant and annoying. And the more data crooks have – the higher are chances to receive a very convincing phishing mail, which will be extremely hard to distinguish from a legit one.
What happens if I did involve my credit card info but the purchase did not go through
There could be 2 different cases with different results.
When hackers offer you to pay for a fabricated invoice and send you a link to a legit payment system (e.g. PayPal) which contains invoice, only your money are at risk. In this case, crooks just try to make you pay for a thing you should not to. Once such a payment has failed, you are not losing anything. But I’d recommend you to block the sender and delete the message anyways.
The other situation involves a fake payment system page. It is relatively easy to make a copy of a legit payment system, and then make the victim visiting it “to pay off the bill”. Same as in the first case, bill is non-existent, but this time hackers also put their hands on your credit card info. As this copy is made and maintained by hackers, there’s no problem for them to extract what did you type in the fields on the site. If that is the case, you should reach your bank and ask to block and re-issue the card, so the info hackers have collected through such a phishing will be useless.