Fake package delivery text messages are the fastest growing phishing scam this holiday season. Here’s how to avoid them
- Fake text message alerts claim to come from a legitimate messenger service
- URL requests personal or financial information to arrange redelivery
- If you have any doubts, please go to the official website and enter your tracking number
A new study has uncovered the fastest-growing scam you’ve probably already received this month: a fake package delivery alert sent by text message.
According to research published by NatWesta British bank, fake delivery alerts are the fastest growing scam of 2024. The research combines industry data with feedback from a survey of 2,000 British adults.
These messages, delivered to your mobile phone by SMS, claim to be from a courier service. They indicate that a package has been attempted to be delivered and needs to be rescheduled. They then ask the recipient to click on a link.
This malicious URL leads to a phishing website that looks legitimate. Personal information is requested and usually a fee is charged to arrange the fictitious redelivery. If users enter their details here, including login details or credit card details, cyber criminals can use them for fraudulent purposes, including purchases.
Companies that are often imitated in the examples we’ve seen include FedEx, DHL, and UPS. Since it’s common to receive genuine redelivery alerts via text message, it’s easy to be fooled by a seemingly convincing message. It is also easier to fake an SMS alert because it contains fewer words and no logo.
The scheme uses tactics common to most phishing scams. The message creates a sense of urgency, as most people want to respond to a missed package and arrange a new delivery as quickly as possible. They may also receive and read the text message when they are away from home and distracted, meaning they are not paying enough attention to whether it is legitimate.
The scam is especially effective this time of year, as many people expect real deliveries before the holidays. The scam also relies on emotional manipulation: many of these packages contain gifts for loved ones, so people will be especially keen to ensure they are delivered safely.
As a result, recipients of the text message can act quickly to resolve the apparent problem. This can cause them to miss inconsistencies in the message, such as the lack of a tracking number.
How to stay safe
As with any text message or email you receive claiming to be from a real company, the most important step is to pause and think before clicking a link. Be alert for signs of phishing, especially urgent requests for personal or financial information.
Stuart Skinner, a fraud expert from NatWest, advises people: “Think about it: would a real delivery company ask you to follow a link and make a payment?”
This statement from FedEx reflects the position of most courier services: “FedEx does not solicit, via unsolicited mail, email, or text message, any personal information relating to your account information or identity.”
After you’ve given it some thought, consider the details in the message and ask yourself a few questions. Are you expecting a delivery? If so, which company provides this delivery? You should have received a confirmation when you placed your order detailing the courier service and tracking number. If these do not match, you have received a fake message.
Also look for grammatical errors in the message, as well as misspelled website addresses or variations of real URLs. If you are unsure about a link, do not click on it. Instead, go directly to the courier service’s official website and enter your tracking number. This ensures you see real information about your package, including whether any action is needed.
Most couriers provide advice on how to avoid false delivery scams. For example, DHL states: “If you do not recognize the sender and do not expect the email or text message, there is a chance that you are phishing.”
The United States Postal Inspection Service reiterates this advice: “If you suspect the text message you received is suspicious but are expecting a package, do not click on any links. Rather, report it and visit USPS.com from your mobile device or computer for tracking and additional resources.
UPS has a similar recommendation: “If you are unsure of the validity of any text, do not click or select links or open attachments, as they may contain a virus.”