Scam Corner: Watch Out For Smishing This Holiday Season

If you’ve recently received a text message from the post office saying there was a problem with package delivery and to click a link to fix it, you’ve been a target of Smishing. For years, I’ve received these type messages in my spam email. They are called Phishing in email. The name Smishing comes from the fact that they are Phishing over SMS (text) or “SMishing”.

What Is Smishing?

Generally, these are text messages from a delivery company such USPS, UPS, Amazon, or FedEx. The message will indicate an issue with a package being delivered and will have a link to click on, or request a reply. The message may often be an email to text sent to your phone so that you cannot reply to it.

In any case, the common characteristics are going to be a link to click on to fix the issue and an urgency to respond quickly.

What happens if you click on the link?

Image capture of fake website page on phone courtesy of an anonymous victimYou’ll be taken to a website that probably looks very much like the real thing, but the URL (the website name) will be slightly off. It might be usps.SomeOtherSite dot com or www.usps-respond dot com or some other variation but it won’t be the actual www.usps.com website. In fact, the website may even have elements of the actual website such as text at the bottom of the page that has links to the actual website. In an example sent to me, the fake website even used the same colors and graphics used on the real website (see image).

The purpose is to make it look convincing enough that you think you are on the real website and will type in personal information such as social security number, a credit card number, or bank account information. In the example sent to me, the website wanted credit card information in order to “release the package.”

What Do The Delivery Companies Have To Say?

Many of the major delivery companies have advice on their website to keep from becoming a victim of these Smishing scams.

Tips from FedEx
FedEx states on its website that the company does not request any personal information or account credentials from consumers via email, mail, or text. FedEx offers these tips:

Do not engage with the sender who sent the suspicious email, and watch out for misspellings in the website or email addresses, like fedx.com or fed-ex.com and general grammatical errors, exclamation points and excessive capitalizations in the message.
Keep the latest versions of their FedEx Mobile App and report fraud at abuse@fedex.com, 1-800-GoFedEx or 1-800-463-3339.

Tips from UPS
UPS offers up advice on how to deal with various scam scenarios on their website, and also recommends staying alert where messages are like to come from when being contacted by the company.

Phone calls will come from 1-833-242-1931.
Texts will come from 94601, 69877, 48515 or 52892.
Emails will come from the following email addresses: accountconfirm@ups.com, mcinfo@ups.com, pkginfo@ups.com, customer-notifications@ups.com, auto-notify@ups.com, emailinfo@ups.com, invoice-notification@ups.com, donotreply@ups.com, ups@emails.ups.com, ups@upsemail.com UPSAdministrationSupport@ups.com, or no.reply@upsbilling.ups.com.
Report fraudulent emails or texts at fraud@ups.com.

Tips from USPS
USPS recommends that consumers never click the link in the suspicious email or texts, and take the following steps to ensure their personal information is kept safe:

Copy the body of the suspicious text message without clicking the link and report it to spam@uspis.gov.
In the email, also provide your name, screenshot of the text message showing the phone number of the sender and the date sent.
Include relevant details in your email, like if you clicked the link, lost money, provided any personal information, or if your credit was impacted.
You can also use USPS Text Tracking, to monitor packages by texting 2USPS (28777) with your tracking number.

Tips from Amazon
Amazon recommends shoppers stay aware of their orders and stay aware of their order history so they don’t fall for this scam. Also, be on the lookout in case the text message or email they received is legitimate.

Summary

The next time you receive and SMS that appears to come from a delivery company, the first thing you should do is suspect it as fraud. Instead of clicking on a link in the message, go to the delivery company’s website yourself and if there is a tracking number, type that in and see if it indeed is a package coming to you or even if the tracking number exists at all! As a daily money manager, I’m always available to review SMS messages for my clients if they are concerned whether a message is real or not.

The important rule is to do not click on any link coming in as an SMS unless you are absolutely sure that it is coming from a legitimate company. Since these often use 5-digit codes for the sender, that can be very difficult to ascertain. Most legitimate companies will not send links in text messages but will send enough text to define the issue (or status) and give a tracking number that you can look up on their website directly.

Want more of this?

This is one of three articles we sent to our subscribers this month. If you subscribe to our newsletter you’ll get additional content not found in our blog. Plus, the newsletter will be delivered to your inbox automatically. Subscribe Now