Have you ever received items by courier from people overseas?
If so, you’ll know that sometimes – notably in the case of gifts, where the other person hasn’t told you what they’re sending – the courier company doesn’t deliver the item directly.
Sometimes you get an email saying that the item is delayed because the authorities want to inspect it; or there’s import duty; or there’s a supplementary delivery charge if you can’t collect it from the depot yourself.
And to help you get through the paperwork easily, there’s often a tracking code and a clickable link in the email.
You can see where this is going…
…because cybercooks love to copy real life, on the grounds that it’s easier to lull you into a false sense of security when you’re following a process that feels familiar.
Like this email that a Naked Security reader received this weekend:
A free MacBook Pro for just $1!
(Ironically, you could argue that this phish might work better if the “free gift” were a bit less valuable that a MacBook Pro laptop, and if the delivery fee were a bit higher than $1, because the value and the charge don’t quite seem to go together very well – but that’s a detail we shan’t investigate any further here.)
As we mentioned above, scams like this aren’t miles away from real life, because emails from courier companies that document unexpected import and delivery charges are not unusual.
As for gifts, well, they’re not unusual during the Christmas holiday season, either – and, being gifts, they’re often a surprise that you don’t find about until either you or customs officals open the package.
If you click though, you’ll see a landing page, in this case tailored to the same country as the recipient’s email address, which ended in
Next, the crooks tell you that they have “found” your item from its “barcode”:
And then the crooks advise you that the item has arrived in your country, but is stuck at the depot, pending payment of a delivery fee:
If you fall for the scam and click through, you’ll see some realistic-looking pages that take you to a fake pay page.
We entered bogus data here for the screenshot:
(All the sites used by the crooks have been hacked or setup for the purpose of the scam, so they all have HTTPS certificates and show a padlock in the address bar – but the server name is unlike any courier company you’ve ever heard of.)
The crooks then present a plausible conclusion for the fake transaction by simply claiming that it didn’t go through:
As you can see, the crooks are still phishing for more, even at the end, brazenly suggesting that you try another credit card and thus giving them two-for-the-price-of-one.
Of course, if you get this far you’ve just handed over your card details to the crooks, including the CVV (security short code) from the back of your card that no legitimate merchant would store.
What to do?
- Beware free gifts. Seriously, there is no free iPhone, no free iPad, and definitely no free MacBook. Even if the link just takes you to a survey rather than to a full-on phish like here, don’t give out personal data to people you’ve never heard of.
- Beware courier emails. When sending or receiving items by courier, try to get in contact with the recipient or sender without using email – perhaps make a phone call in advance – to advise them of the courier company you’re using and to provide a tracking number you can both trust.
- Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate.
- Avoid links in emails. If you know you’ll be dealing with courier company X, find out the right website to use in advance, and go there yourself. Don’t rely on links emailed to you, because those links say whatever the sender wants.
- Report compromised cards immediately. If you get as far entering any banking data into a “pay page” and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
PS. Don’t forget that just typing data into a web form exposes it to crooks because they can “keylog” what you type into a webpage even if you never press the