Another day of lockdown…
…another “package delivery notification” scam.
Here’s another reminder to think before you click, even if it adds a few seconds to your day to review what the offending email is asking you to do.
We’d like to think that you’d easily spot that this one is bogus – we’ll explain why in the article – but we can equally well see why it might seem harmless enough to click through.
Many scams of this sort that we’ve written about before rely on squeezing you to act, luring you to click, or a bit of both.
For example, delivery scams often entice you by telling you what cool “item” is on its way, such as a mobile phone that someone is sending you as a gift.
At the same time, they pressurise you to act quickly by warning you that delivery will be delayed or even cancelled if you don’t pay a necessary fee to release the article from storage.
To avoid sounding greedy, and to imply that they’re not fraudsters, the amount to pay is often very modest, such as $1, which doesn’t sound like the sort of money a scammer would ask for if they were in it for the cash.
That’s because they aren’t in it for the money up front – indeed, they never intend to bill you at all, because it’s your personal data that they’re after instead.
This time, the crooks are following a much more relaxed formula that doesn’t say much more than, “Hey, here’s how to track your delivery,” which is the sort of message you might reasonably expect when you order something, or when someone orders something for you:
Incoming Package Notification!
This it to notify you that you have an incoming shipment registered in your email [REDACTED]. Please follow the URL below to track your shipment.
And that’s all there is to the email.
OK, so the exclamation point after the word “Notification” probably wouldn’t be there in a genuine notification – it’s a notification, after all, not a warning or an alert.
More importantly, however, hovering over the link would show you a website name you’ve never heard of (this scam used a hacked webserver belonging to a construction company in Bahrain, as it happens).
If you click through just to see what this is all about, you’ll see a similarly simple web page:
As unexceptionable and as unscammy as the page itself looks, the address bar is a fortunate giveaway that this is a scam.
The URL (which we’ve masked out here) wasn’t on a lookalike or soundalike domain name, so it looked completely different to any website you might expect for a DHL server.
Also, there’s no padlock, because the URL started with http:// (insecure) rather than https:// (session encrypted).
Ironically, the web service used by the company whose website was hacked did support HTTPS, and the site had a valid HTTPS certificate, but the crooks neglected to take advantage of the encrypted connection.
As we’ve said before, the presence of an HTTPS certificate doesn’t mean you can trust the site and its content, just that your connection can’t easily be snooped on.
But the absence of an HTTPS certificate on legitimate sites is so unusual these days that you should take it as an immediate warning sign that all is not well.
Of course, if you don’t spot the warning signs and you do put in your password, the data doesn’t go to DHL but straight to the crooks, who are likely to try out your password not only on your real DHL account but on any other account they can think of that you might have. (That’s why you never use the same password on more than one site!)
What to do?
- Don’t be fooled just because you’re expecting a delivery. The crooks don’t have to know you are waiting for a delivery to get the timing right. Especially during the coronavirus pandemic, they can simply assume you are and they’ll be right for a lot of people a lot of the time.
- Treat delivery messages as notifications only and ignore the links. It’s a bit more hassle, but avoid clicking on links at all in messages like these. When you order items online, make a note of the right website to use for tracking the item, and go there yourself if there is any problem reported with delivery.
- Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate. Consider going to your laptop if you can, and checking out the link from there. It’s worth the extra trouble because the address bar is bigger and tells you more.
- Use a third-party security product on your phone. Sophos Intercept X for Mobile adds to the built-in protection in your phone because it helps to keep you away from risky websites to start with.
- Change passwords at once that you put into sites you later realised were bogus. The sooner you change your current password, the less time the crooks have to try and use it. If you get as far as a “pay page” where you enter payment card data and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
In this line, “As unexpectionable and as unscammy as the page itself looks”, I think you meant to type “unexceptionable.”
That’s a complicated word to spell given its meaning. Thanks, fixing now!
“… hovering over the link wouldn’t show you a website name you’ve never heard of …”
Surely you mean it *would* show you a website you’d never heard of?
Or that it wouldn’t show you a website you’d *ever* heard of?
Double-negatives aren’t not hard to get right. 🙂
Fixed, thanks.
I am fed up getting these stupid emails popping up. How can I stop them? There are so many. Help.
Click on the name/department of the person that sent you the mail and it won’t relate to dhl or any other delivery company. Here’s one from one of the 250 Spam delivery messages currently sitting in my junk mail [REDACTED].
What do I do if I clicked on the link before realizing it was a bogus email?
Dear customer.
Your package will be returned to the sender.
You have exceeded the delivery time.
For the return of your package.
Confirm your postal address correctly:
View Document in attached file.
Regards,
Helen Simmons
Customer Care
DHL International GmbH. All rights reserved.
As long as you didn’t enter any personal information (e.g. credit card details) you should be fine. If you did tell the crooks your card number, call your bank right away and get your card cancelled and a new one issued, and keep your eye on your statements!
My emails are being sent with “DHL Customer Support” in my To: line. What is this? And how do I remove it? I have nothing to do with DHL so I am perplexed. Has my account been hacked?
I have entered my credit card number and sent it too, but it showed this message: “The transfer is declined”. Then after 2-3 days I realised that the website was a scam. What do I do?
The money is still the same in my credit card… does it mean that I’m not hacked ??
If you entered your card data and submitted the fake form then you can assume that the crooks *do* have as much of your card data as you typed in. Even if that is just long number plus expiry date, your account is at risk. If you entered the short code printed on the back as well, you can consider that to be serious risk.
If I were you I would report the incident to your card provider as soon as you can and get another card.
1. Normally notices are addressed to you personally by name, not with a general “Dear Customer” or the like.
2. Be sure to scroll to the end of the message. My newest was full of blank spaces – before an original message to a French stranger ([REDACTED] in Nambsheim, order from July 2019, Paiement Paypal) – became visible far below the first visible page.
3. Before clicking any link in the message, I “reply” to the mail (without really replying!), then change to “text only”. So I can see the real link addresses, leading elsewhere … My latest wants to send me to “[REDACTED BUT DEFINITELY NOT THE RIGHT SITE].com”.
4. If you get frequent spams with the same subject, add a “rule” for your inbox to move these messages into a separate (sub)folder like “rejected-spam” and delete them some time later.
Your package [REDACTED] is waiting for delivery.We recommend you take the time to read our Terms and Conditions. Thangjfgjgfjfjggggfjfgjfjfjfjg67686786k you for cdcdcddvdvyour valued tom
Please confirm the payment of the shipping cost (2.99) to ship the package to your home.
You can follow its route by clicking below:. Maybe try a search?your valued custo
Tracking the package
Best regards
Accessibility 2021 @ DHI International . All rights reserved.
Thanks,
Note all those weird extra characters that showed up when you did copy-and-paste… in the email as viewed they were probably set up via HTML tags to be tiny or in an invisible colour, making it easy for the crooks to make each email very slightly different (this can confuse basic spam scanners).
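As an added example (not part of the article or of any comment above), here is a small Python checker for the three signs discussed on this page: a plain http:// link, a link host that is not the courier’s own domain, and text hidden with HTML styling like the noise in the pasted message above. The sample message, the host name hacked-site.example and the courier domain passed in are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Inline styles that hide text from the reader while a spam filter still "sees" it.
HIDDEN_HINTS = ("display:none", "font-size:0", "visibility:hidden", "opacity:0")


class MailScanner(HTMLParser):
    """Collects every link target and any text that sits inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.hidden_text = [], []
        self._stack = []   # (tag, is_hidden) for each element that is currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        self._stack.append((tag, any(h in style for h in HIDDEN_HINTS)))
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])

    def handle_endtag(self, tag):
        while self._stack and self._stack.pop()[0] != tag:   # unwind to the matching open tag
            pass

    def handle_data(self, data):
        if data.strip() and any(hidden for _, hidden in self._stack):
            self.hidden_text.append(data.strip())


def assess(html, courier_domain):
    """Return the warning signs found in a message body; an empty list means none were found."""
    scanner = MailScanner()
    scanner.feed(html)
    warnings = []
    for href in scanner.hrefs:
        u = urlparse(href)
        host = (u.hostname or "").lower()
        if u.scheme == "http":   # no padlock: the giveaway the article describes
            warnings.append(f"plain http:// link: {href}")
        if host != courier_domain and not host.endswith("." + courier_domain):
            warnings.append(f"link goes to {host}, not {courier_domain}")
    if scanner.hidden_text:
        warnings.append("hidden text present: " + " ".join(scanner.hidden_text))
    return warnings


# Constructed sample modelled on the messages quoted on this page; the host is a placeholder.
SAMPLE = ("<p>Incoming Package Notification!</p><p>Please follow the URL below to track your "
          "shipment.<span style='font-size: 0px'>jfgjgfjfjggggfj</span></p>"
          "<a href='http://hacked-site.example/dhl/track'>Tracking the package</a>")
```

Run `assess(SAMPLE, "dhl.com")` to see all three warnings; a message whose only link is an https:// URL under the courier’s own domain returns an empty list.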
Hi, I have received messages that say I’m selected to win a phone and must answer 9 questions. I won, and I must give my bank details for the shipment fee, but so far I didn’t because I don’t trust them. How possible is that, winning but still must pay some fees? I asked them to post it to my address but they always say they didn’t find anyone at the address I gave them.
It isn’t free if you have to pay! This is called “advance fee fraud” because it means you pay money (or hand over bank details) in advance but never get the “free” item you paid for. In this case you are giving the crooks access to your account… in return for nothing! Don’t do it…
The word is “unexceptional”. Don’t try to sound erudite if you don’t know the words. It seems people are just making them up nowadays, for instance: tooken, boughten, furthest (there really is no such word, it is distance so it is “farthest”). And so on.
Well, I disagree with your claim that there is no such word as “unexceptionable”, and the editors of both the Oxford Dictionary of English and the New American Oxford Dictionary disagree with you, too.
In fact, both of those dictionaries include a special sidebar in which they discuss the differences between “exceptional” and “exceptionable”, and between “unexceptional” and “unexceptionable.” Although the Oxford lexicographers admit that the negative versions of these words (the ones that start un-) are sometimes used interchangeably these days, they also insist that these words can, and do, usefully convey different meanings.
When I use the word “unexceptional”, I generally use it to say that something is “satisfactory but not outstanding.” When I use the word “unexceptionable” I mean to say that something is “not open to objection”, i.e. that it “doesn’t stand out as obviously bad”. So an unexceptional phishing message is one that wouldn’t win any prizes for looks or inventiveness at an awards ceremony held by cybercrooks. An unexceptionable phish is one that you would be inclined to accept.
Indeed, I think you could usefully describe the fake message in this article as both unexceptionable *and* unexceptional.
Interestingly, the same dictionaries are perfectly happy with the words “further” and “furthest”, along with “farther” and “farthest”. (The dictionaries particularly note that “further” is far more commonly used than “farther”, for what that is worth.)
So, despite your insistence that neither word even exists, I think we can say that the use of both “furthest” and “unexceptionable” is, in a word, unexceptionable.
I got one this am from DHL saying that my package is scheduled for delivery but won’t be delivered until I pay $3.99 Cnd. When I clicked on it, stupidly, I noticed that the address bar was not DHL. Also, Outlook stopped it and I didn’t go any further. Which prompted me to look it up and ended up here. Ty for all your hard work at keeping us informed!!
It’s a pleasure. Glad you found the information you needed here!