How to avoid package delivery scams

For record numbers of people, holiday gift buying was done online this year — and now everyone is waiting around for those presents to be delivered, hoping there won’t be any issues or delays. 

The bad guys know this, and are using package delivery scams to take advantage of the situation. Here are 4 main types of attack that you should know about, along with tips for how to keep yourself safe.

1. 1

   Phishing emails

   Bad actors often use phishing emails to perpetrate package delivery scams. They send these out at random, but since so many people use the same delivery services and shopping platforms, there’s a good chance that the emails will find their way to people who really do have current Amazon orders, or who are expecting FedEx deliveries. The scammers claim to be from the shopping platform or delivery company, and warn that there is an issue with an order or with a delivery. The phishing emails include malware-laden attachments, links to malicious sites, or redirects to fake websites that try to trick the victim into handing over sensitive personal information.

   Tip: You may be able to spot a phishing email if it contains one of the classic “tells”: it uses poor spelling and grammar, comes from an obviously fake domain, or has an exaggerated sense of urgency. However, some phishing emails can be quite convincing, so don’t be too confident in your ability to spot a fake. The safest thing to do is never click on any link in an email claiming there is a delivery or order issue. Instead, navigate to the website of the relevant company on your own, and then either log in to your account area or enter your tracking number directly. If there really is a problem, you’ll be able to see it there.

2. 2

   Text messages

   These days, delivery scams can arrive by text message as well as by email. Be extremely careful when dealing with text messages that claim there is an issue with your order or delivery, especially if you’re asked to click on a link. To give one example of what these scams look like: police in Ireland have just warned the public about a rash of fraudulent text messages claiming that packages can’t be delivered due to unpaid customs fees; the messages contain a link to a fraudulent webpage that requests credit card details in order to “pay the fees”.

   Tip: As with emails, don’t click on any link that comes via SMS or messenger app, and be skeptical of these messages when they arrive. Check out any potential problems by going to the company’s website directly and investigating the issue yourself. If you’re expecting package deliveries and would like to receive mobile notifications, you can always install the company’s official app on your device and either connect it to your account or load it with the tracking numbers of the deliveries you’re expecting. Best of all, with the new privacy features in iOS 14, installing apps is less of a privacy risk than it used to be!

3. 3

   Voice calls

   You may know that fraudsters conduct tax scams over the phone, but they also use phone calls and voicemails to trick people into believing there’s a problem with their delivery or order. The targets of these attacks either receive a phone call from a scammer, or get a voicemail warning of a “delivery issue” and giving them a number that they are supposed to call in order to resolve the matter. These scams are often just run-of-the-mill voice phishing (e.g. a fake company employee attempting to get you to “reconfirm” your credit card number in order to steal it). However, the FCC has been warning people that some of the call back numbers used in these scams are actually international numbers from locations with three-digit country codes, presumably chosen in order to look more like a domestic U.S. number. If you call one of these numbers back, you may get hit with high connection fees and per-minute charges.

   Tip: If you receive a call from someone telling you that there’s a problem with your delivery or order, thank them for their concern, tell them that you can’t talk at the moment, and say you’ll check on the issue yourself. If the caller won’t take no for an answer, and demands that you handle the “issue” with them and only them, hang up: this is a dead giveaway that you’re talking to a scammer. Remember not to use any contact number that an unknown caller gives you: it’s very easy for scammers to set up and answer their own fake phone numbers! Similarly, never use a call back number provided in a voicemail. Instead, call the company’s main customer service number and ask for a status update using your order number or tracking number.

4. 4

   Fake missed delivery tags

   According to the FCC, scammers are now resorting to physical tactics as well: they leave fake “missed delivery” tags on people’s doors, and include a call back number which, of course, is equally fake. If the target of the scam calls the number on the tag, the bad guys will attempt to trick them into paying fraudulent fees, or convince them to give out financial details or other sensitive information.

   Tip: First and foremost in this age of COVID-19, go wash your hands if you’ve handled that delivery tag — you don’t know who’s been touching it! In terms of how to deal with the security threat, the most important thing is not to call the number back directly. Instead, follow the same procedure that you would for handling an email, text, or call from someone telling you that you’ve missed a delivery: navigate to the company’s website directly and check things out for yourself, log in to your account or app and investigate there, or call your local post office using their publicly listed number and ask if they’re trying to deliver a package to you.

Follow these tips to keep yourself safe from delivery scams in the next week or so, and make sure to share this information with others. You can also help delivery companies, merchants, and mobile carriers stop the scammers by reporting them through the proper channels.

In the United States, you can report a suspicious text to any cellular carrier by forwarding the offending message to 7726. The U.S. Postal Service also has a reporting portal where you can alert them to scams involving USPS deliveries.