SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 211: Avoiding a Scammy New Year

Posted on December 17, 2020

The holidays! A time of love, warmth, and good cheer. Also, prime time for scammers. This week, we’ll take a look at:

Four types of package delivery scams

The COVID-19 pandemic drove a record number of people online to do their holiday shopping this year. But with everyone waiting around for those packages to be delivered, the bad guys have ramped up their seasonal package delivery scams.

In this section, we’ll go through four common variants of these scams, and in the next one, we’ll give you some tips on how to keep yourself safe. First, the scams:

The phishing email scam

Checklist listeners know that phishing emails are a constant threat, but the ones flogging delivery scams are especially common around this time of year.

Scammers will send out emails purporting to be from Amazon, Target, FedEx, UPS, or the like. Since so many people use the same online shopping platforms, and since most deliveries arrive via a handful of big delivery companies, these random email blasts have a reasonable chance of finding their way to a person who really is expecting a FedEx delivery, or who just bought something from Amazon or Target.

The scammers claim that there’s an issue with the order or the delivery, and ask the email recipient to download an attachment or click on a link to learn more, or to provide “missing” information. The goal here is to get the victim to infect themselves with malware, visit a malicious website, or to give away sensitive personal data or credit card details.

The text message scam

These scams are similar to phishing emails in terms of content, but they arrive in the form of a text message, either via SMS or through a messaging application. Scammers will send out texts at random to large numbers of mobile users, claiming that there is some issue with a package or with an order.

To give one example of what this looks like in practice: Police in Ireland recently warned the public about an ongoing scam in which people received text messages claiming that an order from overseas couldn’t be delivered due to unpaid customs fees. The recipients were given a link to click that directed them to a fraudulent website where they could “pay the customs fees”, but of course this was just an attempt to steal their credit card data!

The voice call scam 

Just like with the annual tax scam calls, the holidays bring their own seasonal flavor of voice phishing (or “vishing”) scam year after year: delivery scam calls. Again, the basic content is fairly similar to what goes on via email or text: a scammer calls or leaves a voicemail telling the target that there is some issue with an order or a delivery (if the scam arrives by voicemail, they’ll also leave a call back number). 

If the victim engages the scammer, they’ll find themselves on the receiving end of an attempt to extract sensitive personal information, credit card information, or other sensitive data — this is often presented as an attempt to “reconfirm” some missing detail needed to complete an order or delivery.

The “missed delivery” tag scam

In this decidedly analog version of the package delivery scams described above, the bad guys have started to leave fake missed delivery tags on people’s doors. They include a phone number to call in the hopes that the target will believe the tag to be genuine and call them back.

If the victim does call the number, the scammer begins using the same tactics and tricks that they use in a voice call scam, often trying to get some kind of information that they shouldn’t have in order to use it for malicious purposes.

Protecting yourself from delivery scams

Now that you understand how these delivery scams work, we’ll give you some do’s and don’ts to help you avoid them!

First, let’s go over all the stuff you shouldn’t do…

Don’t click or download

If you get an email or text claiming that there’s some issue with your order or delivery, be aware that it could well be fraudulent — and that the links or attachments that come with it could contain malware or take you to a malicious website. Don’t click on any of those links or download those attachments!

Don’t talk to strangers

Good advice for kids, and also for grownups … at least during package delivery season: If you receive an unsolicited call about a “problem” with your order or delivery, thank the caller, tell them you can’t talk at the moment, and let them know you’ll check out the issue on your own. Don’t engage them or give them any information over the phone.

Don’t be intimidated

If a caller becomes aggressive or insistent, telling you that you absolutely have to resolve a delivery issue with them over the phone right away, don’t be swayed by them — just hang up. This kind of bullying behavior is a common tactic used by voice call scammers, and a strong indication that the call is not legitimate.

Don’t call back

If you get a voicemail or door tag with a call back number, don’t call it, since it’s very easy for scammers to set up and answer fake customer service numbers! Similarly, don’t go to any website given to you by an unknown party, since that website could well be fraudulent.

That covers the “don’ts”. Now we’ll tell you what you should do instead:

Check things out for yourself

If you want to know whether or not there’s really a problem with your order, just investigate it on your own. Log in to your account area if you have one, or enter your order’s tracking number on the delivery company’s website. And remember, don’t click on links given in an email or text message to get there! Instead, navigate to the company’s website independently in your web browser to make sure you’re actually going to the right site. If there’s an issue with your order or shipment, you’ll be able to see it on the company’s site.

Call customer service 

If you get a call and you’re not sure whether it’s legit or not, just do a quick web search for the main customer service number of the company in question (or of your local post office in the case of a questionable door tag) and call the number to ask about your order directly. You can use the package tracking number or the order number from your receipt as a reference. If there really is a problem, then someone will be able to help you.

Use official apps

If you want to get mobile notifications about your orders and deliveries, just install the official app from the company on your phone or tablet (bonus: if you’re using iOS 14, this is now less of a privacy issue than before). These apps can be linked to your account or loaded with tracking numbers, which will allow you to get status updates quickly and safely.

Report suspected scams

If you think you’ve spotted a scam, take a second to report it to the company that’s being impersonated by the scammer, or, in the case of text-based scams, to your mobile carrier.

FedEx, UPS, DHL, and Amazon all have dedicated email addresses that can be used to report phishing emails:

FedEx: abuse@fedex.com
UPS: fraud@ups.com
DHL: phishing-dpdhl@dhl.com
Amazon: stop-spoofing@amazon.com

In the US, you can forward a suspicious text message to 7726 (SPAM) to alert the carrier — it works on all cell networks. 

If you get a suspicious email or door tag from the US Postal Service, you can use their online reporting portal to let them know about it.

Spread the word

Last but not least, you can help to keep others safe by spreading the word about these scams. This week, take a moment to mention them to some of your friends and loved ones, or simply share this podcast with the folks in your network.

The vaccine is here … and so are the scams

The first of the long-awaited COVID-19 vaccines are now being administered to the public, and many people are eager to get the coronavirus jab as soon as possible. The bad guys know this … and as you can probably guess, they’re already finding ways to take advantage of the situation.

Some scammers are offering early access to the vaccine in an attempt to extract sensitive personal data or money from their victims; others are simply selling fake COVID-19 treatments (as they have been since the early days of the pandemic).

The best way to avoid these scams is to only accept information from reliable sources (i.e. not some random ad on Facebook or an unknown caller on the phone):

  • Get vaccine info from your doctor 
  • Fact check any information you find online
  • Get medical information from credible authorities (WHO, CDC, Mayo Clinic, etc.)
  • Ignore any call or offer requesting “immediate action”

Many of us are eager — even impatient — to get vaccinated. But as you’re no doubt aware, vaccine supplies are limited, and are likely to remain so for some time. Don’t let some scammer take advantage of your anxieties by pressuring you into giving away personal information with a false promise of access to the vaccine. And in the meantime, take all of the basic precautions recommended by healthcare professionals: stay in when you can, mask up when you have to go out, practice social distancing, and wash your hands!

That’s all for this week’s Checklist. Have an idea for a future show? Please write and let us know! And while you’re waiting for next week’s episode, take some time to peruse our archives, where we have audio and full show notes for every Checklist podcast going back to the very first one.
