Smishing Alert: How Package Tracking Text Scams Threaten Your Security
Robert J Kowalski
August 2024
The next scam that we’ll be investigating is a new one called “Smishing”: the Package Tracking Text Scam. At the heart of this new attack, the potential victim receives an unsolicited text message or email containing a web link and a claim that a post office delivery requires a response from you. If you receive one of these texts or emails like in the picture below, and you never signed up for this tracking service for a package from the United States Postal Service (USPS), then do NOT click the link!
Smishing is a type of “phishing” attack that involves communication through a text message, email or phone call. You will typically receive a deceptive text message that is intended to lure you into providing your personal or financial information. The picture below is an example of such a text message.
These scammers often disguise themselves as a government agency, bank, or other reputable company you would normally conduct business with to lend validity to their claims. A legitimate message from the postal service (USPS) will use a 5-digit code that they will send only if you sign up for their tracking benefit.
The criminal entity wants to receive personally identifiable information (PII) about you such as: account usernames and passwords, Social Security numbers, date of birth, credit and debit card numbers, personal identification numbers (PINs), or other sensitive information. This information is used to carry out other crimes, such as financial fraud, with your credit, identity and/or money.
The USPS offers free tools to track specific packages, with the stipulation that customers are required to either register online, or initiate a text message, and provide a tracking number. An important note to remember in helping identify a potential Smishing scam is that the USPS does not charge for these services; if the message requests payment, this is a key indicator that you are being targeted by a scam.
The USPS also will not send customers text messages or e-mails without a customer first requesting the service with a tracking number, and the message will NOT contain a link. If you did not initiate the tracking request for a specific package directly from USPS and the message contains a link: do NOT click the link! Not to be outdone, UPS, FedEx and any other delivery services also have the same issues. Again, unless you signed up for a notification service when you made your order, do not respond to unsolicited text messages, emails or phone calls.
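The indicators described above (an unsolicited message, a sender that is not a 5-digit code, an embedded link, a request for payment) can also be checked mechanically, for example in a message filter. The following Python is an added example, not part of the original article; the field names, the payment keyword list and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Links as they appear in message bodies: http(s)://, www., or bare domain + path.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*", re.I)
# Assumed keyword list for "the message requests payment".
PAYMENT_RE = re.compile(r"\b(?:fee|pay(?:ment)?|charge|credit card|debit card)\b|\$\s?\d", re.I)
# The article says legitimate USPS texts come from a 5-digit code.
SHORT_CODE_RE = re.compile(r"^\d{5}$")


@dataclass
class Sms:
    sender: str
    body: str
    user_requested_tracking: bool  # assumption: known from the recipient's own records


def smishing_indicators(msg: Sms) -> list:
    """Return which of the article's warning signs this message trips."""
    hits = []
    if not msg.user_requested_tracking:
        hits.append("unsolicited")
    if not SHORT_CODE_RE.match(msg.sender.strip()):
        hits.append("sender_not_5_digit_code")
    if URL_RE.search(msg.body):
        hits.append("contains_link")
    if PAYMENT_RE.search(msg.body):
        hits.append("requests_payment")
    return hits


def verdict(msg: Sms) -> str:
    return "suspicious" if smishing_indicators(msg) else "consistent_with_legitimate"


# Constructed sample messages (not real traffic; sender values are placeholders).
SAMPLES = [
    Sms("+15555550123", "USPS: your package is on hold due to an incomplete address. "
        "Pay the $0.30 redelivery fee at https://usps-redelivery.example/track", False),
    Sms("12345", "Delivery attempt failed, confirm your address: "
        "www.parcel-update.example/a1", False),
    Sms("12345", "USPS 9400100000000000000000 Expected Delivery on Monday, "
        "arriving by 9:00pm", True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(verdict(sample), smishing_indicators(sample))
```

Any single indicator is enough to treat the message as suspicious here, which matches the article's advice: a 5-digit sender alone does not clear a message that was never requested or that carries a link.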
In connection with the Smishing scams, Phishing scams also known as “Tech support scams” are becoming more common. Criminals in this type of crime pose as technology support representatives and offer to fix your computer issues. Typically these are non-existent issues, but the scammer preys on an individual’s lack of a deeper understanding of technology and computer systems. The scammers gain access to your devices and sensitive information by giving you instructions that allow them to connect remotely to your computer.
Let’s examine the different ways the scammers will get to you for these technology scams:
Phone calls: If you get an unsolicited phone call from someone you didn’t expect and they say there’s a problem with your computer, hang up. If you have an IT department that maintains your workplace computers, immediately report this incident to them so that they can initiate corporate safeguards.
Pop-up warnings: If you are on the computer and you get this kind of pop-up window that appears to come from Microsoft Windows or Apple Mac, do NOT call the number. Legitimate security warnings and messages will never ask you to call a phone number.
Online ads and listings in search results pages: If you’re looking for tech support, go to a company you know and trust. Use a reputable company for your IT support needs.
Two Key Factors to Remember to Avoid a Tech Support Scam:
1. Legitimate tech companies won’t contact you by phone, email, or text message to tell you there’s a problem with your computer.
2. Security pop-up warnings from real tech companies will never ask you to call a phone number or click on a link.
If you suspect you have been targeted by one of these tech scams, whether Smishing or Phishing, through a suspicious text, email or phone call, do NOT click on any of the links or answer any access questions unless you can verify that it is a legitimate request. Any legitimate request will begin with you initiating the request. If in doubt, report it!
Below is a list of government resources where you can find additional help.
For identity theft, contact the Federal Trade Commission at https://www.identitytheft.gov/
Or, for general fraud, contact the Federal Trade Commission at https://reportfraud.ftc.gov/
For any internet fraud, contact the FBI at the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/
Most importantly, contact your local police department first so that you can get a report number, especially if you experience a monetary loss involved with the fraud.
For additional information or to conduct a risk assessment to identify potential vulnerabilities, contact us on www.IS-Concepts.com.