If you didn’t get a message suggesting a delivery had missed you this week, you were one of the lucky ones. Fortunately, there are ways to pick up that this is just another scam.
You glance down at your phone with a message staring back at you.
“We were unable to deliver today, please tell us when to retry”
There’s a link and you’ve been expecting something.
Later in the day, you get another.
“Notice: your package will be returned to the sender”
The message suggests you should have received something, but didn’t. Your order didn’t come through. Maybe you get one or two more since that, all telling you that something is coming.
It’s lockdown in much of Australia, and we’ve all been expecting something, because most of us are staying home and ordering online, and so stuff is coming in.
But the urgency of this message and others like it suggests a courier tried delivering something and you didn’t get it.
Whatever the reason, don’t click that link, and be sure to question everything, because delivery scams are in, and they are hitting Australians in abundance.
Scams kick up a storm in lockdown
We’re all at home and that’s giving scammers a way in with their messaging, and even though Telstra’s Cleaner Pipes project is making a dent on the number of scams for Telstra customers (or people using another operators that uses Telstra’s connection), the number of messages and scam attempts are going up, up, up.
It’s not just delivery scams, but rather every type of scam, it seems. Blackmail extortion scams are up, phone calls pretending to be from major subscription services, fake voicemail messages with malware lurking behind them, and so on and so on.
However it’s the SMS “smishing” scams that may be more difficult to work out. A variant of phishing, these are the messages that arrive with a link — any link — that takes you to a site engineered to look real. The game with smishing is that a scammer wants you to believe you’re at a real site, and will push urgency as a matter of course to get you to throw in your details.
In a delivery scam, that urgency is you receiving your package. Or potentially receiving one.
It’s why the Australia Post scams going out over email can be super convincing, because living in Australia means someone is going to send you something over Australia Post, making it more believable. Fortunately, there are ways to work out whether a message is actually coming from the real deal, or if your Australia Post message is a scam, and the same is true for a delivery message you might receive, as well.
The telltale signs of a delivery scam
While home delivery scam can seem legit, there are some dead giveaways that this isn’t the real deal, and the first one is that phone number.
We clocked three different phone numbers of SMS delivery scams sent our way, and suspect that any you receive will come with different phone numbers, as well. They’re local numbers we’re seeing, with Australian mobile “+614” numbers sitting as the send recipient, but these are not local at all.
Rather, scammers are using phone number spoofing to make their texts look legit, relying on an Australian number to convince you their SMS is legit and that you should click the link.
The dead giveaway that these are fake is the number itself: with no company or user ID in the phone number, there is no way these delivery text messages are coming from a legitimate company, as no only SMS company would let them use Australia Post or FedEx. Crafty scammers can get close, but these scammers are anything but.
The other major sign that something is wrong is in the link.
You’d expect to see a familiar website name in a link for a delivery, but in these delivery scams, you’re going to see random website addresses that aren’t connected at all to name brand couriers or postal services.
Ignore the use of HTTPS because it’s a big of a red herring; any website can get a secure certificate, and the use of an “S” doesn’t mean the site is legitimately secure.
Instead, pay close attention to the website link and question whether it’s legit. If you’re supposed to be getting something from Australia Post, StarTrack, FedEx, or any other service, ask yourself why they would use a random website link you’ve never heard of, and don’t click. These links will just take you to a phishing website and hope you enter in details, falling down a rabbit hole of lies and the con.
Delivery scams won’t stop
The frustrating part of this is that even if you know what to look for, scammers won’t stop.
Australians are losing very large amounts of money to scammers, and as long as it works, criminals will not stop, making it vitally important that you learn what not to do and don’t click.
Studying the messaging is one way you can stay on the lookout, often because scams are typically written outside of the country where an English language mightn’t be as strong as someone writing from inside the country. Companies typically won’t release an email or text without having it seen some form of spellcheck and grammar, and so this can be a giveaway, though it’s not always a viable approach.
“While attacks are becoming more sophisticated, they’re often conducted by scammers from other countries or non-English speakers who are more likely to make spelling and grammatical errors,” said Paul Ducklin, Principal Research Scientist at Sophos to Pickr recently.
However beyond that, you may want to treat messages with a level of trepidation. Specifically, be mindful or even suspicious of what you’re sent, and don’t necessarily trust texts and emails with blind faith.
“Make it a rule to treat all links, texts and emails with suspicion,” said Alex Merton-McCann, Cyber Safety Ambassador for McAfee in Australia and New Zealand earlier in the year to Pickr.
“By simply navigating the web with a level of caution, consumers will be in a much better position to stay on top of scams even as they evolve.”