Scammers might have found a new way to be convincing, as a recent AusPost text scam seems to suggest. How do you tell?
It arrived on a Saturday evening, a message to tell us a package hadn’t been delivered. And it came from Australia Post, or at least it seemed to.
The message said it was from “AusPost”, and it appeared in the same thread as earlier texts from Australia Post. Except this one was different.
While Australia Post phone alerts almost always direct to the postal service website, this SMS was going somewhere else.
And it seemed legitimate because it came in under the same ID. What’s going on? Have scammers broken into Australia Post?
How is this scam arriving in the same list as real AusPost alerts?
Not quite. Don’t worry, scammers haven’t found a way to bypass Australia Post security.
What’s happened with this evolution of an Australia Post SMS scam is that a scammer has found a text delivery service that is allowing it to use “AusPost” as its sender ID.
Typically, online text services have specific companies blocked out so that scammers can’t use them. They may not be able to use “Microsoft” or “Telstra”, because those are off limits, but they can often use variants that are close enough to trick people. In this instance, the scammers appear to have found a service allowing them to use “AusPost”.
When you get a message from Australia Post, it can come from multiple phone numbers, and probably will. The messages are sent online through several phone numbers, but are grouped together under whichever company ID they are sent with. It’s one reason why, if you look under Australia Post’s contact information, you won’t always see a phone number; the messages are just collected under the company ID.
With this scam, cyber criminals have basically found a way to join the regular AusPost list of messages, which makes their message seem more legitimate.
It’s not, but it certainly looks legit, so how can you tell that it’s a scam?
How do you know it’s a scam?
Education is often the best way to disarm a scam, as there’s only so much security software can do. In the case of SMS scams, there’s often very little security software can do, because it doesn’t always run on a phone or tablet, which is precisely where this one is meant to be picked up.
So the best way to work out what’s going wrong in this scam is to know what to look for, and work out what’s wrong with the message.
The first indication that this is a scam is the website itself.
Australia Post officially uses mypo.st as its website, and if you’re sent a message from its system, you’ll get a series of numbers and letters that send you to your personal location tracking your actual parcel. We’ve blurred them in our images above, but they’re included to direct you to the right location about your parcel.
Not only does this message’s link lack that personal location, it also isn’t Australia Post’s website. It’s something else: redeliverysite.com. That’s not really Australia Post. That’s your first giveaway.
If you click on the link — which you shouldn’t do, but if you do — you’ll be taken to a phishing site, which has all the hallmarks of a phishing site crafted by someone who isn’t from Australia. This type of scam is called “smishing”, because it’s phishing over SMS.
One indication that it’s a total scam is a reference to “zip code”, which we wouldn’t use in Australia, but the next is that the links in the webpage don’t actually work. You can’t click to log in, you can’t click on the about page or even the menu. Nothing works because the scammers only want to make you feel like you’re in the right place, not send you back to Australia Post’s site.
If you start to enter information, you’ll find once you enter your postal code — any postal code, even a fake one — you’re suddenly told your parcel tracking number and that it’s on hold.
Think about it for a second: there’s no way a parcel could be found solely on postal code alone. There would be hundreds of thousands of parcels coming through any postal code, so this is clearly a scam, but it reveals itself even more obviously after this.
Enter your “details” and any details will take you through to the crux of this scam. We managed to enter a 55th month in the date, and it still pushed us through to the goal: a page asking you to enter your credit card details and pay VAT, a type of tax we also don’t use in Australia.
Scammers are getting better, but you can still outwit them
Clearly, this scam is a little more proficient than the usual garbled English we see, and because this one came from an “AusPost” ID and managed to push itself in with the rest of the Australia Post messages, it is a touch more convincing.
But there are still clear indicators that this Australia Post scam is as bad as the rest: the shoddy work on the cloned website, the different website address, and the fact that Australia Post doesn’t charge delivery fees when it’s attempting a redelivery.
We’re likely going to see more of these, but if you remember that Australia Post always uses mypo.st as its website and nothing else, regardless of what comes in, that’s the first step to preventing this scam from doing any damage to your bank account.
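The link check described above can be written as a small message filter. This is an added example, not part of the original article or any Australia Post tooling; the sample texts are constructed, and the only trusted domain is mypo.st, as the article states.

```python
import re
from urllib.parse import urlsplit

# Domain the article says genuine Australia Post texts link to.
OFFICIAL_DOMAINS = {"mypo.st"}

# Matches http(s) links and bare host/path strings such as "mypo.st/abc123".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)

# Constructed sample messages (sender ID, body); not real captures.
SAMPLES = [
    ("AusPost", "Your parcel is arriving today. Track it: https://mypo.st/AbC123"),
    ("AusPost", "Your package could not be delivered. Reschedule at redeliverysite.com/au"),
    ("AusPost", "Delivery on hold, confirm here: http://mypo.st.redeliverysite.com/t"),
]


def link_hosts(sms_text):
    """Return the lower-cased hostname of every link found in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(sms_text):
        url = match.group(0)
        if "://" not in url:
            url = "https://" + url  # bare links need a scheme for urlsplit
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.rstrip(".").lower())
    return hosts


def is_official(host):
    """True only for an official domain itself or a real subdomain of it."""
    # Exact or dot-anchored suffix match: a substring test would wrongly
    # accept "mypo.st.redeliverysite.com".
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_sms(sender_id, sms_text):
    """Classify a text by its links. sender_id is deliberately ignored,
    because the scam in the article arrived under the genuine-looking ID."""
    hosts = link_hosts(sms_text)
    bad = [h for h in hosts if not is_official(h)]
    if bad:
        return ("suspicious", bad)
    return ("ok", hosts) if hosts else ("no-link", [])


if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(check_sms(sender, body), "<-", body)
```

All three samples share the “AusPost” sender ID, yet only the first passes, because the decision rests on the link's hostname alone.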