It was inevitable this would happen. As our isolated reliance on home deliveries soars, cyber scammers have sniffed an opportunity to take advantage of us when we’re most vulnerable and our guard is down. You can add this latest warning to the myriad scams, fakes and attacks that have surged under the COVID-19 pandemic.
Home deliveries are under immense strain. Shoppers are struggling to find slots for groceries, and the usual lead times for other products are stretched. We’re fast approaching the “it comes when it comes” stage. And so, understandably, we are watching our phones for shipment slots, updates and delays.
You know this, I know this, and, unsurprisingly, the scammers know this too.
Now the research team at Sophos warns that those opportunistic scammers have shaped a series of attacks around just such text messages—text messages laced with malicious links that will point you to card- and credential-stealing phishing sites.
Malicious text message
In the example above, the URL looks similar to those we see when selecting delivery slots or clicking for updates, “and given no one wants to see their lovingly awaited shipment of toilet rolls go astray for something as minor as an address glitch,” Sophos warns, “it’s tempting to click through to check what’s going on.”
Behind such texts are standard mocked-up phishing sites. From there, you will see a variety of the usual scams: confirming login credentials or even—as Sophos says in its report—asking for a modest delivery top-up payment to ensure nothing is delayed, thus capturing your full card details. It’s as easy as that.
Sophos has detected other tricks in these campaigns: payment redirects that send you to a card processing site, as you might see on a genuine website, and even declined payments that terminate the scam and leave you open to being phished again.
The coronavirus pandemic has provided a uniquely powerful cover for every imaginable manner of scam. This one has an added dimension—whatever country you might be in, there will be a number of well-known delivery services that you’re likely using. By mimicking these, the scammers will score hits during their campaigns.
So how do you stay safe? Well, just as with emails, don’t assume text messages with familiar names and plausible-looking links are legitimate—even if you are awaiting a delivery from that company. Ideally, don’t click through from the SMS but go to the site or back to the original order notification and click from there. And, obviously, if you think you may have been taken in by one of these scams, call your bank right away.
Home deliveries have been targeted before—we’ve seen expensive items ordered and delivered from legitimate sites, then picked up by the scammers, and we’ve seen every possible variety of phishing lure. This warning is just the latest in the raft of “be careful” alerts that are raining down on us at this distressing time.
Don’t let your guard down, despite the circumstances.