Dave, I got an email message that indicated I have a package ready for delivery from UPS. I checked and there’s nothing I’m expecting. Is it a scam? I’m afraid to click on the link…
No, you don’t have a package, and yes, it’s a scam. But these sort of scams are surprisingly prevalent so let’s actually dig into the message and related Web page to understand how it all works. Generally, though, the first thing to examine is the actual notice: Does it include personal information? The most generic of phishing attempts or other email scams are very generic where it’s “Dear Recipient” or similar. If you have a real package, it’s going to have a recipient label, so the real UPS / FedEx / DHL knows your name and address.
Still, we’re all pulled in by the hope that today’s our lucky day and somehow, through perhaps a shipping error, we do have something valuable that’s poised and ready to be delivered. Even when it makes no sense at all. The lure is complex psychologically because it taps into our ego (desire to learn we’re special), greed (it’s worth a lot of money) and fear of missing out (respond immediately or you’ll miss out on this great deal). Slow down and think about the actual offer and you’ll realize it’s bogus 99% of the time.
THE EMAIL: PACKAGE DELIVERY PENDING
Here’s a very typical example of this sort of email message that I received in my Gmail inbox:
Suspended! It’s ready to deliver, they just need some sort of confirmation! Remember, our tracking code according to this email is ASO-U9192858. Also note that there’s no personal information here, no “To: Dave Taylor” or “Shipping to:” and an actual address. Why? That’s much harder to create than this sort of bulk generic spam.
In fact, if your email system is any good, it’ll have already been flagged as spam – as Gmail did – which is a reliable indicator that it is a scam. You see your inbox. Gmail sees billions of inboxes and can easily recognize duplication of messages in a completely different way.
Look closely at the subject and address information in the message too:
Wait, now the tracking number is US-66514779-14? But more importantly, I can guarantee that reputable companies like UPS and FedEx will never include emoji in their subject lines. Never.
And look at the sender’s email address: UPS®YUDH.CUXD@dacht.elangiectases.com ?? What happened to “@ups.com”? Why would UPS be using some random, unknown domain for its notification messages if they were legit?
Any one of these being questionable should give you pause and alert you that the message might be a scam, but when you add them all up (no personal information referenced, inconsistent tracking numbers, weird sender email address) it’s a certainty that it’s a scam.
But what if you did get fooled and clicked on the “Schedule your delivery” link?
DANGEROUS SITE ALERT FROM MICROSOFT EDGE
If you’re running a modern Web browser and have your security set properly, Chrome, Safari, and Edge can all notify you that it’s a bogus site:
This is Microsoft Edge and if it isn’t enough to convince you, well, you’re dogged in your pursuit of this mythic package! Want to check a different way? Go to UPS.COM (type in the domain to your browser, don’t trust links in email messages or on Web pages) then enter the earlier tracking number to see what it reports. In this instance:
Not a surprise, right?
THE SCAM SITE ITSELF
Okay, if you do persist and get through to the related Web site, here’s what you’ll find:
And now, a third tracking number! This time it’s IPHON-WDJ-79HO, which is definitely not a UPS tracking code. At this point, you’re on the site and its goal is to have you move quickly through the pages so that you give up critical personal information before you think about what you’re doing.
Click on “Follow your order” (no longer “release your pending delivery”) and you’ll go through a series of a half dozen delivery preference pages, including one that finally reveals what your “package” contains:
Ah, so it’s an Apple iPhone 14 Pro Max. Street value is $999.99, and you’re getting it for a $1 shipping fee? Such a deal. Such an… unbelievable deal. Why would anyone think this is legit?
But… you click on “Schedule delivery now” because you’re excited at the chance to upgrade to such a big, beautiful new phone. It happens. And here’s what you’ll eventually see:
Wait a minute… why is it asking for your shipping information if it started out by warning you that there was a pending shipment for delivery, implying that UPS already had your address and contact information? Because it’s a scam. Are you convinced yet?
The final page shows what the criminals actually seek:
In fact, everything leading up to this has been an elaborate hoax to get you onto this screen where it asks for your name, address, email, phone, and credit card information. Trust me, if you did fill this out, you’ll see a lot more on your next credit card bill than just a $1 shipping charge. In fact, within a few minutes, your card will likely be utilized to buy hundreds of dollars worth of gift cards to stores like Amazon, Target, and Home Depot. By the time you realize you’ve been scammed, your bank might have already shut down your account for fraudulent activity.
The long and short of it is that there really is no such thing as a free lunch, particularly on the Internet. It’s not hard for malicious hackers to assemble some basic information about you too, so even if it includes your home address or refers to you by name, double check through independent paths before you click, call, or respond. Be safe out there!
Pro Tip: I’ve been writing about online scams for many years. Please check out my spam, scams and security help area while you’re visiting. Thanks!