Have you ever received items by courier from people overseas?
If so, you’ll know that sometimes – notably in the case of gifts, where the other person hasn’t told you what they’re sending – the courier company doesn’t deliver the item directly.
Sometimes you get an email saying that the item is delayed because the authorities want to inspect it; or there’s import duty; or there’s a supplementary delivery charge if you can’t collect it from the depot yourself.
And to help you get through the paperwork easily, there’s often a tracking code and a clickable link in the email.
You can see where this is going…
…because cybercooks love to copy real life, on the grounds that it’s easier to lull you into a false sense of security when you’re following a process that feels familiar.
Like this email that a Naked Security reader received this weekend:
A free MacBook Pro for just $1!
(Ironically, you could argue that this phish might work better if the “free gift” were a bit less valuable that a MacBook Pro laptop, and if the delivery fee were a bit higher than $1, because the value and the charge don’t quite seem to go together very well – but that’s a detail we shan’t investigate any further here.)
As we mentioned above, scams like this aren’t miles away from real life, because emails from courier companies that document unexpected import and delivery charges are not unusual.
As for gifts, well, they’re not unusual during the Christmas holiday season, either – and, being gifts, they’re often a surprise that you don’t find about until either you or customs officals open the package.
If you click though, you’ll see a landing page, in this case tailored to the same country as the recipient’s email address, which ended in .com.au:
Next, the crooks tell you that they have “found” your item from its “barcode”:
And then the crooks advise you that the item has arrived in your country, but is stuck at the depot, pending payment of a delivery fee:
If you fall for the scam and click through, you’ll see some realistic-looking pages that take you to a fake pay page.
We entered bogus data here for the screenshot:
(All the sites used by the crooks have been hacked or setup for the purpose of the scam, so they all have HTTPS certificates and show a padlock in the address bar – but the server name is unlike any courier company you’ve ever heard of.)
The crooks then present a plausible conclusion for the fake transaction by simply claiming that it didn’t go through:
As you can see, the crooks are still phishing for more, even at the end, brazenly suggesting that you try another credit card and thus giving them two-for-the-price-of-one.
Of course, if you get this far you’ve just handed over your card details to the crooks, including the CVV (security short code) from the back of your card that no legitimate merchant would store.
What to do?
- Beware free gifts. Seriously, there is no free iPhone, no free iPad, and definitely no free MacBook. Even if the link just takes you to a survey rather than to a full-on phish like here, don’t give out personal data to people you’ve never heard of.
- Beware courier emails. When sending or receiving items by courier, try to get in contact with the recipient or sender without using email – perhaps make a phone call in advance – to advise them of the courier company you’re using and to provide a tracking number you can both trust.
- Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate.
- Avoid links in emails. If you know you’ll be dealing with courier company X, find out the right website to use in advance, and go there yourself. Don’t rely on links emailed to you, because those links say whatever the sender wants.
- Report compromised cards immediately. If you get as far entering any banking data into a “pay page” and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
PS. Don’t forget that just typing data into a web form exposes it to crooks because they can “keylog” what you type into a webpage even if you never press the [Submit] button.
QUICK-LOOK VIDEO
Check out this scam! (Er, not literally, obvs., look vicariously via the article below ✍️)https://t.co/0dSox8k5YY pic.twitter.com/XdGwdcq64a
— Naked Security (@NakedSecurity) January 6, 2020
MikeP_UK
It’s also NOT the start of a new decade. It’s the start of the last year of the second decade of this third millennium. This year is MMXX in Roman numerals, clearly shoiwing it is NOT a third decade but the tenth year of the second decade, hence the year is 20.
Paul Ducklin
Those of us who prefer the new-fangled “Indian notation” are happy to imagine the existence of AD 0 (think of it as another notation for 1 BC), and are delighted to have one millennium end in 1999 and a new one begin in 2000.
As for suggesting that Roman numerals are suitable for “clearly showing” anything…
…I would like to see your working for the long division CCCLV / CXIII, or to learn how you’d figure out how many binary digits you’d need to represent CC|ƆƆ|ƆƆMLXXXIII.
Bryan
Duck, I’ve not thought of my CCNA professor in a long time, but he at times spoke of his early career† and once told us that he and all his associates at a prior job had taught themselves to think in hexadecimal and do arithmetic in it. He demonstrated a couple examples for us–and if he was secretly first converting to decimal and then converting the answer back, he did it very quickly. I had to perform conversions to check his work.
Like you, the man was brilliant, and I’m only now noticing his name was also Paul–which I admit I may find more noteworthy than is warranted.
:,)
† he remembered a time when getting a computer to functionally boot meant writing one’s own video driver. yikes.
Paul Ducklin
Hex arithmetic isn’t too bad – if you’re old enough to have learned “times tables”, you probably learned up to 10×10 (12×12 in the UK, because things were still widely sold im dozens until fairly recently, and people still used the word “gross” to mean “a dozen dozens”, or 12×12=144). You just need to memorise your times tables up to 16×16 and hex multiplication using pen and paper is as easy as doing long multiplication in decimal.
I was fortunate in that my introduction to hexadeximal co-incided with the lifetime of the amazing ‘HP-16C Computer Scientist’ calculator, which still lives on in the form of a simulator (running the original HP ROM, with all the original bugs and pecadillos, at the original speed) that I use to this day:
https://www.hpcalc.org/details/2813
My own HP-16C died many years ago. I couldn’t resurrect it… can’t remember what happened to it now. Probably still in the bottom drawer of the desk I used to sit at in our Sydney office :-)
Magyver
Lol @ the Duck – Paul, you’re still a young puppy in my book! …*grins*
Bryan
MikeP, as long as we’re waxing pedantry:
Unix and descendant OSes use character range sets to simplify describing, well… ranges of characters. The numerical range is [0-9], which suggests a predilection for “commencement at zero, culmination at nine.”
January 2000 fielded similar assertions that the millennium still awaited our arrival–yet most folks find the transition from 1999 to 2000 feels more like transcendence than from 2000 to 2001.
Also:
*showing