
“Back to basics” as courier scammers skip fake fees and missed deliveries

We’ve been warning about fake courier scams on Naked Security for many years, even before the coronavirus pandemic increased our collective reliance on home deliveries.

These scams can take many different forms, including:

KISS – Keep It Simple and Straightforward

But some courier scams keep things way simpler than this, like this one we received ourselves over the weekend.

The email simply offers you a waybill for a delivery that’s headed your way:

This message was aimed at our business email address, and the company’s physical address is a matter of public record, so just confirming delivery details doesn’t sound as though it’s a major privacy risk…

…until the next stage of the process demands a password for the associated email account:

Note that the email address and the company name shown in the password phishing page are extracted directly from the URL specified in the original email.

In the example above, the URL was: https://[REDACTED]/index.php?email=yourname@naksec.test, making it easy for the [REDACTED] website to present a login page with a company name in it, without needing a database of tracking codes shared between the crooks sending the scam emails and the crooks operating the scam web page.
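A defender-side check for the link pattern described above, as an added example that is not part of the original article: it flags links in a message body whose query string carries an email address while pointing at a host outside the recipient's own domain. The host courier-tracking.example and the sample message are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Zero-width characters that can sit invisibly inside link text.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))

def prefilled_links(body, recipient):
    """Hypothetical helper: list links that pass an email address in the
    query string to a host outside the recipient's own domain."""
    recipient = recipient.strip().lower()
    own_domain = recipient.rsplit("@", 1)[1]
    findings = []
    for raw in URL_RE.findall(body.translate(INVISIBLE)):
        url = raw.rstrip(".,;:)")          # drop trailing sentence punctuation
        try:
            parts = urlsplit(url)
        except ValueError:                 # malformed host, e.g. bad brackets
            continue
        host = (parts.hostname or "").lower()
        if host == own_domain or host.endswith("." + own_domain):
            continue                       # the recipient's own site
        # parse_qsl percent-decodes, so email=a%40b.test is caught too.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            address = value.strip().lower()
            if EMAIL_RE.match(address):
                findings.append({"url": url, "host": host, "param": key,
                                 "address": address,
                                 "targets_recipient": address == recipient})
    return findings

# Constructed sample message; the host name is a placeholder.
SAMPLE_BODY = (
    "View your waybill: "
    "https://courier-tracking.example/index.php?email=yourname%40naksec.test.\n"
    "Company site: https://www.naksec.test/contact?ref=yourname@naksec.test\n"
    "Help: https://courier-tracking.example/help?id=42\n"
)

if __name__ == "__main__":
    for f in prefilled_links(SAMPLE_BODY, "yourname@naksec.test"):
        print(f["host"], f["param"], f["address"], f["targets_recipient"])
```

The check matches on any parameter name, not only `email`, so it goes slightly beyond the single URL shown in the article.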

After you’ve put in your password and the crooks have harvested it, you’re redirected to the domain name from your email, typically the main page of your own company’s website, as a sort of decoy to distract you:

Interestingly, the fraudulent login site redirects via HTTP, but most web servers these days will then automatically redirect you to their HTTPS version, so you probably won’t end up on an insecure page as shown above.

Note that in this scam, there’s no fake payment demanded, no fraudulent credit card payment form, and no failed delivery to reschedule.

Just a “waybill” you can view and verify.

What to do?

