Home delivery scams, where the crooks falsely apologise to you for not delivering your latest parcel, have been around for years.
However, as we have unfortunately needed to say many times on Naked Security, these scams seem to have become steadily more professional-looking during the pandemic, as more and more people have got into the habit of ordering deliveries for everyday shopping instead of heading into stores.
For example, here’s a contemporary SMS-based scam (phishing that is kicked off by a text message, or SMS, is wryly known as smishing) that makes a good “picture story” of how these cybercrimes unfold.
In this criminal campaign, the scammers were targeting a home delivery company in the UK called Evri.
Unfortunately, and perhaps entirely deliberately on the part of the criminals, “Evri” is a recent UK-specific rebrand of the German company “Hermes”, so that UK customers may very well still be getting used to the new look and feel of the rebranded website, and to the new domain name.
Officially, the company’s web presence is at evri.com, so these crooks have grabbed a domain of the form evri-xxxxxxx.com to make things seem believable:
By the way, the domain used in this attack was first registered just yesterday, probably for use in this scam only, and at the time of writing, the content was served up by a hosting company based in Moscow, Russia.
Hosting companies typically provide ready-to-go web server templates, complete with HTTPS certificates that put a padlock in the address bar, and even if the service provider is responsive to complaints and turns off the website within a day or two, the crooks may well have got everything they were after from their fake server already.
When we tried the URL in this scam, we routinely experienced HTTP 404 errors (page not found) when visiting from a regular browser, meaning that the website was alive and responding, but effectively ignoring our requests.
As soon as we used a mobile browser, however, as you are likely to do when receiving a link directly on your mobile phone, the site sprang to life:
As you can see in the top left corner, underneath the popup asking for your postcode, the crooks have inserted a realistic Evri logo, even retaining the official text The new Hermes to “remind” visitors about the brand change.
You should baulk at the next page, of course, because delivery companies don’t ask for personal ID merely for parcel tracking purposes, but there are no obvious visual or spelling errors to warn you off:
Next, there’s a fake charge for a modest amount that doesn’t sound too much to lose if the transaction turns out to be fraudulent…
…except that the “redelivery charge” is there merely to give the the criminals an excuse to to ask for payment details:
If you put your credit card number and bank details into this page, you aren’t going to lose £1.45 (just under $2)…
…you’re going to lose your personal details to the crooks, who will probably use your card or bank account details themselves for a much more ambitious scam, or will sell them on to other crooks who specialise in that aspect of the cybercrime “business sector”.
Finally, there’s a short delay while the site pretends to “verify” your payment, after which the bogus site sneakily transfers you to the real one, so things appear to have ended normally:
What to do?
- Check all URLs carefully. Learn what server names to expect from the companies you do business with, and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms.
- Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all! (See point 1 above.) Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.
- Report compromised cards or online accounts immediately. If you get as far entering any banking data into a fake pay page and then realise it’s a scam, call your bank’s fraud reporting number at once. Look on the back of your actual card so you get the right phone number. (Remember that you don’t have to click
[OK]or[Continue]for a web form to capture any partial data you have already entered.) - Check your bank and card statements. Don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through. Be alert for incoming funds you weren’t expecting, too, given that you can be called to account for any income that passes through your hands, even if you neither asked for it nor expected it.
And, of course, when it comes to personal data of any sort: if in doubt, don’t give it out.
EVRI’S SITE IN REAL LIFE
In real life, Evri’s site is at evri.com, not at any variations on that theme. The company has an official track-your-parcel page at this easily bookmarked URL:
https://www.evri.com/track-a-parcel
Find your own way there and you will see that the company doesn’t rely on personal data such as name and date of birth for parcel tracking – instead, the company uses one-off tracking or non-delivery codes:
These 16-digit and 8-digit codes are explained clearly at the site’s own help page:
https://www.evri.com/faqs/receiving-a-parcel/how-do-i-track-my-parcel
Find your own way to get in touch with the real sender to find out the 16-digit code if ever you need it.
And remember that the company’s 8-digit “calling card” codes are printed on physical calling cards you should find at your own doorway, thus gving you some confidence that a delivery really was attempted.
Don’t be fooled by emails or unsolicited electronic messages that could have come from anywhere:
ramcclain
I think I got one last week and was suspicious when they asked for a $3 delivery. I subscribe to USPS Informed Delivery, and appeared to be from USPS, USA. Glad my fears are confirmed.
Paul Ducklin
Those modest “redelivery charges” only exist to give the crooks an excuse to put up what looks like a payment page. At first glance you might assume that your risk is therefore limited to $3, and you’ll probably get your money back anyway if you complain to the card company. But the crooks are after *your data*, not the measly three bucks. The $3 is refundable but your birthday is not…
JAR
I experienced the same thing from a legit-looking USPS site, twice. However, I used a known USPS tracking site to research the tracking number sent to me via the text, and USPS told me it was not a proper tracking number. I also noticed that none of the other menu items in the fake website worked. Using web resources to research, the site was not flagged as being a bad site, but was a brand new one – suspicious. The urls were https://uspxxxxxxx.com
Jay
Is it worth reporting scam text messages (in the UK) to NCSC?
You can just send them a copy of a text, then you get a reply saying ‘thanks, what was the number it came from?’ … and you get to feel good about yourself for a few seconds :)
Paul Ducklin
You might as well. In the UK, for example, rogue SMSes can be forwarded to the short number 7726 (which spells SPAM :-).
Sonam
First, Thanks for this great information. This post is very helpful to all users.
Thanks a for sharing this awesome article.
AntA
I can’t help but think there’s a little more to this. I received this scam (and batted it away not quite immediately as it was pretty good) the timing of receipt was interesting, as in within a few hours of receiving a parcel from evri.
Most services I use do not use evri, the postal and other couriers in this area have it all nailed down so exposure to evri is little if not non existent.
I’m not one of these skies falling type of guys but my spider senses were certainly tingling after the follow up.
Paul Ducklin
Given that the UK has a large population and a large number of home deliveries each day, I doubt that the co-incidence is statistically significant. (You also need to factor in the number of times you have received scam SMSes or emails that do *not* tie in with real life.
(In the past six or seven years I have received exactly one fake SMS that “hit the spot”, because it related to an Argos refund and it arrived the day after I made a rare purchase there. But I must have had 1000s of other messages and calls in the same period that have had no connection with reality, relating to companies I have never bought anything from, online services I have never used, delivery companies that have never been to my place, banks I have never even heard of let alone done business with. But it is that perfectly-timed Argos message I remember best, simply because it was the most memorable :-)
Vivek
Thanks Paul for this, and many other similarly informative and interesting articles! Keep fighting the good fight!