These messages in fact repeat the worldwide wave of scam SMS, related to postal services and deliveries. Fraudsters apparently try to capitalize on folks’ temptation to get the ordered goods as soon as possible, and apply all the possible social engineering tricks to make the user share their information or even pay the money. Recently, there was a similar scam going on in India with their India Post service.

What are USPS Scam Text Messages?

USPS scam text messages are phishing SMS messages that pretend to be the official notification from the Postal Service. The message typically says about certain troubles with delivering a parcel to your address. Then, it offers the user to follow the added link and resolve the problem. Depending on the “generation” of the scam message, they may say about incomplete address information, unpaid taxes, or similar minor issues.

Examples of USPS Scam SMS Messages

Potential Risks

Following the link will throw the user at a phishing website that will try replicating the original USPS website. These copies are typically not of the highest quality, with the best looking elements being logos and menu styles. This is especially visible if you try going an extra mile and clicking through other menus of the site. However, for someone who does not visit the page very often, it may look rather convincing, and they will happily proceed with what the message says.

Here is when the key part of the scam rolls out. Regardless of the reasoning mentioned in the text message, the site will always contain a large form for personal information. Name, surname, detailed address, postal code, email address, phone number – site asks for all this, further transferring the result to the hackers. In certain cases, there may also be a payment form – it happens in particular with the messages that say about an unpaid tax or delivery fee. Any card info that gets into that form will get to the fraudsters as well.

The risks of such data stealing are in-the-face. Cybercriminals can use one’s data to perform identity theft, or impersonation attacks that put the guilt on an impersonated user. Alternatively, they sell this data on the Darknet or other places, where more adversaries can use it in their attacks.

And that is it – the scheme is not at all complicated, and is rather simple to replicate by other con actors. That is, exactly, one of the reasons why it has become so popular and widespread: frauds from different corners of the globe change USPS to their local postal service, alter the site to look correspondingly, and just send it.

Signs of USPS Scam Text

There are quite a few red flags in the message, despite it being short and indistinct compared to similar scam emails. Still, the main issue with all this is that USPS never contacts its customers through SMS messages. Its typical reachout channels are phone calls and, in certain cases, emails. And for all these communications they use their own addresses and numbers, that are well visible over the rest. That is in fact the point of the sign of this scam.

Usage of a random number or email address

Obviously, cybercriminals cannot get hold of the genuine profiles of USPS, and are thus forced to improvise. To operate the campaign at the lowest cost possible, they register iCloud accounts using third-party email services, and use it exclusively for sending out messages. And what the user ends up seeing is a strange, utterly generic email address as the only piece of info about the sender. Does not feel quite proper, does it?

In the cases of this spam sent to Android phones, the trick is a tad bit more expensive, though not much. A sole number may be used to spam thousands, if not tens of thousands of people, before the cell operator will shut it down. The object of suspicion is the same: just a random number that says nothing about the sender. Even when USPS sends out certain messages by SMS, they use an option to display the brand name that cell operators provide for companies.

Questionable URL

Another point that gives out this scam immediately is the URL of the website where the victim should be able to solve the issue. In certain cases, frauds can pick a somewhat believable naming, like usps-packages-issue[.]com. Though the majority of time, it is something screaming of a scam like “www-uspost[.]com” or “usps.packages[.]oeidus[.]com”. Under any circumstances, seeing such a link should raise suspicions for you, and its presence in any kind of message is a definite scam sign.

No package/delivery information in message body

Despite the differences in the text of the scam SMS, one thing that goes across all of them is absence of any details regarding the alleged package. No tracking number, no “unconfirmed address”, not even a mention of the package sender, that may help the user to understand what this is all about. And there is no reason for the genuine USPS to hide this data from SMS or emails. They have access to it and are allowed to use it to a certain extent in mailing.

The use of generic information and facts is a great indicator of an impersonation attack. That is, eventually, a weak spot of such attacks: frauds cannot know all the details, and thus stick to non-personalized info.

How to protect against USPS scams?

That’s not much you can do proactively against such a scam. Fraudsters use publicly-available databases of emails to send their spam messages. At the same time, they do not target their messages at all, meaning that your attention is what will eventually make this scam unsuccessful. Keep an eye on red flags that I’ve told about above, and check all the questionable links with Online URL scanner.

The post USPS Scam Text 2024: “Your Package Could Not Be Delivered” appeared first on Gridinsoft Blog.

1. Phishing attacks

According to FBI statistics, phishing is the most common form of social engineering. This is when fraudsters use any form of communication, usually email, to get personal information. Phishing typically exploits the trust of companies’ employees or family members. These attacks are ten times more successful than any other form of social engineering. The fraudster may send you an email stating that it is from your bank – that’s what is called banking phishing. Crooks claim that your account password has been compromised, and requires that you immediately click the link or scan the QR code. Then you enter your personal information, which is immediately passed on to the fraudster. If you doubt the legitimacy of the site,you can check whether the site is secure by checking that their URL uses HTTPS instead of HTTP.

2. Whaling

The term whaling refers to an attack that targets a specific celebrity, executive, or government employee. Typically, these individuals are targeted by a phishing scam. When it comes to scams involving victims of whaling attacks, financial incentives or access to valuable data are typically big deals for criminals. They consider these victims of big fish – because of the large monetary and data payoff they offer – perfect targets.

Scammers seek compromising photos of celebrities they can use to extortionate high ransoms. Criminals use fake emails to fool senior employees into thinking they come from the organization. The messages detail information about a colleague and claim the creator is afraid to report the situation to a supervisor. They share their evidence as a spreadsheet, PDF, or slide deck.

Victims clicking the provided link are redirected to a malicious website that tells them to visit the link again. If they try to open the attached file, malware resides on their computer and gains access to their network.

3. Smishing (SMS phishing) and vishing (voice phishing)

Under this term, people refer to phishing via text messages. Crooks buy the branded number from a cellular operator and use it to send out messages containing malicious links.

Phone phishing is called vishing, and it’s the same as phishing done over the phone. Vishing is a scam that affects businesses more than any other type of organization. In this scam, an impostor will contact the front desk, human resources, IT or a company’s customer service. They will lie about needing personal information about an employee and claim to have information on mortgages or executive assistants.

4. Baiting

It’s a kind of social engineering that’s a lot like phishing. The only difference is that the attackers lure their victim with a product or an object during the attack. This happens as follows: the attacker offers the victim a free download of a popular movie or a new game. With such a disguise, the criminal installs malware into the victim’s system. Attackers can also use the opportunity to spread malware on the victim’s device. If we talk about the physical distribution of malware, here, the crooks do it through a USB drive with a tempting label. After the curious employee sticks this USB into his device, he infects his PC or other devices.

5. Pretexting

Whenever someone creates a false ID or abuses their current position, this is closely related to the data leak from within. Because people trust their work, these scammers trick victims into sharing personal information. They build this trust by using titles and gaining access to victims through their legitimacy. Because of the victim’s over-reliance on the authorities, they are unlikely to question suspicious activities or put pressure on impostors.

6. Watering hole attacks

This attack works by identifying the website the victim visits most. In this case, the victim may be not only a single user but an entire sector, such as government or health care, where the same sources of use are used during work. Here, intruders seek vulnerabilities in cyber security, through which they can infiltrate the system and distribute their malware. Although the case is small, the fraudsters continue to infect users’ devices through already infected sites.

How to prevent Social Engineering Attacks

The following tips will help you warn yourself against attacks. But this is only possible if you use it in practice.

• Carefully check emails, including names, addresses, and copy.
• Do not believe everything you see in the letter, especially if it causes you violent emotions.
• Verify the identity of the sender before providing him with any information.
• Do not pay ransom to strangers. Instead, it is best to contact law enforcement.
• Use the password manager.
• Set two-factor authentication, which will double-check who is trying to log in to your account.
• Install reliable GridinSoft Anti-Malware Protection, which will protect you from malware.

The post Most Common Types of Social Engineering Attacks appeared first on Gridinsoft Blog.

You’ve probably heard the word ‘phishing‘. Today not only specialists from the cybersecurity field are actively talking about it but also ordinary users often are looking on the internet how to know if the email they received the other day could be a phishing attempt.

But before you jump right into research you should know exactly what type of online fraud you’ve encountered.

Because apart from phishing there are also smishing and vishing; what those are and how they different we’ll explain below.

What Is Smishing

Smishing is similar to the phishing technique of online fraud but instead of exploiting email fraud possibilities explores those of texts ( mainly via various message apps or SMS).

For example, user may receive a notification in WhatsApp messenger saying that they need to reschedule their package delivery.

To do this they need to follow the link given below. But what happens when the notification comes from fraudsters is that user can have some malware installed via that link.

Another example is when thousands of people around United Kingdom received fraudulent text messages saying that the payment is needed to be made in order for a package to be delivered.

Those who received these fake text messages were instructed to click on an attached link that will lead them to a fraudulent website where criminals would collect victims’ personal or financial information.

What Is Vishing

Unlike phishing and smishing where fraudsters use text as a medium of malicious action in the case of vishing it is voice. Criminals may pretend to call you from your bank or another trusted company and try to obtain from you your passwords, addresses, login credentials, etc. They will try very persuasively to make targeted person answer their calls’ questions. In such a case victim can feel like they have no other option than to answer the questions.

Sometimes to reinforce the successful fraud criminals will accompany their calls with emails asking person urgently to call them by the given phone number. The third vishing tactic by which fraudsters also go to leave threatening in tone voicemails like warning that the recipient should call immediately explaining that in other case they risk being arrested, have their bank account blocked or some worse things may happen.

What’s The Difference Between Vishing And Smishing

Both terms mean specifically designed social engineering attack where criminals pretend to be someone to exploit a victim’s trust in such a way. It’s because more than 96% of social engineering attacks happen via emails the term ‘Phishing’ is exclusively used only when speaking about email based fraud. But, of course, social engineering attacks also include other mediums of social engineering attacks like social media phishing, vishing and smishing.

Regardless of how the fraudulent message is delivered it appears to come from trusted sender and may ask a recipient to do the next:

• To do some explicitly stated action. Criminals may ask victim to buy vouchers or transfer because of some important matter different sums of funds;
• Give a reply to the message. Fraudsters may want you to reply to their message with some sensitive or personal kind of information;
• Click on a link. You will be asked either to download a file or submit via attached link your personal information.

How To Identify Vishing Attack

Vishing attacks in some way resemble smishing but there is one exceptional way we can identify that it’s specifically is vishing. Vishing fraudsters can pretend to be the next persons to defraud you:

• Tech support. You may receive a phone call from a person saying they are IT support and thus they notify you over virus infection that happened to your computer. Usually you will be asked to buy a ‘needed’ software ( which can be some malware or spyware) or give attacker a remote control over your computer to fix the issue;
• Government institutions. These fraudulent phone calls usually is accompanied with legal threat action if a recipient won’t respond. You may be notified that you are owed tax refund or you need to pay some fine;
• Banks. These bank phone frauds try to give an effect of some alarm like something’s happening with your bank account; possibly someone took an unauthorized control over it and the bank support noticed it and now they offer you their ‘urgent help’;
• Charities or businesses. Fraudsters inform you via phone that you have won some exclusive prize, offer you ‘lucrative’ business investment or ask you to make donations to some charity.

How To Identify Smishing Attack

Smishing attacks are similar to phishing emails but in a case of a smishing fraudsters need to rely on much less text space to get their victim hooked.

But nevertheless smishing fraudsters have also developed their own unique approuches to how create authentic looking catch text message. The sighns for smishing you should be looking for are the next:

• An urgent request. You received a message with an urgent call for action to verify your personal information, for example, that should be completed via attached link or automated phone number;
• Text message from your bank or other institution you are familiar with. A victim of smishing may receive text message that appear to have been sent from companies or organizations victim may be familiar with;
• Congratulations on winning some contest. It can be message that congratulates you on having won in some contest wnd as a result notifiyng you that now the winner can claim the prize;
• Money help. Someone asking you for help via text message should definitely be a red flag for smishing. Most likely you don’t know who the person is and out of nowhere they ask you for money;
• Unexpected links and downloads. Sometimes messages with some downloads and links can be accompanied by text but on the whole the task is to make you click on it.

The post Smishing And Vishing: Differences To Know About Phishing Attacks appeared first on Gridinsoft Blog.

]]> https://gridinsoft.com/blogs/smishing-and-vishing-differences-you-need-to-know-about-these-phishing-attacks/feed/ 0 8511