What is a fake postal service website scam?
Fake postal website scams are a type of social engineering, aiming to lure unsuspecting victims to pages mimicking those of legitimate postal carriers and trick them into revealing sensitive details. This is usually accomplished with phishing messages disguised as alerts about postal fees, unclaimed packages, or even requests to update your current address.
For example, you might receive an email saying that a carrier is holding a package that it can’t release to you until a fee is paid using the link provided. Tapping this link opens an official-looking website that asks you for your login credentials and payment details. Unfortunately, entering this information won’t make the parcel materialize. You have not only been scammed out of the purported fee, but have also given criminals valuable ammunition to use in the future.
Be careful not to confuse fake postal service website scams with mail fraud. The former has criminals masquerading as the delivery service to lower your guard — leading you to the fake website is the whole point. When it comes to mail fraud, on the other hand, the criminals merely abuse legitimate postal services as a medium to commit their crimes.
What is smishing and why is it so effective?
Smishing (a portmanteau of “SMS” and “phishing”) is a type of phishing that involves SMS texting. The contents of smishing messages are very similar to those found in other media (like emails), but the nature of phone messaging renders some traditional phishing countermeasures ineffective:
- Shortened URLs are expected in an SMS. Text messages have very strict character limits, so many people (and companies) use URL shorteners to save space. Unfortunately, it is much more difficult to see where shortened URLs lead, making it harder to avoid entering a fake website.
- Text messages are just easier to fake. Criminals don’t need to create official letterheads or signatures, or even work too hard to copy a particular company’s style — due to strict character limits, it’s harder to grasp nuance and distinguish real alerts from phishing attempts.
- People aren’t as careful with text messages. Where suspicious emails are often ignored outright, nearly all (in some cases, as many as 98%) SMS messages are at least read by the user. Being in a rush or simply distracted also makes it more likely that you’ll miss the telltale signs of a scam.
- SMS filters are not as advanced as email ones. Most email services have gotten pretty good at detecting spam. It’s why you don’t wake up with a million new items in your inbox every morning. SMS filters aren’t quite as powerful yet and, often, all a hacker needs to do to circumvent a blocked number is to spoof a new one.
Why do hackers create fake postal websites?
Hackers like fake postal websites because they simply work — especially at a time when millions of people are expecting mail. Like all social engineering attacks, fake postal websites exploit your expectations and general absent-mindedness during a very busy time to slip through your guard. Checking every message takes time, and criminals are counting on your frustration eventually forcing you to err on the side of convenience.
Another reason for the surge in popularity of fake postal websites is the advent of generative AI, which significantly lowered the barrier to entry for scammers. It is now possible to develop a fake website and accompanying phishing message with just a few prompts. Even if they look shoddy to expert eyes, the sheer volume of scam attacks virtually guarantees that eventually, someone somewhere will bite.
How can I protect myself against fake postal service website scams?
The good news is that a little bit of patience, extra caution, and some new cybersecurity tools under your Christmas tree go a long way to protect you from phishing and fake website scams.
- Preview each link before clicking. If you’ve received an email message about a delivery while on your PC, hover your cursor over the link provided to see where it leads. Check the address separately (for example, by finding the delivery company’s web page through a search engine) and pay attention to any inconsistencies, such as similar-looking characters (like a lowercase “l” for an uppercase “I”) used to spoof URLs.
- Check the sender’s information. Open the delivery company’s official website and check its public contact details. If in doubt about a particular phone number or email address, always reach out to the carrier using official channels to confirm.
- Check spelling and grammar. If you’ve interacted with the carrier before, scan the message for mistakes or deviations from the company’s usual tone of voice. In some cases, criminals may deliberately introduce errors into their phishing messages to weed out users that are unlikely to fall for the scam.
- Don’t click on tracking links. Each message about a parcel should also contain a valid tracking number. Don’t click the tracking link if you have doubts, because it can be disguised to lead to a fake page. If you’re worried about your package, it’s much safer to open the carrier’s official website and enter this number yourself.
- Really don’t click on shortened URLs. Shortened URLs can lead anywhere — even to a fake website designed to steal your credentials.
- Use Threat Protection Pro™. NordVPN’s Threat Protection Pro™ feature offers a suite of cybersecurity tools against many common online threats, including phishing, malware in downloads, and malicious websites. Threat Protection Pro™ compares each URL you visit against a database of known dangerous pages, then uses machine learning technology to check for warning signs in real time. Thanks to Threat Protection Pro™, NordVPN was the first VPN to be classified as reliable anti-phishing software by AV-Testing.
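The link checks from the list above (official domain, look-alike characters, shortened URLs) can be automated for messages you want to triage. The script below is an added example, not part of the original article or of any NordVPN product; the domain lists and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Illustrative lists (assumptions for this example), not exhaustive.
OFFICIAL = {"usps.com", "ups.com", "fedex.com", "dhl.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Fold characters commonly swapped to imitate a brand (I/l, 1/l, 0/o, 5/s).
FOLD = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return 'official', 'shortener', 'lookalike' or 'unknown' for one URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if any(under(host, d) for d in OFFICIAL):
        return "official"
    if any(under(host, d) for d in SHORTENERS):
        return "shortener"  # destination is hidden, so never trusted
    labels = host.split(".")
    # Punycode or non-ASCII labels can render as look-alike letters.
    if any(lab.startswith("xn--") or not lab.isascii() for lab in labels):
        return "lookalike"
    # Last two labels approximate the registered domain (assumption: no
    # multi-part suffix such as .co.uk; use a public-suffix list for those).
    registered = ".".join(labels[-2:])
    for d in OFFICIAL:
        if registered.translate(FOLD) == d.translate(FOLD):
            return "lookalike"  # shown as dhI.com, actually dhi.com
        if d.split(".")[0] in re.split(r"[.-]", host):
            return "lookalike"  # brand name as a label on another domain
    return "unknown"

def triage(message):
    """Extract every http(s) URL from a message and classify it."""
    return [(u, classify(u)) for u in URL_RE.findall(message)]

# Constructed sample messages, not taken from real campaigns.
SAMPLES = [
    "USPS: parcel held, pay the fee at https://bit.ly/constructed1",
    "Track your DHL parcel: https://www.dhI.com/track?id=123",
    "Confirm address: http://usps.com.redelivery-fee.example/pay",
    "Your receipt: https://tools.usps.com/receipt",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg))
```

Only an "official" verdict means the host sits under an allowlisted carrier domain; "unknown" is not a sign of safety, just the absence of the specific warning signs checked here.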