THE SCAM: With the holiday season just around the corner, it’s a time for celebrations, travel, and shopping, but it’s also prime time for fraudsters to prey on unsuspecting consumers. Amidst the hustle and bustle of planning and festivities, people become easy targets for scammers. A common holiday scam involves fraudulent “Delivery Notification” text and email messages from reputable delivery services like FedEx, DHL, UPS, Amazon, and even the post office. Eager to receive their package, consumers often click on malicious links and even voluntarily provide banking information, resulting in loss of money or personal data.
THE SCHEME: Hilary Chapple (Calgary) unexpectedly received a text from the local post office claiming she had a package ready for delivery. Assuming it was a gift from her brother, she clicked the link, which instructed her to fill out forms and provide banking information to process the delivery. Unfortunately, Ms. Chapple proceeded to fill out all the requested information, and by the next morning, scammers had withdrawn nearly $2,700 from her account. Chapple realized the mistake and immediately contacted her bank. The financial institution (FI) initiated a fraud investigation and reimbursed all the money to her. In this case, Chapple acted quickly, and her FI refunded her money regardless of the fact that it was her error; however, other victims have not been quite as lucky with their outcome, and it wasn’t money they lost.
Tom Hoehn (Long Island, NY) was actually expecting a package delivery, so when he received an email from UPS stating that the package was “undeliverable,” it didn’t even occur to him that it was a phish. The email directed him to click on a provided link to obtain tracking information and reroute the package. The moment that Mr. Hoehn clicked the link, an ominous flashing began on his computer screen with the following message: “You have been hacked. We have encrypted all of your files. Send 150 bitcoins to this address.” Hoehn refused to comply with the request for bitcoins, which were valued at more than $66,000, and his computer was wiped of everything. Like a domino effect, one click on a malicious link resulted in the loss of everything on his computer, the theft of his identity (as confirmed by the IRS), the hacking of his email, and phishing emails being distributed to his entire contact list – which numbered in the thousands.
FRAUD GEEK EXPLAINS
Both of these cases were fraudulent “Delivery Notification” messages and seemed to come from a reputable company. In the first case, Chapple was a victim of a common scam called smishing, which refers to a cyberattack where fraudsters use text messages to trick individuals into divulging sensitive information. Smishing texts often contain deceptive or urgent messages with a request to confirm personal information or credentials to access accounts. According to the Federal Trade Commission (FTC), “Americans reported $330 million in losses to text scams last year, more than double the reported losses from 2021.”
In Mr. Hoehn’s case, the phishing email contained ransomware – a type of malicious software that encrypts a victim’s files or locks them out of their computer or data until a ransom is paid to the attacker. Often, fraudsters will request payment in cryptocurrency, like Bitcoin, to maintain a degree of anonymity. If the victim fails to pay, they face the loss of their data.
Both stories share a common theme where the victim trusted the text or email source due to the perceived legitimacy of the message. This trust was built on the fact that either they were anticipating a package or the message appeared credible. As we approach the holiday season, we tend to receive a higher volume of packages from our loved ones and various online retailers such as Amazon, which makes it easier to fall for such scams. According to new research from Citizens Advice, “Parcel delivery scams are by far the most common scam faced by the public so far this year. Almost half of people (49%) targeted by scammers had been on the receiving end of a malicious parcel delivery scam, with scammers attempting to get hold of personal information or bank details.”
FRAUD GEEK’S ADVICE
Consumers can protect themselves by remembering the following:
When in doubt, don’t click or reply!
Financial Institutions: Keep Your Customers Protected
The DefenseStorm Difference
With DefenseStorm GRID Active Fraud Detection, FIs can proactively detect fraud before funds leave the organization, but a powerful approach to combating fraud also includes education and awareness. At DefenseStorm, we recognize the growing threat of fraud and want to help you stay protected. In addition to our Fraud Squad on the Case series, we also offer two other resources to help you learn about fraud and other potential threats.