Quick Links
Key Takeaways
- Shipping scams impersonate delivery companies to trick you into paying for fake packages with convincing websites.
- Scammers may send verification codes to your phone, a level of sophistication rarely seen before.
- Protect yourself by checking business names with smartphone caller ID, examining URLs, and contacting the company directly for verification.
I’m really interested in cyber security, so every so often, I go through the steps of “falling” for a scam. Of course, I’ll never hand a scammer real information—that’d be silly.
But I do like to go through the steps and see how scammers operate. The other day, I came across a scam that was scaringly convincing, and I’d like to break it down so you don’t fall for the same thing.
What Are Shipping Scams?
The scam I received was a kind of shipping scam. Shipping scams impersonate legitimate delivery companies and message you about a fake package.
They come in all shapes and sizes but usually ask for a payment so the scammer can profit. The scam may claim your package was withheld and requires a free to “unlock” it, or it may state that your package has additional customs charges. Regardless of the method used, the result is the same: the scammer makes off with someone’s money.
Check out our pieces on the BHL parcel shipping scam or the fake USPS “failed delivery” text scam to understand how these scams work.
What Made This Shipping Scam Especially Scary?
My story began when I received a text message claiming an issue with my package. From the start, it seemed fishy; the text didn’t read like a delivery message, and the link had been obfuscated. Plus, the phone number didn’t look like an official business. But I wanted to see what scammers are up to these days, so I gave it a click—though I strongly advise you not to start clicking any old links in random emails you receive!
I was taken to a website claiming to be Evri, a delivery company in the UK. There was a dead giveaway that I wasn’t where the website claimed I was, as the URL was not an official Evri address. However, the website itself looked like the real deal, down to the little details like the tracking number at the top.
The scammer claimed the address on my package was wrong and that I had to update it to receive my imaginary parcel. The website also claimed I had to pay a fee because Evri was holding my package. Again, this is another red flag, but it’s still pretty believable. So, I started filling in fake data.
Here’s where things get to get a little creepy. Scam websites don’t usually check the data you’re entering. As long as you enter something, it’s happy. However, the form started calling out my fake data and asking for proper formatting. Even when I entered a fake credit card number, this fake website identified that it wasn’t constructed properly and wouldn’t let me continue the scam until I made a believable one. Fortunately, it wasn’t smart enough to catch that I entered a card that expired in 2099, but it did know when I entered an expired date.
Then came the kicker. When I continued the process, the website stopped me and told me that it had sent me a verification code to my mobile phone and that I had to enter it to continue. In all the scams I’ve ever tested, they’ve never sent me a verification code. Unfortunately, I couldn’t receive the code because I entered a dud phone number (entering my real one would be a risk too far). But the very notion that they added one was stunning.
It may not sound particularly scary, but imagine if someone without tech expertise received this text message. The scam was presented so professionally that I’d forgive anyone who didn’t catch the URL and fell for this scam.
If I’d entered that verification code, it’s almost certain that my banking information would have first been charged and then used for other purchases.
How to Stay Safe From Similar Shipping Scams
This is usually the part where I say that you should look out for any websites that seem suspicious or poorly made, but that’s gone out the window. Fortunately, there are still ways you can protect yourself from these convincing attacks.
The moment I received the text message, we saw some cracks in the armor. These days, smartphones are pretty good at assigning a business name to a number, so seeing a plain number was a little converting. Plus, the link had been shortened to hide the real URL. Neither of these things on their own would have been an instant giveaway that this was a scam text, but combined, they certainly raise a few eyebrows.
The URL was also a huge warning and a classic red flag to identify a phishing website. Usually, scammers will use an address that tries to mimic the real deal or at least come off as believable. For instance, this Evri-based scam could have come from a URL reading “Evrii.co.uk” or “Evridelivery.co.uk” to trick people. Fortunately, the URL wasn’t disguised at all in this case, which was an instant tip-off. Always double-check to see if the URL is legitimate, and cross-reference with the company’s website if you’re unsure.
If you receive a text message like this and you’re unsure if it’s real, close the window and access the company’s support section. Don’t use the scammer’s website, as any links to support may be fake. Once you’re on the line with someone, let them know what number/email you received the message from, the URL, and what they were asking. Customer support should then let you know if it’s fake or not.
This scam taught me how believable delivery scams can get, and how complex they can be under the hood. Fortunately, if you keep your guard up, you shouldn’t fall prey to this scaringly-realistic scam.