Saturday, December 24, 2022

USPS Postal Service Phishing Text Scam

A sophisticated professional computer programmer I know recently found himself victimized by a phishing scheme targeted at USPS (US Postal Service) customers.

The text he got read:

[USPS Tracking]: Your shopping address does not match the zip code, we cannot deliver,please re-enter complete information  Https:/s.id/1ttSP.  

As it happened, he received the text a few minutes after having left the Post Office, where he had just given them his phone number.

He had gone to the Post Office because he had been away from his second home longer than the USPS was willing to hold his mail, so he needed to stop the Post Office from simply returning the mail. Reestablishing his address was particularly urgent because he was expecting an important delivery that would otherwise be returned to sender.

He immediately spotted the typos ("shopping" instead of "shipping," and the lack of a space after the second comma) and even mentioned them to his son as an example of increasing incompetence within the Post Office. 

But because he had such a strong and pressing need to prevent his expected shipment from being returned to sender, and since he had just given the Post Office his phone number, he clicked the link.

That took him to a page that looked exactly like a USPS page, and even provided a tracking number.:



He provided the requested name and address information, and clicked "continue."  It then informed him that he needed to verify his identity by providing a credit card number, which the "Postal Service" would then run a $1 temporary charge through, as verification.  He entered a credit card number, including the special code on the back, but received a message saying that the card couldn't be processed, and inviting him to enter another one.  He did so, and that one was accepted.

It was only after he got home that it first occurred to him that he might have been phished.  He retraced his steps and saw that the name of the site that the link had taken him to was  https://susps.cc/#/, which seemed a bit suspicious.  He then looked at the phone number from which the text had come -- 914-531-3510.  A google search of that yielded 5 hits all of which seemed to associate the number with various unusual-sounding names, and 3 of which associated it with the village of Mount Kisco, New York.  Not the Post Office, in any event.  

He immediately cancelled the credit cards and presumably has emerged from the episode unscathed.  

My point in writing this up is that while it's easy for us to laugh at the typos in scam texts and assume that nobody would fall for them, each of us has moments when we let our guard down, and if the text comes in at one of those moments, even the sharpest among us can become victims.  

Assuming that the scammers sent out 10 million such texts, and had only a "success" rate of one in a thousand, that's still a thousand successes, and potentially two thousand stolen credit cards. As artificial intelligence and other technological developments makes scamming more sophisticated, the success rates and numbers of compromised careds will only go up.

No comments:

Post a Comment