Search This Blog

Tuesday, January 31, 2012

Beware the Fedex Shipment Notification Scam

The Package Delivery Scam

As I said, I didn't remember shipping a package. Further raising my suspicion was the instruction to click on an attached ZIP file to view my "invoice" for the shipment. As we all know, clicking on files attached to unsolicited emails is a great way to catch a computer virus. But this email was very official looking, with a tracking number, and all the correct verbiage you'd normally see on such a delivery notification.
"Maybe I did send a package," I thought. "Or maybe someone is trying to send me a package." I have to admit, my mouse pointer hovered over that link for just a moment. But instead of clicking on the attachment, I used my email client's "view email headers" feature to see the details of the email's routing. Sure enough, the email was sent not from FedEx.com but from an email address in Beijing. So I deleted that message and its poisonous attachment.
Fedex Shipment Notification Scam
If I had clicked on that attachment, undoubtedly bad things would have happened to me and/or my computer. Someone *was* trying to send me a package, but it wasn't something I'd enjoy opening. Cybercriminals from China, Russia and other countries use this technique to plant viruses, trojan horses, and other malware that can lead to identity theft, espionage, and data loss. It's also a common technique that has been used to enslave millions of computers into botnets.
See my related article Has Your Computer Been Hijacked? and learn how botnets can turn your computer into a weapon that can be used to send spam and attack websites. Or worse.

Don't Get Phished

This was a classic phishing scam, an attempt to get a user to do something dangerous that relies on mimicking a trusted brand name. (See my related article Phishing - Are You Protected? to learn more.) Actually, it was a pretty lame effort because many intended victims would remember whether they had shipped a package. And of course the tracking number was bogus.
A more effective ploy would be a "notification of delivery." It's not terribly unusual to receive a package unexpectedly, and curiosity about the sender's identity would incline many users to click on the fatal attachment. But FedEx, UPS and other shipping services do not send delivery notifications to the recipients of packages.
Shippers do send notices to shippers who request such things and provide a valid email address. To be safer, it's best to create an email address that is used only for such delivery notices, i.e., shipments@myemail.com, and to keep that address just between you and FedEx.
And just to be clear, FedEx did nothing wrong here. This sort of "delivery notice" scam has been around since at least 2008, and just about every major shipping service has been implicated in it. FedEx has a warning about this scam posted on its Web site.
Other scams involving shipping services include requests for payment information: credit card details and bank account info. Legitimate shippers never request payment information via email. You should also be wary of emails which instruct you to download a shipping invoice, or those that request your username, password or account number for an online shipping service. Those credentials could be used to ship contraband in your name, and you'd be stuck with the bill. Again, legitimate shippers will never request such sensitive info via email.
You may even get a "C.O.D. notice" purportedly from FedEx or another shipping service. This variation on the phishing scam tells you that a package is awaiting delivery but you must pay in order to receive it. Payment options may include credit or debit card, bank account, or a wire transfer. Don't be fooled; no shipper does business via email in that way.

No comments:

Post a Comment