You’ve likely heard of phishing by now. (We’ve written many articles about phishing, including this recent one by Dan Callahan.) Essentially, bad actors contact you via email in an attempt to trick you into providing personal details, such as your financial information. A different form of phishing is smishing, where digital fraudsters use text messages (i.e., SMS-based phishing) to trick users into clicking on a malicious link or handing over personal information. And these guys can be pretty clever.
The latest scam
Smishers pose as various entities to get what they want. The latest entity they are impersonating to target mobile users is the United States Postal Service. (As if the USPS doesn’t have enough on its plate these days.)
On September 15, security expert Eric JN Eliason tweeted out two examples of the operation:
Both text messages claimed to contain important information about a USPS package, and both attempted to trick the recipient into clicking on a link containing the domain “m9sxv[.]info.” Eliason decided to find out what happens if you click on any of those smishing links. It turns out different links led to different behaviors. One link redirected the user to a secondary domain. Another led to a fake casino game. But the majority appeared to try to steal victims’ credentials for their Google accounts.
Previous smishing campaigns
And this isn’t the first time a smishing campaign has used a delivery service to scam people. Back in February, for instance, the U.S. Federal Trade Commission warned users to be on the lookout for SMS messages that appeared to originate from FedEx. I actually received one of these smishing text messages myself a couple of months ago. Fortunately, I “just had a feeling” and didn’t click on the link. (Well, let’s call it an educated feeling. After all, I do work for a company that has trained me to be naturally skeptical about such things. AND I wasn’t expecting any packages via FedEx at that time.)
Speaking of skepticism…
That is the key to not getting scammed in these situations. Listen to that voice in your head that makes you think something might not be right. Ask yourself the logical questions:
- “Was I expecting a package delivery?”
- “Did I send a package to someone?”
- “Did I ask for text notifications?”
USPS would not send you SMS notifications if you did not specifically request them from the usps.com website. If there is any doubt at all, use the carrier’s website to check on whether or not you are expecting a package or to see if there have been any legitimate delivery issues. Or call them. In any case, do not click any links that look suspicious or unusual.