A. M. Phishing is a cybercrime technique in which criminals impersonate known entities to deceive users and obtain sensitive information. These attacks can come through emails, WhatsApp messages and other digital means. They usually appeal to a sense of urgency such as “Your account will be suspended”, “Last chance to confirm your information” or “Action required immediately” to make the recipient act thoughtlessly. ESET, a leading company in proactive threat detection, warns about this attack that seeks to steal personal information and offers advice on how to avoid falling into this scam.
Below, ESET analyzes some current examples of email phishing cases, in which cybercriminals simulate a notification from known courier companies, in which the excuse for the contact is the supposed need to solve a problem with a package being sent to the home address.
“As in most phishing emails, they use social engineering and appeal to people’s feelings, such as anxiety, urgency or fear. In general, they try to appeal to people with quite persuasive email subjects, such as: “Your package is being held”, “Delivery information is missing” and “Package delivery suspended”, comments Camilo Gutiérrez Amaya, head of the ESET Latin America Research Lab.
The impersonated courier companies identified by ESET are very well known, such as FedEx, DHL, UPS and Correo Argentino, just to name a few. The body of the message has the aesthetics of the real brand, with a high degree of similarity.
Real examples of fake emails
ExpressService: In this case, the malicious actors use the name of a supposed courier company called “Express Service”, and appeal to the sense of urgency, with a supposedly suspended package delivery. Upon clicking the button to supposedly resolve the problem, the user is taken to an apocryphal form where the data they enter will only be for the cybercriminals.
FedEx: Another example is the one that impersonates FedEx, asking the potential victim to confirm their data so that the supposed package can be sent.
Shipping companies: Another widely used lure is that of a supposed shipping update. There, it urges people to see the details, to know the status of the delivery.
“In these last two cases we see how a customs charge is what would be delaying the delivery of the supposed package. So, in addition to stealing information in fake forms, it also leads to making a payment that will only go to the cybercriminals’ account”, says Gutiérrez Amaya of ESET Latin America.
This context did not go unnoticed by mail and courier companies. FedEx, for example, shares on its website the most common warning signs of online fraud, while providing several security tips. It states: “FedEx does not solicit via unsolicited email or conventional mail, payments or personal information in exchange for goods in transit or in FedEx custody. If you receive any of these or similar communications, do not respond or cooperate with the sender”. In the same line, UPS adds: “Please note that UPS does not ask for payments, personal information, financial information, account numbers, identity document or ID, passwords or copies in an unsolicited manner by e-mail, mail, telephone or fax or specifically in exchange for the transport of goods or services”
ESET about recommendations to know how to identify a malicious mail from a real one and not fall into deception:
- Stop and think about whether you are really expecting a shipment. If the answer is “no”, it may be fraud.
- Check if the sender is legitimate. Generally, these types of scams present a sender that differs clearly from the legitimate one, so it is always a good first step to keep an eye on it.
- Be alerted if there is a request for sensitive personal or banking information. This should set off alarms.
- Check where the link in the e-mail is directed to: it is always important to verify if it leads to the official site.
- Observe if there are spelling or writing mistakes, although Artificial Intelligence has significantly improved this type of emails.
At the same time, ESET points out that there are several points to keep in mind that are key to significantly reduce the risk of falling into this type of scams. Among them:
- Pay special attention and be wary of those communications that arrive unexpectedly and with a very marked sense of urgency. Do not click on or download attachments.
- Communicate through the official channels of the courier and parcel service about the veracity of the mail received and the supposed package in question.
- Always verify the page you enter to provide personal data: it must be safe and the URL must correspond to the real one.
