November 30, 2017

Delivery Notification Scams

Holiday Shopping Season Brings Out the Delivery Notification Scammers


Do NOT Get Phished by a Bogus Delivery Notice


Black Friday and Cyber Monday set online ordering records this year.  US shoppers spent over $1.59 billion on Cyber Monday alone. Millions of online orders were placed during the past week. And of course, that means millions of packages will be delivered by UPS, USPS, and FedEx. That also means these companies will be sending out millions of delivery notification e-mails.  But does that mean all of these delivery notices are legit? Of course not. 

The scammers do not discriminate. They pretend to be from UPS, the US Postal Service (USPS), FedEx, and even DHL. They may claim to need more information from you in order to deliver a package, or they may claim to hold tracking information. They may claim there is postage due, and you need to click on a link to arrange payment. They may use official-looking graphics, or they may be sent in plain text. And they may or may not be caught by a junk mail filter.

These scams are so ubiquitous that FedEx, USPS, UPS, and even DHL warn against them on their own websites. UPS offers an 83-page PDF with examples of fraudulent e-mails. Today, we're going to look at some of these bogus e-mails, so we can learn what to look out for and avoid getting scammed.


Bogus Package Tracking E-Mails

Scammers love to send out bogus tracking e-mails. Generally, these e-mails have subject lines reading "Package Status Update," "Tracking Information for Package #XXXXXX," or "Order Update." Several examples are posted below:





Clicking on a link contained within the e-mail may bring you to an "official-looking" log-in screen designed to steal your information, and/or it may install malware on your system.

How to Avoid Getting Phished by a Bogus Tracking E-mail


All of the normal "anti-phishing" rules apply here: hover over every link to see where it goes, double check the sender's real e-mail address, etc.  However, if you'll note in some of the examples above, these phishing e-mails often spoof the legitimate sender's address.  It's gotten to the point where you should NEVER click through a tracking e-mail, no matter how legitimate it looks.  Instead, use Google to track your packages.

Did you know you can copy/paste any tracking number into a Google search box, and Google will track that package for you? In many cases, all you need to do is select/highlight the tracking number, right-click, then select "search the web." Alternatively, you can log in to the shipper's website and track your package from there.

1Z 999 AA1 01 2345 6784 is a sample UPS tracking number.  If you search this number with Google or Bing, it will offer to track a package via UPS.  Since this is a sample number, the result will say that UPS is unable to locate that package.  But it still works as an example of the process.

The other thing to know is how the various tracking numbers are composed. DHL tracking numbers are normally 10 or 11 digits long and do not contain letters. For FedEx, the most common tracking number format is 12 digits (e.g. 9999 9999 9999) or 15 digits (e.g. 9999 9999 9999 999). Some other less common formats may also exist, such as 20 digits and 22 digits. USPS Tracking numbers are normally 20-22 digits long and do not contain letters. USPS Express Mail tracking numbers are normally 13 characters long, begin with two letters, and end with "US". A UPS Tracking number is eighteen alpha-numeric characters. It starts with '1Z' and ends with a check digit. (The check digit ensures there is no typo in the tracking number.) So if you receive a tracking notice, and it varies from these formats, most likely it is not legit. Any supposed tracking number that contains fewer than 10 digits is a sham.

Many spammers fail to observe tracking number protocol.  They will pretend to be with UPS, yet give you a tracking number composed of all numbers. A fake USPS e-mail might contain letters interspersed among the numbers.  Learning to spot a bogus tracking number can protect you from a bad click-through.
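Added example (not part of the original article): a small Python checker that applies the formats listed above and flags a number that does not fit the carrier the e-mail claims to be from. The function names are hypothetical, and the UPS check-digit routine uses the commonly documented scheme, which the article itself does not spell out; USPS Express numbers are assumed to have nine digits between the letters.

```python
import re


def ups_check_digit(body15):
    """Check digit for the 15 characters between '1Z' and the last digit.

    Assumption: the commonly documented UPS scheme. Letters map to digits
    (A=2, B=3, ...), even positions are doubled, and the check digit brings
    the total up to a multiple of 10.
    """
    digits = [int(c) if c.isdigit() else (ord(c) - 63) % 10 for c in body15]
    total = sum(digits[0::2]) + 2 * sum(digits[1::2])
    return (10 - total % 10) % 10


def possible_carriers(raw):
    """Return every carrier whose format, as listed in the article, fits."""
    s = re.sub(r"[\s-]", "", raw).upper()
    found = set()
    # UPS: 18 alphanumerics, starts with 1Z, ends with a valid check digit.
    if re.fullmatch(r"1Z[0-9A-Z]{15}[0-9]", s):
        if ups_check_digit(s[2:17]) == int(s[17]):
            found.add("UPS")
    # USPS Express Mail: 13 characters, two letters first, "US" last.
    if re.fullmatch(r"[A-Z]{2}[0-9]{9}US", s):
        found.add("USPS")
    # All-digit formats overlap, so more than one carrier can match.
    if re.fullmatch(r"[0-9]+", s):
        n = len(s)
        if n in (10, 11):
            found.add("DHL")
        if n in (12, 15, 20, 22):
            found.add("FedEx")
        if 20 <= n <= 22:
            found.add("USPS")
    return found


def assess(claimed_carrier, tracking):
    """Compare the carrier an e-mail claims to be with the number's format.

    "format-ok" only means the number is well formed; it does not prove
    the e-mail is genuine, since a scammer can copy a valid format.
    """
    fits = possible_carriers(tracking)
    if not fits:
        return "no-known-format"
    if claimed_carrier not in fits:
        return "carrier-mismatch"
    return "format-ok"


if __name__ == "__main__":
    # Constructed inputs; the first is the sample number from the article.
    for carrier, number in [("UPS", "1Z 999 AA1 01 2345 6784"),
                            ("UPS", "9999 9999 9999"),
                            ("USPS", "9400 1A00 0000 0000 0000 00"),
                            ("FedEx", "12345")]:
        print(carrier, number, "->", assess(carrier, number))
```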

Scam "Delivery Failure" Notices

These usually state that [shipper] attempted to deliver a package, but was unable to do so. Then, the e-mail will either ask you to click a link to update your delivery information or to open an attachment for some reason. Of course, if you open the attachment, you will be infected with malware; if you are brought to a log-in screen, it most certainly will not be valid. The graphics below show a few examples of this type of e-mail.













Again, these e-mails may look legitimate, or they may be obvious spam.  They may spoof a legitimate sender's address, or they may make up an address that is close to that of the sender.  They may have "official looking" text in the body, or they may have boilerplate text.  The one thing they all have in common is an attempt to defraud the recipient.

How to Avoid Falling for a Delivery Failure Scam


Again, double-checking the sender's information, as well as where the links actually lead, is one good defense. A better defense is to NEVER click through a supposed "delivery failure" e-mail.  If you think the e-mail might be real, you can always pick up the phone and call the shipper's 800 number, asking the rep if the information in the e-mail is, in fact, legit.  But neither FedEx nor UPS generally sends "Delivery Failure" notices to a shipment's recipient.  Recipients are usually notified of delivery failures via a notice left on the door.  If a package is deemed "undeliverable," the shipping company will generally go back to the company who shipped the package to verify a delivery address, or will return the package to the original sender.  It is unusual for a shipping company to contact the package recipient for an updated address.

If you are expecting a package, and you get a delivery failure type notice, contact the vendor and ask them to give you tracking information for the package. Explain you received a delivery failure notice, and you want to check to ensure it is not their product that is lost in the mail.  The shipper should be able to provide you with package shipping information, as well as which shipper was used.  If you are expecting a UPS delivery, and you get a FedEx delivery failure notice, you can pretty much figure that the FedEx notice is spam.

DHL provides few direct deliveries in the United States anymore. In 2009, they suspended domestic pick up and delivery service in the United States, and since that time, final delivery is handled by USPS.  This means DHL will deliver your package to the local Post Office, and USPS will handle final delivery.  It also means that DHL will not send the recipient any kind of "Delivery Failure" notification.  If you get a delivery-related e-mail from DHL, you can safely junk-file it.

Sham Account Update E-Mails

A third type of delivery spam tells you you need to update your account in some manner. It may say your information is wrong in a shipper's database, or that you need to update your account with that shipper. It may say your account is in danger of suspension, or that you need to update your payment information.  None of these types of e-mails contain legitimate requests. All of these are examples of phishing e-mails, designed to steal your log-in information.








Now, many shipping companies, including FedEx, USPS, and UPS, offer accounts or programs for package recipients. "MyUPS" and "USPS Informed Delivery" are examples of these programs. Such programs allow recipients to be notified when deliveries are scheduled, and to change delivery instructions once a package is en route. Phishers are also copying these types of notification details, as more recipients will be used to seeing these e-mails, and may be more likely to click through a cloned one. These e-mails are more likely to make it through junk filters as well.

How to Avoid Falling for an Account Update Scam


It is even MORE important to check where a link is actually going in this type of e-mail.  The e-mail may contain legitimate links in the graphics or footers, but sham links inline.  Sometimes, the tracking number or log-in button may be the only sham link in the entire e-mail, but if you click on it, there will be consequences. 

If someone gets your MyUPS login, they can divert ALL of your holiday deliveries elsewhere, as well as lock you out of your own account to make it more difficult to resolve.  They will also have a good idea of where you shop, and possibly enough information to social engineer their way into accounts at your favorite online stores.

You are always better off logging into the actual MyUPS site than you are clicking through from an e-mail.  If the e-mail is actually legit, that information will also be in your actual MyUPS account, and you can verify or update any personal information on the actual site.  

If the update e-mail asks you to call a number, google that number to see to whom it actually belongs. Or skip googling the number in the e-mail, and just call the shipper's toll free number. If your information needs updating, any representative can help you. You do not need to call the person who supposedly sent the e-mail.  

Payment and Postage Due Scams

Finally, we have e-mails claiming you either owe money or are due money. In most cases, neither is true.  Sometimes you'll get spam claiming you owe the shipper money, either because of an unpaid invoice or because insufficient postage was applied to the package.  Often, the text in the e-mail is sparse, directing you to an attachment or link for more information.  Inevitably, these only lead to malware and viruses.  

Sometimes, the e-mail is more verbose, containing graphics and links to legitimate parts of the shipper's website, again, to make the email appear legitimate, and to increase the chance they'll snare you in their trap.  The graphics below show examples of the type of language used in this type of con.









Because so many of these spoof the "from" address AND use official graphics, they are sometimes harder to spot. Often, they will bypass a spam filter, ending up in your Inbox rather than your Junk Folder.

How to Avoid Falling for Payment Scams:


Few shippers use e-mail to collect insufficient postage; most try to collect it directly.  In most cases, FedEx and UPS will just charge the shipper's account.  USPS will leave one of those orange cards in your box, indicating you have an item with postage due, and what you'll need to pay to get it released.  Your Postal Carrier may knock on your door, asking for the money due so s/he can release the item.  UPS and FedEx tend to communicate with door knocks and/or post-it type notes.  Just knowing that the major shippers never collect from recipients via e-mail will help to keep you secure.  Just remember, that means NOT opening the attachment that claims it's a bill or invoice, or clicking on a strange link to enter payment information into an insecure form.

If an e-mail from a shipper says it needs you to contact them, NEVER open an attachment or click through without FIRST calling a Customer Service number you obtained from a source OTHER than that e-mail. If FedEx really has a check they need ID to release, the Telephone Agent at 1-800-GO-FEDEX  can confirm that.  

EVERYTHING we've previously said about e-mails from Shipping Vendors applies here. NEVER click on a link without hovering to see where it goes.  Always double-check the true "from" address, but do NOT trust that that address is not spoofed.   And remember, all the tell-tale signs of spam apply to delivery notifications.

Tell-Tale Signs It's Spam

Spam e-mail, in general, shares certain characteristics, and delivery notification scams are no exception. As with ALL e-mail, watch for these warning flags:
  • Non-Personal Salutations: Anything addressed to "Dear Customer," "Dear User," etc. is suspect.  Just think, if they have something to deliver, then shouldn't it have my name on it?  If they're here so often I'm on a first name basis with the driver, why would they need to verify my address?  I know BOTH my name AND address is in their database, so why are they e-mailing me impersonally, when MOST "MyUPS" e-mails are addressed to my username?
  • Spelling, Grammar, and Language Issues: A hallmark of scam mail is broken English and text that has obviously been run through a translator.  UPS, FedEx, and USPS have spent billions improving their automated systems, and that includes spending money to perfect their boilerplate.  Whenever any major corporation makes a mistake in any public communications, that mistake goes viral immediately.  You will NEVER receive form mail from one of the major shippers that is riddled with errors.  Additionally, corporate boilerplate is rarely riddled with exclamation points, another characteristic of spam.
  • Empty Subject Lines: Multi-million dollar automated systems do NOT send e-mails with empty subject lines.  In fact, many corporate e-mail archiving systems depend on that subject line for proper filing.
  • Requests For Personal Information: In this day and age, NO ONE asks for sensitive personal information via replying to an e-mail. Most legitimate shipping communications ask you to log into a website in order to update information, redirect a delivery, or submit credit card information.
  • Strange E-Mail Addresses or URLs: You may reach all of the major shippers by adding a dot com to the brand name: FedEx.com, UPS.com, USPS.com, or DHL.com. E-mail will come from one of those domains as well. If the domain has a dash or a hyphen, has extra words or letters, or varies at all from the brand.com format, it DOES NOT belong to that brand. Likewise, these companies DO NOT send mail from Yahoo, GMail, Hotmail, Outlook, or AOL dot com.
  • Links to Non-Secure Sites: Tracking links and log-in links should ALL point to https:// protocol type sites. When you click through an e-mail, and land on a log-in page that does NOT use https:// and show a lock, that is a sure sign it is a scam website. NEVER enter log-in credentials on an http:// site; always make sure that trailing "s" is there.
  • Mixed References: If an e-mail purports to be from FedEx in the "from" address or subject line, but uses UPS graphics in the body, that's a sure sign it's a scam. Likewise, if a USPS notification has a tracking number in UPS format, it's a scam.  
Remember, if it LOOKS unprofessional, chances are it is. Corporations are NOT in the habit of sending out unprofessional e-mails.  And especially when those e-mails are basically form letters.

What If I'm a Shipper as Well as a Recipient?

If you do business as a shipper rather than the recipient, ALWAYS manage your account through the vendor's website.  Copies of ANYTHING that the vendor might send as an attachment will be available in your e-account as well.   

If you ship products frequently, you probably have accounts with at least one of the shippers.  Again, use their web tools to keep your information up to date, and check your credit card statement before believing an e-mail claiming a charge did not go through.  When in doubt, pick up the phone to verify an e-mail's legitimacy.  And if you get a notification from a shipper with which you do not do business, it's almost certain to be fraudulent.

Reporting Scam Delivery E-Mails

All of the shipping vendors accept complaints regarding shipping e-mail spam.  You can report these phishing attempts, but it doesn't do a lot of good.  If you do want to report the e-mail, it is important that you include all of the hidden headers, so the actual path can be determined.  If you do not include these headers, the source cannot be traced.

But even with the headers, the scammers have fled into the dark web by the time the vendor gets around to investigating, in most cases.  Even if the true source of the scam is found, there is little they can do but close the scammers' e-mail accounts or websites.  They cannot get your information back, and few of these cases result in any real consequences for the crooks.  So in other words, do not feel like you NEED to report the spam.  It really will have little effect.  Should reporting make you feel better though, the appropriate addresses are listed below.
  • FedEx: abuse@fedex.com
  • UPS: fraud@ups.com
  • USPS: ABUSE@usps.gov
  • DHL: http://www.dhl.com/en/contact_center.html

Summary

The Holidays are an especially busy time for the e-mail hucksters. First, they try to cheat you on Black Friday and Cyber Monday. And if you get through those unscathed, you're still not in the clear. The scammers know we've ALL been shopping online, so now they're trying to trap us through bogus delivery notifications. And because we've all been busy shopping online, we're expecting to receive shipment information for all our purchases. The Bad Guys like to take advantage of this by sneaking in as many bogus delivery notifications as they can. Sometimes, they're trying to steal our information by getting us to log into spoofed shipping accounts. Other times, they are trying to plant malware or viruses on our system so they can continue to plague us. Often, they're trying to do both.

Everyone who shops online must be vigilant about carefully reading ALL shipping and delivery notifications.  Many spammers have become so sophisticated, it's hard to distinguish their junk from legitimate notifications.  However, generally it is the vendor who sends a customer package tracking information, rather than the shipping company.  It is rare for a shipping vendor to communicate directly with a recipient, especially via e-mail.  More often, these companies communicate delivery issues through notes on our doors.

Each shipping company has a distinct format for tracking numbers.  The Search Engines all know these formats, and they can track a package for you as well as a vendor's site.  If you have an account with a shipping vendor, you can usually track packages through their account tools as well.  There is little reason to ever need to click through a delivery notification type e-mail at all.  Toll free numbers are another way to verify information delivered through a sketchy looking e-mail.  

NEVER click through a shipping e-mail without hovering to see where the link goes, and double-checking it goes to a shipper.com hosted URL.  If the URL contains any hyphens, dots, or dashes, it probably does NOT belong to the shipper it claims to be.

We've looked at many sample e-mails, courtesy of UPS and FedEx, as well as linked to a warning from the Postal Inspector General.  These show examples of the type of verbiage, format, grammar, and links these types of e-mails contain.  (All graphical samples come from UPS and FedEx.)  Additional examples are available at the shippers' websites, as well as links to report these sham e-mails, should you feel the need.  But even if you do NOT take the time to report them, you need to junk them at the very least.  Marking these e-mails as junk will help your spam filter learn to filter them out in the future.

There is little you can do to stop this type of spam from plaguing  your inbox.  Even if you don't shop online, you'll probably receive a few sham delivery notices. Phishers rarely tailor their bait to the type of pool they're phishing in.  Phishers just blindly cast nets, hoping they'll catch something with very little effort expended.  

You may wonder what the value is in hacking a MyUPS type account. Well, if they have my package delivery history, they have a list of the vendors from whom I order, as well as a way to divert packages already on the way. Your account will give them all the information they need to pick up your loot at the local depot, as well as lock you out of your own account so that you do not see the changes. Once they update the associated e-mail, they will get notices of all new packages that are on the way. If they manage to steal your credit card information, they can probably use your shipping history to  figure out where to shop so their purchases "blend in" to your spending habits, taking you longer to notice that extra Amazon charge.  

Sending bogus e-mails, spoofing the major shipping companies, is an effective way to trick folks into handing over their sensitive information.  And in the rush of the holidays and adrenaline-fueled online shopping, these types of phishing attacks increase.  

Have you received bogus shipping notifications or delivery notices? Have you received other types of Shipping Spam that we did not discuss here? Hit us up in the comments and let us know.  And we wish all of our readers a safe and secure Shopping Season.





