The UPS/FedEx 'Delivery Failure' Scam
Con artists try an old phishing tactic
We first reported the UPS/FedEx phishing scam in September 2008. The scheme has never completely disappeared, and it's recently been circulating again, probably because the upcoming holiday mailing season makes it more likely that people will open the email and click on its attachment.
The emails are variations on the basic theme of "package delivery failure." Some may include a false "tracking" or "packet" number to add verisimilitude and help trick the unwary.
UPS and FedEx aren't the only companies affected. In March 2009 and September 2010, similar emails purporting to be from DHL and the U.S. Postal Service (USPS), respectively, began to appear. The USPS version reads as follows:
Unfortunately we failed to deliver the postal package you have sent on the 19th of September in time because the recipient's address is erroneous.
Please print out the shipment label attached and collect the package at our office.
United States Postal Service
If you receive such an email, don't be tempted! Clicking on the attachment, which looks like a harmless Word document, opens an executable file that installs malware on your computer. The USPS is also aware of attempts to collect personal information via the phone:
Customers may be receiving email messages or phone calls that allege to be from the U.S. Postal Service that contain fraudulent information about attempted or intercepted package delivery.
For emails: If opened, the messages instruct customers to click on a link to find out more about when they can expect delivery of their "package." Simply delete the message without taking any further action.
For phone calls: Please do not provide any personal information and let the caller know you're not interested and hang-up the phone.
The Postal Inspection Service is aware of the problems and are working hard to resolve the issues and shut down the malicious programs.
We regret any inconvenience this may have caused our customers.
UPS, FedEx, and DHL have all issued warnings to immediately delete these emails and to never click on links contained therein. UPS writes that it “may send official notification messages on occasion, but they rarely include attachments.” FedEx says emails it sends with tracking updates for undeliverable packages “do not include attachments.”
If you receive one of these emails, just delete it if you haven't sent a package. If you have sent a package and receive one of these messages, but question its authenticity, contact the customer service department of whichever service you used.
Don't open email attachments until you're certain they're from a legitimate party. In addition, remember to update your antivirus software often, and back up your hard drive regularly.
Let's be aware out there!
Published October 27, 2010