From groceries to gadgets, everything can be delivered to your doorstep these days with just a few clicks. In this e-commerce world, logistics and postal companies have become critical players in the retail sector, with brand names that everyone recognizes. But this has also made them goldmines of PII that attackers would do anything to get their hands on.
Forty million people were targeted by scams last year, and 49% fell victim to parcel delivery scams, making this the most common attack faced by the public (by far). Next in line are banking scams, which only accounted for 29% of fraud.
Consumers may be aware that these scams exist, but they continue to fall for them year after year. So, is there a way to stop postal scams in their tracks? Let’s start by understanding how these scams work.
Last Mile Delivery: What’s the Endgame for Logistics and Postal Scammers?
Logistics and postal scams target the customers of shipping companies, postal services, and government agencies transporting goods. These scams often exploit consumer haste, sense of urgency, trust in the logistics company, and eagerness to see orders arrive as soon as possible.
Scammers often impersonate legitimate courier companies by creating fake websites or customer support channels that appear authentic.
The ultimate goal of these scammers is to trick victims into making payments to them or into providing personal information such as social security numbers, credit card details, or social media logins. They can then directly steal money from victims, use their personal information to access their online accounts in account takeover attacks, or install malware, making their devices vulnerable to other attacks.
Why Are Logistics and Postal Scams Getting Out of Control?
The fact that the whole world went online during COVID lockdowns — and then stayed online — is an essential factor in the growth of e-commerce in recent years. With the e-commerce boom, it’s only natural that logistics and postal scams have become more prevalent.
The scammers now leverage social engineering tactics like smishing (SMS-based phishing) and impersonation, where they pose as authorities or trusted logistics companies. They augment these efforts with meticulously crafted fake websites and spoofed emails that they create en masse, far outpacing the capabilities of traditional security tooling.
Another reason these scams are so successful is the lack of awareness among users. Many individuals interacting with logistics systems remain undereducated about the latest scam tactics and don’t know how to scrutinize digital communications properly. This knowledge gap allows even relatively unsophisticated scams to slip through.
Top 5 Logistics and Postal Scams of 2024
Logistics and postal scams work by creating a false sense of urgency. The main goal is to lead victims to act quickly without verifying the legitimacy of the communication. Here are some common types of scams:
1. Phishing and Smishing from Impersonated Logistics Partners
Postal and logistics services are indispensable to people all over the world. This makes them excellent targets for attackers looking for PII.
One of the oldest postal services in the world is the UK’s Royal Mail. Owing to its vast reach, brand reputation, and quality of delivery, it is frequently impersonated in phishing and smishing scams. You can find an entire page of phishing and smishing examples on the Royal Mail website. Here is one example:
The website linked here is a fake website that very closely impersonates the original Royal Mail website. Fraudsters have become very proficient at creating exact replicas of company websites and doing this at scale. Clicking the link would lead to a page prompting the customer to enter personal details like their name, address, and phone number and maybe even make a small payment—all with the purpose of harvesting and misusing the customer’s PII.
These scams kick into high gear during the holiday season, when shopping is at its peak. One Reddit user took to the platform to ask about an SMS they received, claiming to be from DHL, asking them to pay a meager 1.65 NZD shipping fee. While the amount requested is paltry, the fraudster is really after the customer’s PII (such as full name and address) and credit card details.
To mitigate risks, companies should enhance their verification processes for delivery notifications and educate clients about the dangers of unsolicited messages. Implementing advanced tracking systems that provide real-time updates can also help ensure package integrity and security throughout delivery.
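The link check that a customer or a carrier's abuse desk can apply to such messages is sketched below as an added example; it is not code from this article or from any vendor. The carrier domains in `OFFICIAL` are assumed to be the officially published ones, and the sample messages and `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains each carrier publishes as official.
OFFICIAL = {"royalmail": {"royalmail.com"}, "dhl": {"dhl.com"}, "ups": {"ups.com"}}
LEET = str.maketrans("01345", "oleas")  # digit-for-letter swaps seen in lookalikes
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def is_official(host):
    # Exact domain or a true subdomain; "dhl.com.track.example" does not pass.
    domains = set().union(*OFFICIAL.values())
    return any(host == d or host.endswith("." + d) for d in domains)

def brands_named(tokens):
    # Short names such as "ups" must match a whole token, so "backups" is ignored.
    found = set()
    for tok in (t.translate(LEET) for t in tokens):
        for brand in OFFICIAL:
            if tok == brand or (len(brand) > 4 and brand in tok):
                found.add(brand)
    return found

def triage(sms):
    """Return (host, verdict) for every link in one SMS body."""
    text_brands = brands_named(re.findall(r"[a-z0-9]+", sms.lower()))
    results = []
    for url in URL_RE.findall(sms):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if is_official(host):
            verdict = "official"
        elif brands_named(re.split(r"[.\-]", host)):
            verdict = "impersonation"    # carrier name in a hostname it does not own
        elif text_brands:
            verdict = "unverified-link"  # carrier named in the text, unrelated domain
        else:
            verdict = "no-carrier"
        results.append((host, verdict))
    return results

# Constructed sample messages; the .example hosts are placeholders.
SAMPLES = [
    "Royal Mail: your parcel is held, pay 1.65 fee at https://r0yalmai1-redelivery.example/pay",
    "DHL: missed delivery, reschedule: https://dhl.com.track-parcel.example/r",
    "Your UPS parcel is waiting. Confirm here: https://parcel-hold.example/u",
    "Track your item at https://www.royalmail.com/track-your-item",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms))
```

Matching on the exact domain or a true subdomain is what defeats hosts that merely begin with the carrier's domain; the token check catches hyphenated and digit-swapped lookalikes.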
2. Account Takeover (ATO) via Fake Websites
An account takeover is when a fraudster tricks a user into divulging their account logins and uses these logins to make unauthorized transactions from the account. This is usually preceded by a phishing email and a fake website used to steal customer logins.
UPS customers have taken to Reddit to ask for help with the takeover of their UPS accounts. Their account logins were compromised, and the fraudsters sent various packages to Amazon warehouses in Texas. They used the ‘Bill a 3rd party’ option in the UPS account to make the victim organization pay the shipping fee. The ordeal lasted many months and fractured the long-standing trust these customers had in UPS.
The key to fighting ATO is to combat phishing and fake websites proactively. The challenge here is to detect the creation and propagation of these digital assets in real time, before they are used to target customers.
3. Fake Missed Parcel Scam
Another technique used in logistics scams is installing malware on customer devices that spies on user activity, steals data, and damages data on the device.
The wait for that shiny new gadget you ordered off Amazon can be long and agonizing. But it’s frustrating to miss a parcel and wait another day or two. Cybercriminals, aware of the impatience of online buyers, target them precisely at this time. Customers of DHL and UPS were sent text messages informing them that they’d missed a parcel and needed to click a link to reschedule the delivery.
Simply clicking this link would open a connection to a remote server that installs malicious code on the mobile device, with the aim of stealing information such as contact lists, bank details, card data and more. The bad actor can use this information to steal funds or reach out to the entire contacts list, trying to steal their data, too.
Along with measures like improving delivery notifications and educating customers, logistics companies need to enhance their ability to spot fake websites and respond to this threat sooner.
4. Fake Customer Support Numbers and Websites
Along with fake websites, a powerful tool in the scammer’s hands is a fake customer support number. They may even use a toll-free number that is very similar to the original number.
Many DHL customers have reported being troubled by such calls and have shared the numbers of the scammers. While the attacker may come up with creative stories about what the customer might or might not have done, the end goal is to squeeze money out of the victim. People may fall for this scam because of the involvement of a human agent, which helps make the scam look more legitimate. As these scams become more common, people are becoming aware of them. But just as many fall for these fake customer support calls. With the advent of deepfake technologies, “human agents” can be created by AI, making the scammers’ work even easier.
It’s important for logistics companies to publish customer service numbers, email IDs, and social media handles clearly on their website and communicate to customers regularly that they should never use any other communication channels apart from the ones mentioned. These organizations should avoid frequently changing these numbers and email IDs. They should also routinely call out known fraud numbers, email IDs, and websites to keep their customers informed.
5. Package Rerouting Scam
In this scam, fraudsters pose as genuine customers and attempt to steal goods from companies that use logistics providers.
For example, a company that uses UPS to send goods to its customers experienced rerouting of shipments and lost $6,000 in a single order. They received an order to ship products to the wrong address. The customer then called UPS to add a new shipping address for the delivery or to pick up the parcel at a different UPS warehouse.
One way to prevent this fraud is to disable the rerouting of packages once an order is created. UPS has this feature.
Detect Impersonation Fraud in Real-time With Memcyco
Scams targeting logistics companies are evolving into new, sophisticated forms every day. Traditional impersonation detection tools are no longer sufficient for protecting against these scams, as they often rely on periodic scans or manual reviews that fail to detect threats in real time. These tools leave companies vulnerable to fast-moving attacks that can cause significant damage before they’re identified.
Memcyco’s Digital Risk Protection (DRP) solutions include a proprietary ‘nano defender’ technology: an active tracking sensor embedded directly into your company’s authentic website. This sensor continuously monitors and detects cloned websites in real time. Meanwhile, customers are notified via Red Alerts if they visit a fake website. Additionally, Memcyco protects customers by using decoy data, ensuring their data is safe even if they unknowingly submit it to a fake site.
With real-time detection and protection, and enriched insights into the attack, you can save money on incident remediation, protect your brand, and avoid customer attrition. Schedule a demo to see these features in action.