WASHINGTON — Holiday shopping lists can be overwhelming–so can the avalanche of boxes that arrives on your doorstep with the fulfillment of your online orders.
While signing up for text alerts to keep track of package arrivals can be a good way to ensure you receive your items, carriers and security advocates warn against being too trusting with "delivery"-related messages.
The Better Business Bureau has seen an increase in scam text messages in which a recipient is sent links to “update delivery preferences,” or “schedule a re-delivery.” In a practice sometimes called “smishing,” or SMS-phishing, these messages are actually just solicitations of personal information, or can initiate a malware download onto the device.
"The criminals want to receive personally identifiable information (PII) about the victim such as: account usernames and passwords, Social Security number, date of birth, credit and debit card numbers, personal identification numbers (PINs), or other sensitive information," warns the United States Postal Inspection Service. "This information is used to carry out other crimes, such as financial fraud."
The delivery companies you’re probably seeing the most of this holiday season have all had to warn against scams like this. FedEx, the United States Postal Service, UPS, and Amazon all say they wouldn’t require payment or personal information to receive packages they’re moving, and the companies all caution against clicking unsolicited links from them.
Here are some things to look for if you receive a suspicious text message that could confirm it’s a scam:
- Suspicious sender: the message comes from a number that’s longer than an average phone number, or an email with a jumble of numbers and letters
- A sense of urgency: a recipient is given a narrow window of time to respond, or is led to believe a package will be lost if the message isn’t acted upon.
- Deceptive URLs: the link may be disguised to look similar to a carrier’s website, but will contain different spelling or hyphenation than the company’s real name
- Spelling/grammatical errors throughout the message
- Not attached to a specific order: the text doesn’t include an order or tracking number, or references a delivery you aren’t expecting
- Specific carriers also share guidance on how to tell if they're the ones sending a delivery alert:
- UPS posted examples online of actual scam messages reported to the company. They also share the numbers from which the company sends official communication:
- Phone calls: 1-833-242-1931
- Texts: 94601, 69877, 48515 or 52892
- Emails: accountconfirm@ups.com, mcinfo@ups.com, pkginfo@ups.com, customer-notifications@ups.com, auto-notify@ups.com, emailinfo@ups.com, invoice-notification@ups.com, donotreply@ups.com, ups@emails.ups.com, ups@upsemail.com UPSAdministrationSupport@ups.com, or no.reply@upsbilling.ups.com
- USPS says they will not send customers text messages or e-mails without a customer first requesting the service with a tracking number, and these messages will not contain links. Any SMS messaging will come from a 5-digit short code, not an email address,
- FedEx says the company "does not request, via unsolicited call, mail, text or email, payment or personal information in return for goods in transit or in FedEx custody."
- UPS posted examples online of actual scam messages reported to the company. They also share the numbers from which the company sends official communication:
- Amazon tells customers that legitimate Amazon websites have a dot before "amazon.com," such as http://"something".amazon.com.
If you are waiting for packages and aren’t sure if a warning is legit, go check on your order status yourself with shipping information provided by the retailer or by entering a tracking number into the carrier’s website.
The FTC lists several ways to report a nefarious message:
- Copy the message and forward it to 7726 (SPAM), to help your wireless provider flag future similar messages.
- Report the message as “junk” or “spam” in your messaging app
- Report it to the FTC at ReportFraud.ftc.gov.