A phishing email purporting to be from Australia Post, claiming your parcel is about to be returned. A DHL-themed email scam informing users of a ‘failed delivery attempt’. A simple HTML email leading to phishing pages employing FedEx TNT’s branding, citing issues with your delivery address.
Welcome to parcel provider email fraud – a type of fraud where cybercriminals use lures related to parcel delivery in order to trick users. And unfortunately, scams like these are proliferating in the current climate.
Nine recently warned Australians about scammers impersonating Australia Post, stating there were 140 reports of scams involving the postal agency in February 2021 alone. The news network also reported the same scam, but in SMS form, was circulating in March this year. “So far in 2021 Scamwatch has received 263 reports of scams impersonating Australia Post with losses of almost $3,700. In 2020, people lost more than $19,000,” Nine stated. It’s the same story worldwide, too, with the BBC covering the arrest of eight men involved in a similar SMS scam impersonating the Royal Mail.
Over the past month, our team at MailGuard has intercepted several email scams involving well-known shipping companies like DHL and Australia Post. While we typically witness a rise in parcel delivery themed email scams every End of Financial Year (EOFY), the likelihood of these scams being successful has increased significantly since the COVID-19 pandemic. It’s essential that we continue having strategic discussions with customers on the importance of remaining cyber-savvy during this period. Here are a few frequently asked questions relating to parcel-delivery scams that are particularly relevant this year, and their answers.
Why do parcel-delivery scams proliferate during EOFY?
As EOFY draws close, businesses have been busy making purchases before their books shut. This is one of the busiest times of the year for shopping and parcel delivery. On any given day, as either an individual or as a business, there may be numerous packages arriving from several different providers. Scammers are aware of the major brands operating across the Australian market, as well as the type of automated, nondescript emails that come along with online parcel tracking. By imitating these emails, together with a threat that a parcel will be returned if an email is left un-actioned, scammers can easily work their way into our psyche. By doing so, they compel us to submit what looks like routine information so our parcel can be delivered.
Businesses are even more vulnerable during EOFY. The season can typically be characterised by a plethora of invoices, bills, payroll and finance related documents as suppliers, customers and accountants reconcile their numbers and file their tax returns. And consequently, most companies end up in a flutter of stress and panic to get relevant financials finalised and paperwork sorted according to the Australian Tax Office (ATO)’s requirements. Amid stringent deadlines and the responsibility to manage huge amounts of financial data, it’s not surprising if someone submits the company’s credit card details, for example, in a rush to receive an incoming ‘parcel’ as soon as possible.
Here is an example of a DHL-branded phishing email that our team intercepted recently:
As you can see, the email body uses high-quality branding elements from DHL, including its logo, and contains an HTML attachment that leads to multiple phishing pages designed to steal confidential data. In this case, cybercriminals are preying on the curiosity of DHL customers who may think a ‘package’ is actually on its way. This motivates them to open the HTML attachment and enter their personal details without hesitating.
Essentially, cybercriminals are trying to trick users – specifically targeting time-bound professionals who are dealing with a bigger than normal workload and critical deadlines.
Why are businesses more likely to fall victim to parcel-provider related email fraud this year?
COVID-19 has given the global parcel delivery market a huge boost, more so than the previous slow swing that we were seeing towards online shopping pre-pandemic. Due to the closure of many physical stores and with the need to stay at home due to multiple lockdowns, many have resorted to shopping virtually and placing orders online. In April 2020, Australia Post’s parcel volumes were 64% higher than the same time in 2019, while online grocery sales in Australia have shot up by more than 45% since the pandemic began. Over in the U.S. at UPS, weekend ground volume was up 161% when comparing 2021 to 2020. E-commerce is absolutely booming – and trends indicate that it will continue to do so.
While there are, literally, on-the-ground opportunists of the parcel boom, known as ‘porch pirates’ who steal delivered packages from front doors, there are also the online opportunists i.e., scammers who are likely to capitalise on the opportunity to trick professionals shopping virtually, especially those who may be more distracted and vulnerable following a particularly difficult year.
As businesses continue navigating the unprecedented challenges brought on by COVID-19, many workforces are continuing to work remotely in 2021, while others are adopting a hybrid working model. Consequently, many employees may be continuing to use corporate devices on home or public networks to indulge in some retail therapy, amplifying the cyber risks facing their companies.
Likewise, with EOFY in sight, employees’ social networks and personal & professional inboxes will be flooded (if they aren’t already) with special deals and incentives advertising cars, computers, clothes, television sets – you name it. However, remote working professionals can no longer seek quick answers and guidance from colleagues by leaning across the table when, for example, they receive an email claiming a package that had supposedly been ordered by the company failed to arrive due to incorrect shipping details. Cybercriminals know this, and therefore continue exploiting these business disruptions to trick users.
Here’s another parcel-delivery themed phishing email we intercepted this year that purports to be from Australia Post:
This email redirects users to several Australia Post-branded phishing pages that are designed to harvest sensitive details like users’ credit card information. The inclusion of specific details, like a ‘Priority Mail Express Confirmation Number’, a display name like ‘Post Center’ and the company’s logo, suggests the email is sent from an official source belonging to Australia Post, boosting its credibility.
If you suspect that you have received a scam email pretending to be from Australia Post, the postal service advises that you forward it to firstname.lastname@example.org.
How to stay protected from parcel-provider email fraud?
Be it because of the rush to finalise purchases before the EOFY, or because of COVID-19, we have all developed a greater appetite for deliveries – a fact that cybercriminals are exploiting. Here are some reminders about how your customers and their teams can stay protected from parcel delivery themed email scams:
Education is key
A well-educated team is one of the most powerful security assets a company can have.
Starting with senior management, encourage your customers to instigate a company-wide security education program making team members aware of the different types of parcel-provider email fraud and how to stay protected. It’s important that every single person who uses the company’s systems knows what threats to look out for.
Teams should also be encouraged to contact known delivery companies, organisations, and associated contacts through their legitimate websites, known emails and numbers. This applies especially when they have received an email purporting to be from a shipping or postal company, supposedly about a ‘package delivery’. While it can seem overly cautious to call back or type the address for a company website directly into your browser rather than clicking on a link, it can save a lot of pain in the long run.
Training staff to spot malicious emails is also particularly important: since everyone in the company has an active email inbox, everyone is in the firing line. We have to give them an understanding of the threat that could be hidden in what seem like innocent emails so they can play their part in keeping the business secure. However, knowing how to spot a malicious email can undoubtedly get tricky – cybercriminals are, in fact, coming up with new, innovative ways every day to deceive you into thinking a hoax email impersonating a shipping or postal company is a real one. Their techniques range from using high-quality graphical elements through to, ironically, using safety features (such as security questions) to trick users into clicking on malicious links.
As a precaution, users should not click links within emails that:
- Are not addressed to them by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that they were not expecting to hear from.
- Take them to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
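The red flags above, together with the traits of the intercepted DHL and Australia Post emails described earlier (a brand-lookalike display name such as ‘Post Center’, links that do not lead to the brand’s own site, an HTML attachment), can be turned into a simple triage check that a mail team could run over a reported message. The following is an added example written for this post, not MailGuard’s own code or product logic. It uses only the Python standard library. The brand-to-domain mapping is an assumption a deployment would maintain itself; the sample messages, the recipient name ‘Jane’, and every address in them are constructed for the example, and the `.invalid` domains are reserved placeholders that do not exist.

```python
"""Heuristic triage of a parcel-delivery themed email (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of impersonated brand keywords to their legitimate domains.
# A real deployment would maintain and review this list itself.
BRAND_DOMAINS = {
    "australia post": ("auspost.com.au",),
    "auspost": ("auspost.com.au",),
    "dhl": ("dhl.com",),
}


class _HtmlScan(HTMLParser):
    """Collects href targets and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def _is_legit(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw, recipient_first_name):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_hdr = msg["from"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    display = (sender.display_name if sender else "").lower()
    sender_domain = (sender.domain if sender else "").lower()
    subject = (msg["subject"] or "").lower()

    # Which brand does the email claim to come from, and is the sender's
    # domain actually that brand's?
    claimed = next((b for b in BRAND_DOMAINS if b in display or b in subject), None)
    legit = BRAND_DOMAINS.get(claimed, ())
    if claimed and not _is_legit(sender_domain, legit):
        findings.append(("sender_domain_mismatch",
                         f"{claimed!r} claimed, sent from {sender_domain}"))

    # Do the links lead to the brand's legitimate URL?
    body = msg.get_body(preferencelist=("html", "plain"))
    scan = _HtmlScan()
    if body is not None:
        scan.feed(body.get_content())
    for href in scan.hrefs:
        host = urlparse(href).hostname
        if claimed and not _is_legit(host, legit):
            findings.append(("link_domain_mismatch", f"link to {host}"))

    # HTML attachments are the lure carrier in the DHL example.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
            findings.append(("html_attachment", name or part.get_content_type()))

    # Is the recipient addressed by name anywhere in the body?
    if recipient_first_name.lower() not in "".join(scan.text).lower():
        findings.append(("no_personal_greeting", "recipient not addressed by name"))
    return findings


def build_sample(display_name, sender, subject, html_body, attach_html=None):
    """Build a constructed test message as bytes; none of this is real mail."""
    msg = EmailMessage()
    msg["From"] = f'"{display_name}" <{sender}>'
    msg["To"] = "jane@corp.example"
    msg["Subject"] = subject
    msg.set_content(html_body, subtype="html")
    if attach_html is not None:
        msg.add_attachment(attach_html, subtype="html", filename="Delivery_notice.html")
    return msg.as_bytes()


# Constructed lure with the traits the post describes: brand in the subject,
# lookalike display name, sender and link on an unrelated domain, HTML attachment.
SUSPECT = build_sample(
    "Post Center", "notify@parcel-update.invalid",
    "Australia Post: your parcel is about to be returned",
    '<p>Dear customer,</p><p>Confirm your address '
    '<a href="http://parcel-update.invalid/track">here</a>.</p>',
    attach_html="<p>constructed placeholder attachment</p>",
)

# Constructed control resembling a genuine notification (address is made up).
CONTROL = build_sample(
    "Australia Post", "noreply@auspost.com.au",
    "Your parcel is on its way",
    '<p>Dear Jane,</p><p>Track it at <a href="https://auspost.com.au/track">auspost.com.au</a>.</p>',
)

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("control", CONTROL)):
        print(label, triage(raw, "Jane"))
```

The checks deliberately require a claimed brand before judging sender or link domains, so a genuine email from a company not in the mapping is not flagged for those reasons; it may still be flagged for an HTML attachment or a missing personal greeting, which are exactly the cases the list above says to treat with caution and verify out of band.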
Ensure customers’ email security is up to scratch
We also recommend proactively assisting your customers in reviewing their email security measures to mitigate the risks of parcel delivery fraud. Taking a multi-layered approach is fundamental.
We know that nine out of 10 cyber-attacks start with an email, even when most businesses have an email security solution in place. No one vendor can stop all threats, so it’s crucial to remind customers that even if they are using Microsoft 365, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a third-party cloud email solution like MailGuard.
Parcel delivery themed email scams have been around for a while, but their continued success shows that much more can be done to proactively review & enhance our customers' cyber defence measures – especially in a period of heightened cybercrime.
Let this also be a good opportunity to re-evaluate how prepared your customers are to defend their businesses from any fraudulent schemes or scams as the EOFY approaches. If you need more support protecting your customers from cybercrime, feel free to reach out to us at email@example.com.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1 888 848 2822
UK partners call 0800 404 8993