Diving into an SMS Package Tracking Scam

I received a text that my package had a tracking number. That's weird, I didn't order anything. At a glance, the SMS is obviously a scam with a weird website and misspellings. We're all in trouble if scammers ever learn how to use spell check. To better equip everyone to handle these scams, though, I powered up one of the computers in our cybersecurity lab so I could take us through this scam.

Confidence Scams

This scam had several interesting methods of hooking someone and getting their information. Unfortunately, I had to record it twice because my mic decided it hates me, so I didn't get to show some of the confidence scam methods they used. So you'll know what to look for, here's what I saw:

  • Investment - The scammer isn't trying to get you to invest financially (not this time) but through build-up and effort. By making you go through multiple steps they psychologically invest you into the scam. Even though you know something isn't right, you've put effort into this now and you'll want to see it through. Much like buying a car, you should always be willing to walk away.

  • Game of Chance - The scammer had a rather technical and neat game of chance on the site where you would click on prize boxes. The first two were empty, of course. The third contained a PS5! I ran through it several times to see if anything changed and it always won on the third (and last) try. This is another step in investing you in the scam. That bit of dopamine rush for maybe winning something.

  • Fear of Missing Out - The site had several countdowns that showed X many of Y slowly running out. No one likes to be left out or miss their chance at something great. This is a common way for marketing, sales, and scammers to make you take action without thinking it through.

  • Credibility - The scam site had a Twitter-style feed showing other lucky winners of the items. Of course, these people don't exist and no one actually won anything. It's a good way to make their scam look legitimate, though.

Identifying Traits

While the scam websites were technically well made with cool games, animations, and layout, they were still obviously scams.

  • Did you actually buy something, and are you expecting a package? Are you expecting a package from a random website, or UPS/Amazon/FedEx? If the message comes from somewhere random, it's probably a scam.

  • Misspellings and grammar issues are always a problem for scammers. Businesses take the time to make sure their automated messages are well formed and don't have spelling issues.

  • Why does the package tracking link take you to a Verizon-branded site with a shipping company domain? All sorts of issues with that. As soon as that comes up, bail out.

  • It's too good to be true. Paranoia is usually a bad thing, but on the Internet it's totally legitimate and warranted. If something sounds too good to be true, it's probably a scam.
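The domain and branding checks from the list above can be automated for message triage. The following is an added example, not part of the original post: the brand allowlist, the function names, and both sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist (constructed, not exhaustive): brand -> domains it really uses.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
    "amazon": {"amazon.com"},
    "verizon": {"verizon.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def owner_of(host):
    """Brand that owns host, matched on a dot boundary so that
    'ups.com.parcel-track.example' does not count as ups.com."""
    for brand, domains in BRAND_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return brand
    return None

def brands_in(text):
    """Known brand names that appear as whole words in text."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return {b for b in BRAND_DOMAINS if b in words}

def triage(sms, landing_title=""):
    """Return (code, detail) findings for one SMS and the title of the page it links to."""
    findings = []
    for url in URL_RE.findall(sms):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        owner = owner_of(host)
        if owner is None:
            findings.append(("unknown_domain", host))
        # Brand name used as a label inside a host the brand does not own.
        for brand in brands_in(host) - {owner}:
            findings.append(("lookalike_host", f"{brand} in {host}"))
        # Page branding that does not match who owns the domain.
        for brand in brands_in(landing_title) - {owner}:
            findings.append(("brand_mismatch", f"{brand} page on {host}"))
    return findings

# Constructed samples; .example is a reserved TLD.
SCAM = "Your pakage has a tracking number: http://ups.com.parcel-track.example/t/123"
LEGIT = "UPS: your package is out for delivery https://www.ups.com/track?id=TEST"

if __name__ == "__main__":
    print(triage(SCAM, "Verizon Customer Rewards"))
    print(triage(LEGIT, "Tracking | UPS"))
```

Matching on the dot boundary is the important detail: a plain substring test for "ups.com" would accept the constructed scam host.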

As always, stay safe out there. Until the risk/reward equation skews towards higher risk and less reward, the scammers will keep doing what they're doing. We, Internetek, will do our part and stay vigilant against these scammers. Whenever we see a site like this, we hand off the information to the web hosting companies to have their site taken down, block it from our clients, and dig into the methods used by the scammers so we can prevent them later.
