Online shopping is in the midst of its biggest season ever, with Amazon reporting third-party sales of $4.8 billion in the days after Thanksgiving, up 60% from last year. Now, hackers are sending out fake shipping notification links to capitalize on the surge.
The fraudulent delivery messages appear to come from Amazon, FedEx, UPS and other major shippers, but they launch malware or mine for personal information. Cybersecurity firm Check Point Software Technologies found these messages impersonating shippers were up 440% from October to November, and 72% since November last year.
Long Beach realtor Tom Hoehn was expecting a package from UPS when he got one of these emails.
“It looked like it was from UPS and it said we were unable to deliver your package. However, if you click on the following link you can look up the tracking information on that package and then you can reroute it back to your place. At that point, I clicked on the link and my screen started flashing,” Hoehn said.
“The message said, ‘You have been hacked. We have encrypted all of your files. Send, I think it was like 150 bitcoins to this address.’”
A fake shipping link can launch ransomware like it did for Hoehn, or it can redirect to a counterfeit branded page that asks for credit card or personal information to reroute a package, or tricks you into entering your username and password.
When Hoehn chose not to pay the ransom of some 150 bitcoins, the equivalent of more than $66,000 at the time, he lost everything on the computer including his family pictures and business contacts. Months later, the IRS informed him his identity had been stolen. Then his email was hacked, with phishing emails sent to thousands of his contacts.
“We have our mind on other things like pandemic and our kids getting remotely educated,” said Brian Linder, a threat prevention manager at Check Point. “And it’s a perfect time for these bad actors to prey on consumers that are not paying close attention.”
Check Point found that 65% of fake shipping messages in the U.S. impersonate Amazon.
“They’re successful because most of us are doing business with Amazon. We’re ordering on Amazon. And for us to get an email from Amazon about a package we ordered would be perfectly normal and expected,” Linder said.
Amazon told CNBC it works with the Federal Trade Commission or Better Business Bureau to go after scammers and said in a statement, “Any customer that receives a questionable email, call or text from a person impersonating an Amazon employee should report them to Amazon customer service. Amazon investigates these complaints and will take action, if warranted.”
The phishing messages also commonly impersonate UPS, FedEx and DHL, which all have their own dedicated reporting emails. The companies that make our devices are also on guard. Microsoft, for example, has a Digital Crimes Unit that works with law enforcement and claims to have “rescued” more than 500 million devices from cyber criminals since 2010. Apple,…