InvestigatorsMatter for Mallory


Suspicious package delivery texts popping up on phones

Experts warn not to click the links
Posted at 4:26 PM, Sep 07, 2020
and last updated 2021-03-17 18:53:10-04

BALTIMORE — Mail and packages may be taking longer than usual, but if you receive a text with a link to tracking information, don’t click it.

WMAR-2 News Mallory Sofastaii has heard from dozens of viewers who have received these messages.

The sender claims to be a shipping carrier, USPS, or an attorney with information about settlement money. They have your name and number, and it seems kind of important. Could it be that bad if you click the link?

“The most vulnerable part in any computer system is the user. So, if you can craft a message that can convince a person clever or not to click that link then the attacker, the bad guys have won,” said Dr. Richard Forno, assistant director with the UMBC Center for Cybersecurity.

Dr. Forno said this texting tactic isn’t new. And the influx of messages, particularly now, could have something to do with election season, or scammers staying on top of recent news such as package delays and turning it into an opportunity.

“Your package is missing is classic social engineering. Finding ways to trick a user, I mean they could say your property tax bill is overdue, click here to pay now,” Forno said.

And it works. A UMBC student tested her peers.

In the study, she sent three different kinds of phishing emails to 1,350 students. The emails were fake billing statements, offers of free gift certificates, and one threatening account suspension. Of the students who opened the phishing emails, 59 percent clicked on the suspicious links.

And a surprising finding -- students unaware of phishing attacks performed better than students who were aware or understood phishing attacks.

As far as the texts people have received recently, it’s called “smishing,” or cyberattack through text message. Senders are attempting to steal sensitive information by acquiring a victim’s personal details, such as names of friends, hometown, employer, locations they frequent and recent online purchases. Attackers then use that information to disguise themselves as a trustworthy source typically through email or other online messaging.

According to How-To Geek, the missing package texts may take you to a fake Amazon listing offering you a free reward for completing a survey, but you’ll need to hand over your credit card number and address for "delivery fees."

Depending on your security, you may receive a warning if you try to click the URL.

Bottom line, don’t click the link, but if it’s too late, Forno said not to panic.

“Be vigilant. I mean monitor your email and check your credit cards and see if any charges have been made in your name things like that,” said Forno.

And send smishing texts to your phone carrier by copying the text and forwarding it to 7726 or SPAM free of charge.

Sofastaii sent USPS some of these messages, an investigator confirmed they were fake.

The Census Bureau said they have sent texts to a limited number of people, but it’ll only come from the three phone numbers below:

  • 833-972-2561
  • 833-969-2724
  • 833-972-2579

And if you’re not sure if a text or call is real, google the phone number for the entity and call them directly and ask if they’ve been trying to reach you.

There are ways to block these messages. just like there are robocall blocking apps, you can download a service for spam texts.

Or check your phone’s preferences. Apple, for example, will let you block or filter out messages from unknown senders. Click here for more information.

Comparitech has created a guide on how to tell whether your phone or computer has been hacked. Here are 10 clear signs.