Url looks suss. Seems kinda sophisticated for the usual ups fishing scam. Here’s the text message I got leading here.
“Wishing you a bright and sunny day!” Lol, I almost want to help this guy by explaining that UPS and American companies in general have disdain for their customers and would never wish them to have anything that would not benefit the company.
your first clue was the link in the text - no shipper is going to miss having its branding in the url. the second was that the url it redirects to its obviously random bs and if you do a whois you see its def not owned by usps.
got a few of these phishing attempts myself over thanksgiving. holiday gift shopping season has begun, the scammers want to catch the less savy among us.
Aside from all of the red flags already listed in other comments…are you even expecting a package to be delivered? I almost never receive a package that I don’t expect
Hope you didn’t click that link. You probably downloaded a malicious payload.
It is 100% a scam. I get texts with this exact text all the time with shady links going to a fake USPS website.
They can’t figure out your address, but somehow they can figure out your email?
One thing to note, aside from all the other inconsistencies, that tracking number does not follow the standard tracking number format for a USPS package. The USPS website describes their different tracking numbers for their different services in the FAQ at the bottom of their tracking page. https://tools.usps.com/go/TrackConfirmAction_input
Look at the URL. Of course it’s a scam.
I got one of these today too.
Something tells me the USPS wouldn’t be using bit.ly.
100% a scam.
The USPS won’t text you, they’ll leave you a notice in your mail box. They’re the only people besides you allowed to open your mailbox legally so it’s their best avenue.
Well, they claim they couldn’t find your house. So that wouldn’t be an option. Still a scam though
They can’t find your house, but somehow they know your phone number…? I don’t know about you, but I’ve never had to use a person’s email address or phone number when I was mailing them a letter or package, just their physical address or post office box.
deleted by creator
Look at the domain name in the url. Not legit
This can even be checked at https://tools.usps.com. Try to track the number or use one of the drop downs to see what different USPS service tracking numbers look like.
I have received a legit “undeliverable package” status before but it will never be sent in a text like that. It will only display on the tracking history/status on the USPS tracking website for a given parcel.
If you want to be extra sure, just contact USPS directly.
In addition to everything else: for weeks our building has been receiving packages addressed only with a name, a number, S, and the zip. The name is someone who has never lived here and may not exist. There’s no apartment number. Our street doesn’t start with S, if anything the S is for South. It’s obviously some kind of fraud, because what’s in the packages are little metal clips to clamp the starting tape holding stuff on a pallet. Not anything for residential use. They ship from various Amazon warehouses but through USPS. We can’t get the mailman or Amazon people to return them and the Amazon return process only works if the unwanted package is addressed to you, not some random name.
But I’m now sure as hell that USPS isn’t going to let anything as trivial as an unclear address stop them from delivering the package SOMEWHERE. Anything to call it “delivered.”
That scam is called “brushing.”
Amazon does have a report process for it, but yeah it’s most likely to go into the Ai chipper.
Tried it, the first question is to confirm that the package is addressed to YOU. There’s nobody in the building who could do that.
I found This on the same site as @mosiacmango@lemm.ee. Doesn’t sound 100% like their intent (unless whatever is “next” is a place to fill out personal details). However loading a webpage is enherantly at least a little bit risky.
UPS and American companies in general
But this is USPS, which isn’t an American company, it’s a US independent agency.
Their mandate isn’t (AFAIK…) to make a profit, but rather to serve the mail requirements of a very large country.
Personally, my experiences with USPS have been generally positive, from passports for infants to free change-of-address forwarding service to tracking down quasi-scam products from Amazon. YMMV though.
Why the fuck did you click a link like that in the first place? That first message is basically screaming at you that it’s a phishing attempt.
Best opsec is to delete and block, ideally without opening it at all to avoid read receipts (if that’s a function in your phone). If you think it might be legit, go to the website on your own and find a way to confirm independently. If that’s still too much to follow through with, at the very least don’t click random links sent to you unprompted.
Could someone educate me on the possible damage clicking a link can bring, assuming I’m not interacting with the website any more than that?
Not doubting there’s damage, just curious. I’d think they’d get some maybe usable info from fingerprinting or something? Could javascripts lead to more serious problems?
There could theoretically be a vulnerability in your browser that would allow them to infect you with viruses, but such vulnerabilities are much much more valuable used elsewhere (or cashed in through security research bounties). One I’ve seen is that the page further phishes you into downloading and installing an “update” to your browser that’s really a virus, or they simply try to phish you out of money, for example by asking you to pay the shipping costs again.
It’s also a way to build lists of who actually clicks the links, that they resell to the next sucker (scamming is suckers all the way down, they all buy The Next Big Technique from some guy), ensuring you will get further spam in the future.
There’s actually a fun technique to do to avoid further spams when it comes to voice calls. A little know fact is that elevator call buttons are actually just phones that have a phone number, and if you dial the number, it will automatically answer and you will hear whatever is in the elevator (generally nothing). If you pick up but don’t say a word, their automated systems will flag you as an elevator phone number and they will stop calling in order to stop wasting resources on calling numbers that won’t lead to money.
The least it wil do is confirm your email to be in use for further scams.
If you do nothing but click the link and then close the resulting website without clicking anything else, all that will happen is that they’ll know you’re someone who clicks such links and you’re likely to get more of them.
Hey dude, you had an opportunity to educate someone and instead you belittled them. As someone who works in cyber, please don’t do that. People get stigmatised against cyber and IT professionals and they stop trusting us. Users don’t know what we do, so be kind to them the way you should be kind to anyone learning new things. https://xkcd.com/1053/
Just write in the nearest Subway/McDonald’s address.
