While waiting for your last holiday purchase to arrive, it may be tempting to open a text inviting you to check new tracking information.
Don’t do it, warned Florida Attorney General Ashley Moody, unless you’re sure the text really did come from your shipper.
Scam “robotexts” about package shipping updates are a common way crooks get people to unwittingly give up their personal or financial information, Moody said.
The tactic is called “smishing” and is one of the latest ways internet criminals trick victims.
The fake texts offering shipping updates often appear at first glance to be helpful messages from the United States Postal Service (USPS), FedEx, UPS, or other big-name shippers.
But most shippers, including USPS, won’t send a text with package-tracking updates unless you’ve signed up to receive those, Moody said.
Clicking on the link in the fake update may allow crooks to put a damaging virus on your device “linked to malware or a scam designed to steal personal information,” the attorney general said.
And though these tricky texts happen throughout the year, “scammers may capitalize on the glut of deliveries” during the holidays, Moody warned.
One clue suggesting a text about a package is a phony is its failure to provide the name of a specific store or shipper.
If it’s phrased without those details, it’s likely a fake.
And would-be scammers often inadvertently leave other clues, such as spelling or grammatical errors.
What’s more, retailers ask for a shipping address when an order is placed. They won’t send a text later and ask for an “updated shipment address,” Moody said.
To avoid becoming a victim, don’t click on links in texts from unknown senders, no matter how tempting, Moody advises.
If you get a text that fits the description of a fake, block the number so you can’t receive texts from it in the future.
And if you’re not sure, and you’re expecting a package, check directly with the retailer for information, rather than risking it by opening a suspicious text.
Another tip to avoid future scam attempts: Don’t respond to the text, Moody advises. That may increase the chance your phone number will be added to a list to receive more robotexts from would-be scammers.
Fake texts are just one popular way crooks try to steal personal information.
Another tactic is called “phishing,” according to the 2021 Threat Report by Webroot BrightCloud, a Broomfield, Colorado, firm that protects companies from cyber threats.
Phishing is the practice of sending an email or setting up a website designed to look like a reputable company. Clicking on a link in an email or on the fake website may download unwanted viruses to your device that can allow crooks to get your personal information, such as a password or credit card number.
The total number of new phishing sites this year dropped by 83 percent from January to April compared to the previous quarter, Webroot reported, but in May, there was a 440 percent spike in phishing sites.
The top target was the online gaming platform Steam, accounting for 50 percent of the threats detected on user devices from January through May 2021, Webroot analysts found.
Scammers using Steam-related phishing sites were unusual in that 99 percent set up their site to use “https” in the web address, usually an indication that a site is authentic and secure.
“This is extremely rare and unique to Steam,” Webroot analysts wrote in their report, adding that it’s getting more common.
“Forty-six percent of all phishing pages are using ‘https’, up from 32 percent in 2020.”
Making a website secure with “https” is as simple for the website designer as buying and installing what’s known as an SSL (Secure Sockets Layer) certificate, a digital authentication of a website’s identity that enables an encrypted connection.
Big brands and financial institutions are top targets for phishing scams, Webroot analysts found, and while PayPal only accounted for 1 percent of the top 200 phished brands, there was a 1,834 percent spike in phishing scams involving PayPal in May.
“Unfortunately, inexpensive and easy-to-use kits being sold on cybercrime forums for as little as a few hundred dollars enable low-level scammers to conduct effective template-based phishing campaigns,” noted Nolen Scaife, senior manager in Webroot’s Advanced Threat Research.
Moody sent out a pre-Christmas warning about websites designed to look like a company’s legitimate website.
Traffic to fake websites spikes by about 20 percent during the holiday season on some of the most popular shopping days, according to Webroot, and over the past six years, the impact of phishing attacks quadrupled.
So it’s important to be on the lookout for websites that are not what they seem to be, Moody said.
“All it takes is a simple letter change, extra space, or a wrong click for a consumer to visit a fraudulent website,” Moody warned. “Make sure to only give financial information to trusted sites.”
Fake websites designed to look like a legitimate retailer’s website can reel in consumers who then may accidentally give financial information to scammers. For instance, scammers may set up a fake site designed to look like the real PayPal site, where users and send and receive money. The real site is found at paypal.com. A fake site may use the name pay-pal.com or paypals.com.
Companies should search online for websites with addresses similar to their own, Moody suggests. Look-alike websites should be reported to the FBI’s Internet Crime Complaint Center at ic3.gov.
Businesses can decrease the likelihood of having their customers tricked by a phony website by registering domains with slight differences to their correct company web address. That way, crooks can’t register the name and try to lure in would-be customers who accidentally type in the not-quite-right website address.
Another tip to avoid being victimized by a phishing scam when shopping online: Use a credit card rather than a debit card, Moody said.
Credit cards give consumers the opportunity to dispute a charge more easily if an item never arrives or a if fraudulent charge appears.
It’s still important to check bank and credit card statements regularly, though, she said, to ensure there are no fraudulent charges or withdrawals.
And stay away from businesses that demand payment in the form of a gift card, Moody said. “This is always a scam.”
Other common scams offer brand-name merchandise at surprisingly low prices through phishing emails or texts, according to warnings issued in December by the FBI.
Scams aimed to steal personal information may also lure in social media users asked to complete surveys, or by offering lucrative work-from-home opportunities or gift-card deals, the FBI warned.
And “some mobile apps, often disguised as games and offered for free, are designed to steal personal information,” according to an FBI news release. “Before downloading an app from an unknown source, consumers should research the company selling it or giving it away, and look online for third-party reviews of the product.”
With our ever-increasing use of online shopping, it’s more important than ever to “beware of scams and stay vigilant of fraudsters who may try to steal your money and personal information,” said Wayne Jacobs, special agent in charge of the FBI’s Washington Field Office Criminal Division.
“The simplest tips can save you a lot of money: verify the legitimacy of websites before providing financial or personal information.
“If the deal from an unknown seller looks too good to be true, it probably is. So do your due diligence, and do not click on email or text message links from unknown senders.”