UPS Canada is warning customers in Canada of potential data exposure and the risk of phishing. People have started to receive letters like the one below from UPS, which some have assumed were “just” regular phishing alerts. As it turns out, the letter is specifically about the potential exposure of data via a look-up tool.
One example of the letter is below, via a tweet from threat analyst Brett Callow.
So @UPS_Canada sent me a letter about phishing and smishing. Turns out it wasn't simply intended to be educational. In the 4th paragraph, it became apparent that it was actually a data breach notification. 1/2 pic.twitter.com/lw7PI7HORI
— Brett Callow (@BrettCallow) June 21, 2023
You’ll notice why recipients assumed it was a generic phish warning straight away: There is no reference to any actual incident until halfway down the page. The whole first half is a generic description of what phishing and smishing involve, alongside a link to examples and where genuine UPS texts originate.
I would think many people looking at this would have already tuned out and thrown it into the garbage. In this case, that would be a mistake. Anyone who reads on will (eventually) discover that all is not right in the land of parcel deliveries:
UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered. UPS has been working with partners in the delivery chain to try to understand how that fraud was being perpetrated.
The letter goes on to mention that an internal review took place to see if information it received from shippers was somehow contributing to these attempts taking place:
During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient's phone number.
UPS states that access to this information has now been limited, and people whose information may have been impacted are being notified out of “an abundance of caution”.
In terms of the data potentially accessed:
The information available through the package look up tools included the recipient’s name, shipment address, and potentially phone number and order number. We cannot provide you with the exact time frame that the misuse of our package look-up tools occurred. It may have affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.
This isn’t great, and it’s exactly the kind of data needed to get the phishing ball rolling. Bleeping Computer notes some other messages doing the rounds which may be tied to this campaign, which include delivery fee charges owed, and missing shipments of Lego.
Parcel Delivery scams are a big problem, and target firms like UPS and even the US Postal Service. Being able to grab personal details from actual delivery firms is a major boon for scammers so it’s essential to be on your guard where mysterious parcel texts and emails are concerned.
How to avoid fake parcel scams
- Check your orders. The email isn’t going anywhere, and neither is your order. You have plenty of time to see if you recognise parcel details, and also the delivery network.
- Avoid attachments. So-called invoices or shipping details enclosed in a ZIP file should be treated with suspicion.
- Watch out for a sense of urgency. Be wary of anything applying pressure to make you perform a task. A missing payment and only 24 hours to make it? A time-sensitive refund? Mysterious shipping charges? These are all designed to hurry you into action.
- If in doubt, make contact with the company directly via official channels.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.