Along with holiday decorations and lights, FedEx, UPS and DHL trucks adorn American streets at this time of the year. And that provides the perfect opportunity for scammers to deliver trouble — with phony notifications that there's a package waiting for you.
Walter Hodges/Getty Images
Usually the word arrives by e-mail, which should be your first clue it's a con: Shipping forms used by the major carriers list the names and addresses of senders and recipients, but not their e-mail addresses. So it's unlikely that delivery companies would e-mail you about an issue with a package.
But that doesn't stop scammers, who buy e-mail lists or target people who fell for other spamming schemes.
In the most common ploy, an e-mail purporting to be from a well-known courier service — or even the U.S. Postal Service — contains a link that supposedly will bring up information about a package that cannot be delivered or that will let you print a copy of the delivery order.
If you click on the link, you may download any of a number of malicious Trojan computer infections. Some slow your computer's performance and trigger phony security alerts, followed by pop-up offers to sell you fake antivirus protection — what's known as scareware. Others are far more dangerous, unleashing keystroke loggers that allow the hackers who sent the mail to capture your passwords and online banking and credit card information.
FedEx issued a warning several months about e-mails from an "@fedex.com" address that included a link called "FEDEXInvoice" containing such malware.
UPS does occasionally send out e-mails containing links, but generally only to regular clients who have online accounts. Here's how to recognize these legit messages: Their links always begin with https://epackage1.ups.com.
A newer version of the delivery ruse, which recently triggered a warning by Binghamton, N.Y., police, are e-mails that make the same phony claim of an en route package, but with a request that you purchase insurance on it, via a credit card or money order. "Once citizens give their credit card number," police say, "they may lose money, and there is little chance of recovering it." And scammers can make more fraudulent online charges on that account.
In another ploy, postcards are left at your front door bearing a "sorry we missed you" message and instructions to call a phone number to arrange delivery. But call the number and you may be told you won a free vacation or some other prize — and be asked for a credit card number to pay a "small fee" to deliver your tickets or winnings. (Last Christmas, a Better Business Bureau chapter president received one of these bogus notifications at his home, triggering a nationwide warning.)
Be especially on guard if the call-back number has an area code of 876, 809 or 284. These may seem all-American but are actually for Jamaica, the Dominican Republic and the British Virgin Islands. Make those calls and you can expect long waits and transfers intended to rack up your phone bill — the per-minute rate may be $4 or more, some of which flows to foreign phone companies and the scammers. Other area codes used in offshore calling cons include 441, 473, 664, 758, 784 and 868.
To protect yourself against delivery scams:
- Keep in mind that legitimate courier services don't ask for payment or personal information via e-mail or phone. Authenticate any delivery notification by contacting the company on its website or by calling FedEx at 800-463-3339, UPS at 800-742-5877, DHL at 800-225-5345, or the U.S. Postal Service at 800-275-8777.
- If you receive an e-mail that appears to come from one of those companies, do not click on any attachments or links. Examine the e-mail closely, keeping in mind that UPS occasionally does send out e-mails, with links that begin with https://epackage1.ups.com. If you suspect an e-mail is fraudulent, forward it to FedEx at firstname.lastname@example.org, UPS at email@example.com or DHL via its website. The Postal Service, meanwhile, accepts e-mail at a special web page. You can also notify the FBI's Internet Crime Complaint Center.
- To remove Trojans and other malware, scan your computer at least weekly with updated antivirus software that you've already purchased (as opposed to buying it from a pop-up scareware warning). If you're shopping around for antivirus software, consider buying a security suite — newer programs from McAfee and Norton that some experts say offer better detection and protection.
Sid Kirchheimer is the author of Scam-Proof Your Life, published by AARP Books/Sterling.