With many retailers closed during the second wave of the Covid-19 pandemic, delivery-related phishing scams more than quadrupled in volume across Europe during November 2020 amid record-breaking levels of pre-holiday online shopping. DHL accounted for 77% of the total volume of shipping fraud, followed by Amazon (37%) and FedEx (7%), according to Check Point.
In a new alert issued on 1 December, Check Point warned shoppers of a likely continued surge in phishing campaigns in which cyber criminals impersonate trusted delivery services to commit financial fraud.
Delivery scams will generally be designed to trick their recipients into disclosing their personal details by pretending to involve some kind of delivery issue or to offer shipment tracking, both playing on widespread fears around missed or lost deliveries.
Check Point also warned that malicious actors are targeting both ends of the online purchasing experience – having previously documented an 80% increase in phishing campaigns targeting online shoppers with bogus special offers. The Israel-based security firm reckons that one in every 826 emails delivered worldwide is currently a phishing attempt.
Omer Dembinsky, manager of data intelligence at Check Point, said: “Hackers are going after the entire online shopping experience, before and after people have made purchases. First, hackers will send ‘special offers’ to people’s inboxes from their favourite brands.
“Then, hackers will send an email about the delivery of purchases, even if you have bought from a trusted source. Now that Black Friday and Cyber Monday are over, we are turning towards the other side of the equation, which is deliveries.”
Dembinsky added: “Think twice as you open up any post-purchase emails this holiday season. The email could be from a hacker. Take a closer look at any email that alleges it is from Amazon, DHL or FedEx. Watch for misspellings. Beware of lookalike domains. It’s clear to us that hackers are targeting online shoppers at every step of the online shopping experience, where the danger is very real before and after you make a purchase.”
Globally, Check Point said it had recorded similar rises in phishing scams in both North America and Asia Pacific (APAC). It logged a 427% increase in phishing attempts in the US in November compared to October, with the leading impersonated brand in that geography being Amazon, which accounted for 65% of attempts. The increase in APAC was less pronounced but still significant at 185%, with DHL accounting for 65% of the total number of scam emails.
The guidance on protecting yourself against a phishing scam remains largely unchanged. Users should:
- protect their passwords and never share or reuse credentials;
- be suspicious of any unsolicited password reset email;
- verify any URL against the authentic website, never clicking on links in emails but running a search and visiting the site from there;
- check for lookalike domains that include spelling errors, different top-level domains (.uk, .com, and so on) or email addresses that do not match the purported sender – Amazon will never contact you from a Gmail address, for example; and
- note emotive language in an email designed to create a sense of urgency or uncertainty to lure you into clicking.
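The lookalike-domain checks in this guidance can be automated for mail triage. The sketch below is an added example, not code from Check Point or the article; the allow-list of brand domains, the free-mail list, the finding labels and the sample headers are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allow-list for illustration; confirm real sending domains with each brand.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "dhl": {"dhl.com"},
    "fedex": {"fedex.com"},
}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed short list


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return a list of findings for one From: header; empty means no flag."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for legit in BRAND_DOMAINS.values():
        if any(domain == d or domain.endswith("." + d) for d in legit):
            return []  # listed domain or one of its subdomains
    findings = []
    tokens = re.split(r"[.-]", domain)  # labels and hyphenated parts
    for brand in BRAND_DOMAINS:
        if brand in display.lower() and domain in FREEMAIL:
            findings.append(f"freemail:{brand}")  # brand name, free-mail address
        if brand in tokens:
            findings.append(f"unlisted-domain:{brand}")  # other TLD or padded name
        elif any(edit_distance(t, brand) == 1 for t in tokens):
            findings.append(f"typo:{brand}")  # one-character misspelling
    return findings


# Constructed sample headers, not taken from real campaigns.
SAMPLES = [
    '"Amazon Support" <orders@amazon.com>',
    "DHL Express <notice@dhl-tracking.info>",
    "Amazon <refund@gmail.com>",
    "FedEx <track@fedx.com>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_sender(s) or "no flag")
```

The From header can itself be forged, so an empty result only means the visible sender is not a lookalike. Short brand names such as DHL will also match unrelated three-letter labels at distance one, so treat findings as a triage signal rather than a verdict.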