Just heard from a client last week who had their credit card compromised and, while waiting for their new card to arrive via mail, had more of their cards compromised by a USPS phishing text. The scam was basically a text that said "there was a problem mailing your new credit card" which led to a USPS cloned website that asked for $0.30 to resolve the issue. My client tried two credit cards (each "failed") before finally realizing what was happening.
I'm continually astounded how many people will be asked for a credit card through no direct action of their own (e.g. an unsolicited text not part of a conversation they initiated) and will just do it. And multiple times!
Edit to be clear: I don't think these people are dumb, and I'm sure there is some scenario in which I could fall victim to a similar claim. This is more a comment on people generally as opposed to "those people."
This was direct action of their own. They had a problem that the USPS would be involved in. That it wasn't really the USPS and that specific problem didn't exist is a different issue.
It's a very common scam in my neck of the woods as well. I'm constantly receiving emails with text like "your package is held up at customs, please pay $2.50 to release it".
Are enough people buying online AND losing track of their orders that they will just blindly take the bait? I fail to see how this vector is more lucrative than the "your computer is infected" route.
Anecdotally for me, roughly once every ~10-20 orders does the attack coincide with an order that I'm waiting for. But then I know where the order is coming from, I know which courier is handling my package, and the store 9/10 times has an online tracker and the shop itself will alert me if there are any delivery shenanigans going on.
That's a good point I guess - I am married. But the first thing that I'll do if the email is not immediately suspicious is ask my spouse if they are expecting anything and why the message came to me and not them.
Maybe I'm not the target market for these operators.
lol yea, most couples aren't great at communication, so that already puts you in the 1% just by texting your SO when you have a question instead of blindly assuming.
The networks did such a good job for so long keeping spam out that people almost inherently trust sms, I've had to help multiple people with fallout from these types of texts.
I agree it surprises me how much people keep trusting SMS in general and how companies keep using SMS for two-factor auth, although it shouldn't at this point, but you're saying networks did a good job protecting against SMS spam and this is the reason why people trust it?
It's a learned trust. Most people don't realize that their phone service provider blocks something like 90% of all messages they receive; they made a conscious decision to not show the users their spam folders, so we don't see what's not getting through like you can when you check your email.
Spam delivered over SMS and the security (perceived or real) of SMS-based 2FA are entirely different subjects, though.
But to kibitz on the second: a validated phone account remains by far the easiest 2FA mechanism to deploy and rely on, and 2FA remains by far more secure than simple password authentication. Advocate for apps and hardware keys all you want, don't dump on an extremely valuable technology, please. The worst possible situation would be for someone to "take your advice" and refuse to use any 2FA at all.
It's an attractive nuisance. And the SMS request that's actually part of the problem can be misunderstood by users (whose model is understandably less technical) as a validation that this is authentic.
"Ooh I'm not sure about these texts from Big Bank, maybe I should call them instead... Oh it did the 2FA code text, I guess it's legitimate"
> Advocate for apps and hardware keys all you want, don't dump on an extremely valuable technology, please. The worst possible situation would be for someone to "take your advice" and refuse to use any 2FA at all.
It was your interpretation that I advise people to not use any 2FA at all. I won't honor the request to not dump on SMS, as I am perfectly happy to dump on an "extremely valuable technology" on technical demerits, on the grounds of security while simultaneously acknowledging highly debatable, highly questionable positive merits on grounds of user-experience, which more often than not oppose each other. Why do you construct a single-faceted single-shot ability for us to evaluate SMS? It sucks and it also doesn't, and saying it sucks isn't going to entirely destroy its already-terrible reputation amongst technicals. I would much rather have a message sent to my email address since that is harder to lose than a text message or phone number, and it costs me far less per month.
> It was your interpretation that I advise people to not use any 2FA at all.
No, to be clear, it's the obvious interpretation of a non-expert user, which is why your advice is so dangerous. They don't have a yubikey, don't understand how the apps work, and are faced with a decision to either enable SMS 2FA or not. And you're telling them not to, so they won't. And we'll all suffer.
Again, work the other side of the problem if this is important to you. Make the other solutions better and educate people about them. Don't tell them not to use something that might very well save their bank account.
> They don't have a yubikey, don't understand how the apps work...
But they almost certainly do have a phone, any vaguely modern phone is also a valid hardware credential - and given how much time people spend using a phone it might even be more practical for them.
I would argue that the problem is we've made the inconvenience symbolic. People see me sign in at work (with a Yubico Security Key 2 typically) and assume that's some sort of get-out or workaround rather than, in reality, the much more secure option that my employer was too cheap to provide. They intuit that the thing they're doing is annoying and takes more effort, so logically it must be more secure, not less, right?
Once more, I'm not saying that SMS 2FA is the best choice. I'm saying it's a vastly better choice than "1FA", and that telling people not to use it is hurting and not helping.
As I stated above, because it can cause people to believe they're doing the right thing when they aren't, I am actually not convinced it's necessarily better than nothing.
I heard about this scam a couple months ago, but finally got a text myself last week. I didn't click the link for obvious reasons, but looking only at the text itself, it was hard to tell if they were mimicking USPS or UPS. The domain they were using was just some random string like "USPUSU" or something like that.
As a person whose address was marked as undeliverable for a period of time, I can confirm that the USPS doesn't text you or contact you in any way if they can't deliver. Your mail just gets returned to sender (sometimes) and hopefully it's not time-critical.
I get at least 5 of these a day between SMSes, iMessages from compromised iCloud accounts, and emails. And it does suck, because I do a lot of shipping and receiving for my business, and I DO get emails from the USPS for owing various amounts of overage on my outgoing shipments. When my scale weighed something as 4oz, but theirs as 5oz, that is the next level up in shipping cost (at least for Ground Advantage and Priority Large Envelope).
I have been getting phishing texts pretending to be USPS for a few months. I actually almost fell for one because I was expecting a package but the text said they couldn't deliver w/o info, and when I looked at the URL I realized it was fake (I assume just a coincidence; that is the scam: send enough, and people that are really expecting packages bite?).
We also have somewhat similar fake web sites for our national post operator Ukrposhta in Ukraine. Scammers send you a text message saying that you may receive a shipment, but need to pay for it to be delivered to your address.
Doesn't surprise me. The USPS is doing some idiotic things with their Informed Delivery emails that I get every morning.
Sometimes they contain inbound and outbound tracking links. If I click on a tracking link, I land on a webpage that requires me to log in. That's annoying. So I copy-and-paste that tracking code into Google, and Google gives me a link that does not require me to log in.
The USPS has trained people to happily provide authentication information whenever someone pretends to be the USPS. No wonder scammers are abusing it.
It makes sense. You want to pick something that more people are customers of. These are numbers of US-based people. Just about everyone at these numbers interacts with the USPS. I recently received a few Wells Fargo text messages. They didn't fool me. This was thanks in part (a large part!) to the fact that I'm not a Wells Fargo customer.
Fuck the USPS for allowing advertisers to bulk send junk mail to everyone for a couple dollars. It’s a daily chore to take out the mailbox trash before it’s so full they start returning important letters back to sender for not being able to fit it in.
Maybe you should instead fuck your legislators so they can make that practice illegal (getting adverts by mail without consent).
Where I live it's opt out, so not ideal either but at least I don't have to put up with the trash after adding a sticker to my post box.
It's been 20 years now, but I tried opting out of a prolific grocery coupon mass mailer. But the carrier was so used to everyone getting them that I just got the ones addressed to my neighbor.
What I despise is the old marketing materials that portrayed the letter carriers as American heroes because they deliver stuff. Yet the vast majority of what they deliver is ads.
Yeah one of the biggest (if not the biggest) sources of paper that I throw away is junk mail. I throw away bags of it every month, 98% of it unopened. The environmental impact of the paper, the printing, the fuel burned to deliver it, must dwarf the impact of the single-use plastic bags I get at the supermarket.
They get to send each house 30 lbs of crap per year at tremendous discount, but if you want to send a Christmas card to Grandma, you have to pay full price.
I wish they would ban mixed media envelopes. So sick of ripping off the plastic windows on junk mail so I can recycle it; it's such a waste of time and resources.
I've done it, and in a matter of weeks the junk just disappears for the most part. Lasts ten years, and I think we're about due for a re-up at our house, as the junk is leaking back in.
True. It’s surprisingly effective, though. Another route is to fish around for their return envelope and send them a pretty leaf or whatnot, but that could just spur them into paying more attention to you.
I used to gather up the credit card application forms for Brand A and mail them to Brand B in their prepaid envelope. I did so many times that Citi finally sent me an intimidating letter from their fraud department asking me to stop. I didn't, of course, but they eventually phased out the prepaid envelopes altogether.
Yep, as a last resort I tried doing this with an apparently unstoppable catalog and got about a month before the postal worker scrawled a nastygram back on one threatening delivery embargo.
Is this because Americans are easier to dupe or that there are so many online Americans it pays off to target them the most? All the other brands are used in multiple countries whereas USPS is only for the US.
> It's because US cell phone networks refuse to implement basic authentication,
Like other countries.
> and because USA population has the most excess money to steal.
No, it doesn't. Many other countries have a lot more wealth in their general population. There are many people in the US with higher salaries than other places; however, I don't think they have the most excess money to steal.
I think everyone is missing a major factoid. Microsoft is second; it'll be used in every language in almost every country. Yet it's pipped to the post by a large amount by a US-only target. People do things for a reason, especially when it comes to money. The US market is clearly the most profitable. But my question remains: is that because there are so many, or that they're dumb?
The US is basically below the EU for wealth, with a smaller population. Your response appears to be ignoring the basic facts. So while the US is a big target, targeting the EU money- and population-wise would be better, yet they choose to focus on USPS because that converts well.
Since we can assume the US does not have as much disposable cash as the EU, since they earn less yet have more wealth, and they have fewer people than the EU, it's that USPS converts specifically well. It looks very likely the reason it's USPS is that folks from the US are very easy to trick.
While I understand it's unpleasant for US citizens to admit that their population is easier to trick, if they improve their education and stop being so far down in the charts, this might not be the case.
What is EU's common language and postal service?
I get a lot of email from European vendors, intended for Europeans who don't know their own email address, and that email is not all in the same language.
US destination SMS is very cheap, less than 1 cent in bulk, same with phone calls to US numbers. English gets you access to most of the population. The population is large, and most of them have ready access to payment methods that work globally.
That makes the US a good target, regardless of success rates, as long as they're not extremely low.