Mobile users are being warned against a new FedEx scam in the form of convincing SMS messages appearing to be from the delivery services company.
Users have reported receiving texts informing them that a package is waiting to be delivered, complete with tracking code, and prompting them to “set delivery preferences” via a link.
According to CNN, the link then directs customers to a spoofed Amazon page that includes a customer satisfaction survey; users are then asked for personal information, including payment card details, in order to claim a “reward”.
FedEx has said that it never requests personal information via text or email.
“Smishing” attacks like the FedEx scam are on the rise
“Smishing” refers to a type of attack in which text messages are used to dupe victims into sharing personal information or clicking on malicious links, with attackers often posing as trusted organisations such as banks, mobile phone providers or e-commerce sites. According to the Federal Trade Commission, unwanted text messages rose 30% year on year in 2018.
According to Experian’s 2020 data breach industry forecast, this type of attack is expected to become more common over the coming year.
Girish Bhat, VP of Product Marketing at MobileIron, said that as a growing number of delivery companies offer the option to track deliveries, this type of attack will become even more common:
“The desire to track delivery status using mobile devices in today’s hyper connected economy makes every consumer a target for this scam.
“It uses SMS text messaging as the attack vector to siphon user data. With phishing attacks like this, users can be tricked into clicking on a link and then providing their credit card information. In other phishing attacks, they might be tricked into clicking on a link that downloads malware or an exploit kit onto their device. Mobile users are more susceptible to phishing attacks, as they are more likely to click on a malicious URL.”
Bhat offers the following advice to users looking to protect themselves from smishing attacks like this FedEx scam:
“Resist the urge to click on links in text and email, especially if you are not expecting packages.
“Only track packages from the e-commerce website. For example, if you are wondering where your Amazon delivery is, log into your Amazon account and track your order. And, remember to turn on [two-factor authentication] for all your accounts.
“A mobile-centric, zero trust platform with native mobile threat defence capabilities would also protect users from these types of attacks.”