Fraudsters Impersonate USPS in Phishing Campaign to Steal Your Credit Card Data

Bitdefender Antispam Labs has intercepted a fraudulent United States Postal Service (USPS) phishing email that seeks to steal targets’ personal and financial information under the pretext of missing delivery details and payment.

The scam email claims that a “package delivery is on hold” and recipients have only three business days to confirm payment or risk losing the package.

Interestingly, the “Confirm My Package” website redirects users to a bogus USPS landing page that tells a different story:

“Your package delivery has been stopped in transit due to several failed attempts to log into your account. Please fill this verification form so we can resume your delivery as soon as possible.”

The fake website, which closely mimics an official USPS page, is used to harvest a information from victims, including:

  • First and last name
  • Phone number and email address
  • Address and ZIP code
  • Credit card information

This scam campaign was active for just one hour, hitting inboxes in the US, the UK and Ireland. Most of the fraudulent emails were sent from IP addresses in the UK and Germany.

Fake delivery emails are a highly popular scam among cyber thieves who continue to capitalize on the increased use of delivery services during COVID-19. Even though this campaign was short-lived, our researchers expect similar phishing campaigns to pop up in inboxes across the globe.

How to spot and protect against bogus delivery scams

It only takes a second of carelessness to fall victim to data thieves. You can avoid becoming another identity theft and fraud statistic by sticking to rules below:

  • Never click on links or attachments you receive in unsolicited emails unless you can verify the validity of the sender or organization
  • Look for grammar mistakes and inconsistences within the email body
  • If you’re not expecting a package, disregard any correspondence that states otherwise
  • Check the email header and email address
  • Go to the official website of the company by looking it up in your browser if you have any questions
  • Report attempts at fraud to the company via official channels
  • Never provide personal information or sensitive data via suspicious links you receive in unsolicited emails
  • Install a security solution on all your devices to fend off fraud, malware and phishing attacks