I’m an Idiot. Don’t Fall for the Phishing Scam I Just Fell for
Don’t be like me. Don’t be dumb.
I feel like a fool. After years of occasionally writing articles about scams and fraud, I fell for a simple phishing scam on my cell phone. I gave up my debit card information to a scammer — possibly one based in the tiny European nation of Montenegro.
It happened like this: Two days after I mailed a package, I got a text message saying the package was undeliverable. A link took me to an official-looking Postal Service website where I was prompted to enter a card number to “re-mail” the package.
I typed in my personal financial information, even though in retrospect I obviously should have known better.
This experience left me with two burning questions:
- How did these scammers know I had sent a package in the mail?
- Is this something that other people should be worried about? How should they handle it?
So I spoke with a bunch of online security experts. They disagreed about whether the scammers actually knew I had mailed a package.
But they all agreed on one thing: This kind of phone texting scam is becoming increasingly common. People need to watch out, the experts say, because the problem is only likely to get worse.
How the Scam Worked
This was a classic phishing attack, delivered by text message (a variant sometimes called “smishing”).
“Phishing” is when someone poses as a reputable company or organization to get your personal information. They might pretend to be from your bank, the government or a business you’ve dealt with before. They might ask for your bank account number, Social Security number, passwords and other information that legitimate companies never request through an unsolicited text or email.
Here’s how the attack on me unfolded:
I recently mailed a package via the U.S. Postal Service. The important thing to know here is that I almost never do this. I rarely mail packages to people, but this was a special occasion.
Only two days later I got the following text: “[.USPS.] Your package is undeliverable, the address on file did not match the zip code, please update the address.”
Well! I stupidly clicked on the link provided, which brought me to a website that absolutely looked like an official U.S. Postal Service website. To “re-mail” my package, I typed in my debit card number, expiration date and three-digit verification number.
In my defense, I was a little tired and preoccupied at the time, so clearly I didn’t think this through. And I had been a little worried about the package I mailed, because it was important.
That’s why I missed a number of totally obvious red flags — such as the fact that this supposed “U.S. Postal Service” website I visited had a web address ending in “.me.” That is the internet domain for Montenegro, a smallish European country next to Serbia and Kosovo, north of Greece, and not the Postal Service’s usps.com.
Once I realized my mistake, I immediately called my bank and canceled my debit card before some scammer in the Balkans could use my information to drain my bank account.
Right now I have no debit card, which is inconvenient. But here’s what’s really bothering me: How did the scammers know I had mailed a package? I decided to ask some online security experts, including engineers, bank executives and attorneys who specialize in this kind of thing.
What the Experts Are Saying
“Mail delivery scams start with a seemingly official email or text about a package you’ve sent or a package being ‘sent’ to you,” said Washington, D.C., attorney Allan M. Siegel. “These texts or emails often urge you to click on a link to update personal information or payment methods.”
Siegel suspects a scammer got my phone number from “bots” located across millions of websites, and cross-referenced it with shipping data.
Martin Gasparian, an attorney with Maison Law in central California, agreed:
“Your data was likely taken by bots that prowl millions of sites on the internet,” he said. “In this case, your email or phone number was likely used on an official shipping website but was taken and used by scammers.”
“There are several ways for someone to get access to your USPS package information,” said network security engineer Andreas Grant, founder of security company Networks Hardware. “The most common one would be to get their hands on your package tracking information. A package travels a long way before reaching the destination, so a lot of people can be a suspect here.”
However, other security experts suspect that the scam text I got was probably a lucky guess by the scammer, not the product of inside information.
“It’s likely they had no way of knowing you were expecting a package. Instead, they will have sent exactly the same message to possibly millions of people,” said Colin Palfrey, chief marketing officer of the personal finance management company Crediful.
Chris Drake, a telecom security expert who’s the chief technology officer for a communications company called iconectiv, agreed:
“It is much more likely that they do not really know you are waiting for a package and instead they sent out a million of these and waited for responses.”
Here’s one thing all these experts agree on: These types of scams are becoming more and more common.
“People managing online shipping accounts need to be vigilant, as these scams are becoming increasingly sophisticated and difficult to detect,” warned Ben Michael, an attorney with Michael & Associates in Austin, Texas.
Tips for How to Protect Yourself
Again, don’t be like me. Pay close attention to every word in a text before you respond to it.
Here are tips from our experts and the Federal Trade Commission about how to avoid being scammed:
- Don’t click on links in unsolicited messages, as they may lead to phishing websites. If you think the message might be real, type the organization’s address into your browser yourself or open its official app instead.
- Be aware of red flags, such as poor grammar and spelling, and unfamiliar internet domains (for example, a web address that doesn’t end in the company’s usual domain).
- “Anytime you receive a text or email that asks you to reconfirm or reenter your credit card information, check the message carefully,” said Grant, the network security engineer. “Watch out for spelling errors in the URL, as scammers often use a slightly misspelled version of the original domain name.”
- Keep in mind that scammers want you to act now. That’s a dead giveaway. What’s the rush? It’s because they’re trying to con you into sending money before you find out who’s really on the other end. Resist the pressure to act immediately.
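As an added example (not code from the article or from any of the experts quoted), here is a small Python checker that applies the URL-inspection advice above to the text of an incoming message: it pulls out any links, works out the registrable domain, and flags the patterns described here, including a brand name sitting under an unrelated domain, the official domain embedded as a subdomain of something else, one- or two-character misspellings of the brand, unfamiliar domain endings such as “.me,” and links that aren’t HTTPS. The sample messages, the USPS-themed lookalike domains and the simplified domain parsing (last two labels rather than the Public Suffix List) are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this demo: the only legitimate registrable domain for the
# impersonated brand. A real deployment would maintain a fuller allow-list.
OFFICIAL_DOMAINS = {"usps.com"}
BRAND = "usps"

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample texts (the first reuses the wording quoted in the
# article; every link below is invented for the demonstration).
SAMPLE_TEXTS = [
    "[.USPS.] Your package is undeliverable, the address on file did not "
    "match the zip code, please update the address. "
    "https://usps-redelivery.me/track?id=123",
    "USPS: status update https://tools.usps.com/go/TrackConfirmAction.action",
    "Your parcel is on hold, confirm at http://usps.com.verify-address.top/pay.",
    "Re-mail fee due today: https://u5ps.com/re-mail",
]


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Simplification (assumption): real tooling should consult the Public
    Suffix List so that names like example.co.uk are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss brand spellings (u5ps)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str) -> dict:
    """Classify one URL as 'official' or 'suspicious' and explain why."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return {"url": url, "domain": reg, "verdict": "official", "reasons": []}

    reasons = ["registrable domain %s is not an official %s domain" % (reg, BRAND.upper())]
    second_level, tld = reg.split(".")[0], reg.split(".")[-1]
    # usps.com.verify-address.top: the real name is only a subdomain label.
    if any(off in host for off in OFFICIAL_DOMAINS):
        reasons.append("official domain embedded as a subdomain of " + reg)
    # usps-redelivery.me: brand name present, but under someone else's domain.
    elif BRAND in host.replace("-", ""):
        reasons.append("brand name '%s' used under non-official domain %s" % (BRAND, reg))
    # u5ps.com / uspss.com: a slightly misspelled version of the brand.
    elif 0 < edit_distance(second_level, BRAND) <= 2:
        reasons.append("'%s' is a near-miss spelling of '%s'" % (second_level, BRAND))
    if tld != "com":
        reasons.append("unexpected top-level domain .%s" % tld)
    if parts.scheme.lower() != "https":
        reasons.append("not served over HTTPS")
    return {"url": url, "domain": reg, "verdict": "suspicious", "reasons": reasons}


def scan_message(text: str) -> list:
    """Find every link in a message and assess each one."""
    urls = [m.group(0).rstrip(".,;:!?") for m in URL_RE.finditer(text)]
    return [assess_url(u) for u in urls]


if __name__ == "__main__":
    for text in SAMPLE_TEXTS:
        for result in scan_message(text):
            print(result["verdict"].upper(), result["url"])
            for reason in result["reasons"]:
                print("   -", reason)
```

The checker is a heuristic, not proof: a legitimate company can send tracking links on a domain other than its main one, so a “suspicious” verdict means “go to the organization’s site yourself and check,” not “this is definitely a scam.” The opposite is also true, since a stolen or compromised official site is not flagged by domain inspection alone.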
What to Do if You Sent Money to a Scammer
Here’s The Penny Hoarder’s step-by-step guide for what to do if you’ve been scammed. And here’s the gist:
- Lock down your bank accounts and credit cards.
- Contact the three major credit bureaus. You can also use a service called Credit Sesame, which will help you detect any errors on your credit report — for free. If you find any, Credit Sesame will help you dispute them.
- Change your passwords.
- Report the crime to your local police department, state regulators and the FBI.
Again, don’t be like me. Pay close attention. Don’t get fooled.
The scammers are more active than ever, and they’re not going anywhere. Use your head, keep your eyes open, and watch your back.
Mike Brassfield is a senior writer at The Penny Hoarder.