That email about your delivery could be fake: Phishing scammers increase their attack on online shoppers

Cyber criminals are looking to take advantage of the holiday shopping season. That could put personal and corporate data at risk.
Written by Danny Palmer, Senior Writer

There's been a huge rise in one particular form of phishing attack as cyber criminals look to exploit the combination of the holiday season shopping rush and the move to e-commerce

More online shopping means people are receiving more emails about the shipment and deliveries of their orders and cyber criminals are actively looking to take advantage of this with phishing emails impersonating internationally known shipping companies. And while these campaigns predominantly target consumers, they're also dangerous to businesses too.

Researchers at cybersecurity company Check Point say there's been an over 440% increase in shipping-related phishing emails over the past month. There's been a spike in these attacks around the world, with Europe seeing the biggest surge, followed by North America and the Asia Pacific region.

SEE: Identity theft protection policy (TechRepublic Premium)

The emails are designed to look like they come from shipping companies and retailers, and feature messages claiming that there's been a "delivery issue" or urging users to "track your shipment".

Shoppers who've ordered items online are likely to be concerned about any potential problems around delivery, so could easily open the emails and end up falling victim to cyber criminals.

In some cases, the phishing emails – which have all the appropriate branding of the delivery firm that they're mimicking – will claim that potential victims need to make an additional payment to secure their item, directing them to a page that is used to steal their personal information, including name, address and credit card details.

Malicious hackers can either use the stolen financial data and other personal information directly to commit fraud and raid bank accounts themselves, or alternatively they could sell the stolen details onto other cyber criminals on underground forums.

Cyber attackers also design phishing emails that ask users to click on a link to login to their account to solve an issue. This malicious link directs victims to a fake version of the delivery company's web page that sends the email address and password to the attacker.

Once again, cyber criminals can either exploit this for themselves by raiding accounts or for harvesting personal details, which they use themselves or sell onto others to users on the dark web.

While it might first appear that this form of phishing attack is predominantly a risk to consumers, some people could have online shopping accounts tied to their corporate email addresses, and use the same passwords, something which is a very bad idea.

That means malicious hackers could potentially use these attacks as a gateway to gaining entry to corporate networks – and approach that could me much more lucrative than stealing bank account information.

"These phishing campaigns are a risk to businesses as well as consumers, as people may share passwords or other credentials across both personal and work-related accounts and inadvertently give them away," Ian Porteous, regional director for security engineering at Check Point, told ZDNet.

"It only takes a few moments of inattention for a user to be tricked by these scams – especially as they play on peoples' expectations of receiving goods they may have ordered – and given the large numbers of people still working from home, this is exactly what hackers are relying on. For them, it's just a numbers game to try and steal as much sensitive data as they can," he added.

SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened

In order to help protect against shipping email and other phishing attacks, users are urged to be suspicious of unexpected messages, particularly those that claim to require some sense of urgency as it's a common psychological trick used by cyber criminals.

If users are concerned that a request could be legitimate, they shouldn't follow links in the email, but they should visit the retailer or shipping company page directly.


Editorial standards