A smishing campaign is impersonating the UK-based delivery company Evri with text messages informing recipients that their package couldn’t be delivered, according to Paul Ducklin at Naked Security. The messages state that a driver tried to deliver a package, but no one was home. The texts contain a link for the recipient to reschedule their delivery. If a user clicks on this link, they’ll be taken to a phishing site that attempts to harvest their personal and financial information.
Ducklin offers the following recommendations for users to avoid falling for these types of scams:
- “Check all URLs carefully. Learn what server names to expect from the companies you do business with, and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms.
- “Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all! (See point 1 above.) Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.
- “Report compromised cards or online accounts immediately. If you get as far as entering any banking data into a fake pay page and then realise it’s a scam, call your bank’s fraud reporting number at once. Look on the back of your actual card so you get the right phone number. (Remember that you don’t have to click [OK] or [Continue] for a web form to capture any partial data you have already entered.)
- “Check your bank and card statements. Don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through. Be alert for incoming funds you weren’t expecting, too, given that you can be called to account for any income that passes through your hands, even if you neither asked for it nor expected it.”
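
The first recommendation above (learn the server names you expect and stick to them) amounts to an exact-host comparison rather than looking for a familiar name somewhere in the link. The Python below is an added example, not code from Naked Security or this post; the `.example` hostnames, the sample message and the function names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the user bookmarked from a trustworthy source.
# "parcels.example" is a constructed placeholder, not a real courier domain.
EXPECTED_HOSTS = {"parcels.example", "www.parcels.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def check_link(url, expected=EXPECTED_HOSTS):
    """Return (ok, reason); only an exact match on the host passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not https"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    # "https://brand@other-host/" shows the brand first but goes to other-host.
    if "@" in parts.netloc:
        return False, "userinfo before host"
    # Punycode or non-ASCII labels can render as lookalike characters.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return False, "punycode label"
    # Exact comparison: "parcels.example.something.example" contains the
    # brand as a prefix but is a different server.
    if host not in expected:
        return False, "unexpected host"
    return True, "expected host"

def check_message(text, expected=EXPECTED_HOSTS):
    """Check every http(s) link found in a message body."""
    return [(u, *check_link(u, expected)) for u in URL_RE.findall(text)]

# Constructed sample message for demonstration.
SAMPLE_SMS = ("Delivery attempted, no one home. Reschedule: "
              "https://parcels.example.redelivery-fee.example/r?id=1 "
              "or track at https://www.parcels.example/track/ABC123")

if __name__ == "__main__":
    for url, ok, reason in check_message(SAMPLE_SMS):
        print("OK  " if ok else "FLAG", reason, url)
```
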
New-school security awareness training can enable your employees to follow security best practices so they can avoid falling for social engineering attacks.