Overview of phishing techniques: Order/delivery notifications
Introduction
One thing no one can deny is that online shopping is a common practice these days. With this, of course, comes order notifications and delivery notifications when packages arrive. Phishers are aware of this and have been using a phishing technique to exploit it.
This article will detail the order/delivery notification phishing technique and will provide an overview of what it is, how it works, how you can spot it and what you can do to protect yourself.
Phishing simulations & training
What is the order/delivery notification phishing technique?
The order/delivery phishing technique is when phishers send you a notification of an order or delivery that you did not make. They then request that you confirm your identity or reschedule a non-delivered package, or use any other method to spur user interaction. It could say you have a delivery waiting for you that requests confirmation of your personal information, or that you have placed an order that failed (again requesting personal information), or that you have a failed delivery (also known as a non-delivery notification) and that you have to click on a link to confirm the package so you can receive it. They also can contain an attached file that is infected with malware.
These are typical examples of this technique, but it is by no means an exhaustive list. Phishers are creative and always thinking of new ways to scam victims, and this includes using new variants of this technique to exploit victim’s fear or greed.
The holiday season normally sees an increase in the use of this phishing technique, taking advantage of the lowered cybersecurity defenses that seem to affect people during this time. A public health crisis also sees rising levels of this technique, as online shopping is the only way that many non-essential products can be purchased.
How does this phishing technique work?
This phishing technique works on more than one level to exploit its victim. The first, and most obvious, is by taking advantage of lowered attention to cybersecurity during the holiday season or other time of relatively higher stress. Whether it is out of laziness, stress or hope that a secret Santa is sending you a present, individuals are susceptible to this phishing technique. And for people who make a lot of purchases online, they might not recognize the package only because they receive so many and simply click through out of habit.
Part of the success of this technique relies on using a legitimate-looking email format and official-looking company logo. A commonly used format is the Amazon Order Confirmation email with the order number in the email subject. However, this deception leaves breadcrumbs of its illegitimacy with typos and misspelled domains and URLs.
The email or message contains malicious links. If you click on them to confirm your identity or other personal information, you will expose yourself to malware and/or identity theft. These links may ask you to confirm your personal information or to confirm that you received the email.
Regardless of the premise of the link, clicking on one will download malware, presenting you with a fraudulent web form asking for your personal information that will steal your information.
Asprox is an example of malware that could be lurking within a malicious link or file attachment. This particularly malicious Trojan can harvest credentials from infected machines, including email and other identifiers, turn your computer into a zombie in a spam botnet and perpetuate future Asprox attacks.
How do you spot this phishing technique?
This phishing technique can be spotted in more than one way, but in any event, you need to remember that at no time should you drop your cybersecurity shield. This is necessary in order to avoid becoming a victim.
First, the easiest way to avoid this is to remember if you have ordered something recently, and if you think it may be a gift, check who the sender is. If it is a phishing scheme at work, you will not know who the sender is and it will possibly be from a sketchy looking email address.
The second way is to check for typos and misspellings. Legitimate emails will not contain typos, and phishers have to use misspelled URLs and domains because they redirect the user to a malicious website.
How do you protect yourself from this phishing technique?
Keeping in mind that phishers using this technique are operating on an assumption that your cybersecurity shields are down, use the tips below to protect yourself:
- Check your records to see if you ordered something but forgot
- If you know the sender and are in doubt, confirm if they sent you something
- Check for misspelled URLs and domains as well as typos in the email
- Never click any link in the email
- Never download any attached files
- Refresh your mind with any notes you may have from your past cybersecurity training
Conclusion
The order/delivery notification phishing technique is designed to take advantage of a reduced sense of cybersecurity. These emails prey upon the stress, fear and increased willingness to interact with order/delivery messages that are higher during certain periods of the year, such as the holidays.
By remembering your cybersecurity training, being mindful of what you have ordered (and from whom), keeping an eye out for the signs of phishing explored above and not clicking on links or downloading files from these emails, you can keep yourself safe from this technique.
Phishing simulations & training
Sources
- Be Wary of Order Confirmation Emails, Krebs on Security
- Amazon Order Confirmation Phishing Scam, Infosecurity Magazine
- PSA: Watch Out for This New Text Message Package Delivery Scam, How-To Geek
- Package Scams, AARP Fraud Resource Center
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Overview of phishing techniques: Order/delivery notifications
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
