Overview of phishing techniques: Order/delivery notifications
One thing no one can deny is that online shopping is a common practice these days. With this, of course, comes order notifications and delivery notifications when packages arrive. Phishers are aware of this and have been using a phishing technique to exploit it.
This article will detail the order/delivery notification phishing technique and will provide an overview of what it is, how it works, how you can spot it and what you can do to protect yourself.
See Infosec IQ in action
What is the order/delivery notification phishing technique?
The order/delivery phishing technique is when phishers send you a notification of an order or delivery that you did not make. They then request that you confirm your identity or reschedule a non-delivered package, or use any other method to spur user interaction. It could say you have a delivery waiting for you that requests confirmation of your personal information, or that you have placed an order that failed (again requesting personal information), or that you have a failed delivery (also known as a non-delivery notification) and that you have to click on a link to confirm the package so you can receive it. They also can contain an attached file that is infected with malware.
These are typical examples of this technique, but it is by no means an exhaustive list. Phishers are creative and always thinking of new ways to scam victims, and this includes using new variants of this technique to exploit victim’s fear or greed.
The holiday season normally sees an increase in the use of this phishing technique, taking advantage of the lowered cybersecurity defenses that seem to affect people during this time. A public health crisis also sees rising levels of this technique, as online shopping is the only way that many non-essential products can be purchased.
How does this phishing technique work?
This phishing technique works on more than one level to exploit its victim. The first, and most obvious, is by taking advantage of lowered attention to cybersecurity during the holiday season or other time of relatively higher stress. Whether it is out of laziness, stress or hope that a secret Santa is sending you a present, individuals are susceptible to this phishing technique. And for people who make a lot of purchases online, they might not recognize the package only because they receive so many and simply click through out of habit.
Part of the success of this technique relies on using a legitimate-looking email format and official-looking company logo. A commonly used format is the Amazon Order Confirmation email with the order number in the email subject. However, this deception leaves breadcrumbs of its illegitimacy with typos and misspelled domains and URLs.
The email or message contains malicious links. If you click on them to confirm your identity or other personal information, you will expose yourself to malware and/or identity theft. These links may ask you to confirm your personal information or to confirm that you received the email.
Regardless of the premise of the link, clicking on one will download malware, presenting you with a fraudulent web form asking for your personal information that will steal your information.
Asprox is an example of malware that could be lurking within a malicious link or file attachment. This particularly malicious Trojan can harvest credentials from infected machines, including email and other identifiers, turn your computer into a zombie in a spam botnet and perpetuate future Asprox attacks.
How do you spot this phishing technique?
This phishing technique can be spotted in more than one way, but in any event, you need to remember that at no time should you drop your cybersecurity shield. This is necessary in order to avoid becoming a victim.
First, the easiest way to avoid this is to remember if you have ordered something recently, and if you think it may be a gift, check who the sender is. If it is a phishing scheme at work, you will not know who the sender is and it will possibly be from a sketchy looking email address.
The second way is to check for typos and misspellings. Legitimate emails will not contain typos, and phishers have to use misspelled URLs and domains because they redirect the user to a malicious website.
How do you protect yourself from this phishing technique?
Keeping in mind that phishers using this technique are operating on an assumption that your cybersecurity shields are down, use the tips below to protect yourself:
- Check your records to see if you ordered something but forgot
- If you know the sender and are in doubt, confirm if they sent you something
- Check for misspelled URLs and domains as well as typos in the email
- Never click any link in the email
- Never download any attached files
- Refresh your mind with any notes you may have from your past cybersecurity training
The order/delivery notification phishing technique is designed to take advantage of a reduced sense of cybersecurity. These emails prey upon the stress, fear and increased willingness to interact with order/delivery messages that are higher during certain periods of the year, such as the holidays.
By remembering your cybersecurity training, being mindful of what you have ordered (and from whom), keeping an eye out for the signs of phishing explored above and not clicking on links or downloading files from these emails, you can keep yourself safe from this technique.
Phishing simulations & training
- Be Wary of Order Confirmation Emails, Krebs on Security
- Amazon Order Confirmation Phishing Scam, Infosecurity Magazine
- PSA: Watch Out for This New Text Message Package Delivery Scam, How-To Geek
- Package Scams, AARP Fraud Resource Center