Beware the Smish! Home delivery scams with a professional feel…

Home delivery scams, where the crooks falsely apologise to you for not delivering your latest parcel, have been around for years.

However, as we have unfortunately needed to say many times on Naked Security, these scams seem to have become steadily more professional-looking during the pandemic, as more and more people have got into the habit of ordering deliveries for everyday shopping instead of heading into stores.

For example, here’s a contemporary SMS-based scam (phishing that is kicked off by a text message, or SMS, is wryly known as smishing) that makes a good “picture story” of how these cybercrimes unfold.

In this criminal campaign, the scammers were targeting a home delivery company in the UK called Evri.

Unfortunately, and perhaps entirely deliberately on the part of the criminals, “Evri” is a recent UK-specific rebrand of the German company “Hermes”, so that UK customers may very well still be getting used to the new look and feel of the rebranded website, and to the new domain name.

Officially, the company’s web presence is at evri.com, so these crooks have grabbed a domain of the form evri-xxxxxxx.com to make things seem believable:

By the way, the domain used in this attack was first registered just yesterday, probably for use in this scam only, and at the time of writing, the content was served up by a hosting company based in Moscow, Russia.

Hosting companies typically provide ready-to-go web server templates, complete with HTTPS certificates that put a padlock in the address bar, and even if the service provider is responsive to complaints and turns off the website within a day or two, the crooks may well have got everything they were after from their fake server already.

When we tried the URL in this scam, we routinely experienced HTTP 404 errors (page not found) when visiting from a regular browser, meaning that the website was alive and responding, but effectively ignoring our requests.

As soon as we used a mobile browser, however, as you are likely to do when receiving a link directly on your mobile phone, the site sprang to life:

As you can see in the top left corner, underneath the popup asking for your postcode, the crooks have inserted a realistic Evri logo, even retaining the official text The new Hermes to “remind” visitors about the brand change.

You should baulk at the next page, of course, because delivery companies don’t ask for personal ID merely for parcel tracking purposes, but there are no obvious visual or spelling errors to warn you off:

Next, there’s a fake charge for a modest amount that doesn’t sound too much to lose if the transaction turns out to be fraudulent…

…except that the “redelivery charge” is there merely to give the criminals an excuse to ask for payment details:

If you put your credit card number and bank details into this page, you aren’t going to lose £1.45 (just under $2)…

…you’re going to lose your personal details to the crooks, who will probably use your card or bank account details themselves for a much more ambitious scam, or will sell them on to other crooks who specialise in that aspect of the cybercrime “business sector”.

Finally, there’s a short delay while the site pretends to “verify” your payment, after which the bogus site sneakily transfers you to the real one, so things appear to have ended normally:

What to do?

  • Check all URLs carefully. Learn what server names to expect from the companies you do business with, and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms.
  • Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all! (See point 1 above.) Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.
  • Report compromised cards or online accounts immediately. If you get as far as entering any banking data into a fake pay page and then realise it’s a scam, call your bank’s fraud reporting number at once. Look on the back of your actual card so you get the right phone number. (Remember that you don’t have to click [OK] or [Continue] for a web form to capture any partial data you have already entered.)
  • Check your bank and card statements. Don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through. Be alert for incoming funds you weren’t expecting, too, given that you can be called to account for any income that passes through your hands, even if you neither asked for it nor expected it.

And, of course, when it comes to personal data of any sort: if in doubt, don’t give it out.
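
As an added illustration of the “check all URLs carefully” advice (not code from the original article), this Python function treats a link as genuine only when its host is exactly the official domain or a subdomain of it, which is why a name of the form evri-xxxxxxx.com fails the test. The function and constant names, and the `parcel-help.example` sample hosts, are constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: evri.com (named in the article) is the only
# domain treated as genuine. Names here are illustrative, not from any tool.
OFFICIAL_DOMAINS = {"evri.com"}
BRAND_LABELS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}   # {"evri"}


def classify_link(url: str) -> str:
    """Classify a message link as 'official', 'lookalike', 'unrelated' or 'invalid'."""
    if "://" not in url:
        url = "https://" + url          # links in texts often omit the scheme
    try:
        parts = urlsplit(url)
    except ValueError:
        return "invalid"                # malformed link: do not follow it
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased

    # Genuine only if the host IS the official domain or a subdomain of it.
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "official"

    # The brand name anywhere else in the authority part is an imitation:
    # evri-xxxxxxx.com, evri.com.other.example, or evri.com@other.example
    # (text before '@' is a username, not the site the browser will reach).
    # Substring matching can over-flag unrelated names; that is the safe side.
    authority = parts.netloc.lower()
    if any(label in authority for label in BRAND_LABELS):
        return "lookalike"
    return "unrelated"


# Constructed sample links; the second uses the redacted form from the article.
SAMPLES = [
    "https://www.evri.com/track-a-parcel",
    "evri-xxxxxxx.com/redelivery",
    "https://evri.com.parcel-help.example/track",
    "https://www.evri.com@parcel-help.example/",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

Only the first sample is classified as official; the padlock and the scheme play no part in the decision, because a lookalike site can serve HTTPS just as easily.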


EVRI’S SITE IN REAL LIFE

In real life, Evri’s site is at evri.com, not at any variations on that theme. The company has an official track-your-parcel page at this easily bookmarked URL:

https://www.evri.com/track-a-parcel

Find your own way there and you will see that the company doesn’t rely on personal data such as name and date of birth for parcel tracking – instead, the company uses one-off tracking or non-delivery codes:

These 16-digit and 8-digit codes are explained clearly at the site’s own help page:

https://www.evri.com/faqs/receiving-a-parcel/how-do-i-track-my-parcel

Find your own way to get in touch with the real sender to find out the 16-digit code if ever you need it.

And remember that the company’s 8-digit “calling card” codes are printed on physical calling cards you should find at your own doorway, thus giving you some confidence that a delivery really was attempted.

Don’t be fooled by emails or unsolicited electronic messages that could have come from anywhere:
