Beware, Scammers Are Targeting Holiday Shoppers With A USPS Phishing Scam
We have received multiple reports of users receiving fraudulent text messages informing them that a package cannot be delivered because the shipping address could not be verified. The messages then direct recipients to resubmit their addresses for verification by following a hyperlink at the end of the message. The image below is a screenshot of one of these messages sent from a phone number serviced by T-Mobile with no associated name.

Based on the reports received by HotHardware, the scammers are using multiple domain names to carry out this phishing campaign, likely switching to fresh domains frequently rather than sticking with a set of domains that would likely be flagged for malicious activity. According to WHOIS records, the domain name linked in the message shown above was registered only a day before that particular smishing message was sent. Now, just a day later, visiting the domain returns a 403 Forbidden error rather than the fraudulent USPS website. Reports of these smishing messages received today specify different, and likely newer, domain names. We gather, then, that the threat actors behind this campaign are moving fast in the hope of staying ahead of scam reports.
Anyone who believes they may have fallen victim to this phishing scheme should contact the issuer of their debit or credit card right away to have the card canceled and re-issued. Taking immediate action may prevent the scammers from making any fraudulent charges. Going forward, users should know that the official USPS website is located at usps.com. Users should avoid visiting any websites that appear or claim to be the USPS site but are located at domains other than the official one.
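The advice above to trust only usps.com can be applied mechanically to links pulled from a text message. The following Python sketch is an added example, not code from HotHardware or USPS; the sample messages, the `.example` hosts and the function names are constructed for illustration. It compares the parsed hostname instead of searching the link text, because a link can contain "usps.com" without being hosted there.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "usps.com"  # the official site named in the article

# Constructed sample texts; the .example hosts are placeholders, not real IoCs.
SAMPLE_MESSAGES = [
    "USPS: package on hold, address unverified. Update: "
    "https://usps.com.redelivery-check.example/address.",
    "Confirm your address at https://usps.com@parcel-verify.example/track",
    "Track your package at https://www.usps.com/",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(message):
    """Return http(s) links in a message, minus trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]


def is_official_usps(url):
    """True only when the link's host is usps.com or one of its subdomains."""
    try:
        host = urlsplit(url).hostname  # drops any "user@" prefix and the port
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return False
    if not host:
        return False
    host = host.rstrip(".").lower()
    # Match the exact domain or a dot-separated suffix, never a substring:
    # "usps.com.redelivery-check.example" contains "usps.com" but is not USPS.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def suspicious_links(messages):
    """List every link in the messages that is not hosted on usps.com."""
    return [u for m in messages for u in extract_urls(m) if not is_official_usps(u)]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_MESSAGES):
        print("not usps.com:", link)
```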
Users can also increase their chances of successfully disputing fraudulent charges and receiving full reimbursements by using credit cards online, as, unlike debit cards, charges applied to credit cards don’t directly pull funds out of cardholders’ bank accounts. For cybersecurity purposes, a credit card with auto-pay enabled functions effectively like a debit card with a significant buffer period before funds are withdrawn.