Fake USPS package notification harvests your MFA tokens

Beware of this recent phishing campaign that claims to be from USPS. This sophisticated scheme involves an email claiming that a package has arrived but requires urgent attention from the recipient. The email informs the recipient that their shipment arrived on the same day the email was sent, January 24, 2023, and that the house number is missing from the package label, making it impossible to deliver the package to their door. The recipient is then prompted to click the "Send my package" button, which leads to a well-designed webpage that appears legitimate.

The webpage requires the recipient to enter their address and credit card details in order to track their package. It even harvests Multi-factor Authentication (MFA) tokens: it asks the recipient to verify their payment method by entering a one-time password sent by SMS to their mobile. Completing that verification hands the attackers a live code, which can let them pass the MFA check on a service that requires it.

Several red flags make this phishing email suspicious. Firstly, the sender's email address is unrelated to USPS, which is a clear warning sign. Secondly, the email creates a sense of urgency by threatening that the package will be returned if the recipient does not take immediate action. Thirdly, the "Send my package" link leads to a website that does not make sense in the context of the email. The domain itself is also unrelated to USPS.

Off the hook – How to detect the attack and protect your organization from it

To protect yourself from similar phishing attacks, there are several simple but effective steps that you can take. Firstly, it's essential to check the sender's email address and whether it makes sense in the context of the email. Many phishing emails use fake sender addresses, so it's important to be vigilant and not trust them blindly.

Secondly, always hover over links before clicking to see where they lead. If you have any doubts, it's always better to manually navigate to the website of the service instead of clicking on links in emails. This can help to prevent you from falling into a trap set up by scammers.

Lastly, it's crucial to check that the domain is related to the service. Many phishing websites use fake domains, so it's important to double-check the URL to ensure that it is genuine. By following these simple steps, you can significantly reduce the risk of becoming a victim of a phishing attack. Remember, it's always better to be safe than sorry when it comes to protecting your personal and financial information.
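The three manual checks above (does the sender domain belong to the claimed brand, where does each link actually point, and is the link domain related to the service) can also be automated for triage. The script below is an added example written for this post, not Hoxhunt code or anything from the campaign itself. It assumes a small brand-to-domain allowlist, a crude "last two labels" domain reduction in place of the Public Suffix List, and two constructed sample messages whose sender and link domains are `.invalid` placeholders rather than observed indicators.

```python
"""Heuristic triage of a suspected brand-impersonation email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand keyword -> domains the brand legitimately uses. Assumption for the demo;
# a real deployment maintains this per brand it cares about.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
}

# Constructed sample modelled on the lure described in the post. The domains are
# placeholders (.invalid), not real indicators from the campaign.
SAMPLE_EML = """\
From: "USPS Delivery" <notice@example-parcel-alerts.invalid>
To: recipient@example.com
Subject: Your package could not be delivered
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your USPS shipment arrived today but the house number is missing.</p>
<a href="http://track.example-parcel-alerts.invalid/confirm">Send my package</a>
</body></html>
"""

# Constructed benign counterpart: sender and link both on the brand's domain.
LEGIT_EML = """\
From: "USPS" <auto-reply@usps.com>
To: recipient@example.com
Subject: Tracking update
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.usps.com/">Track your item</a></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Reduce a hostname to its last two labels (enough for .com-style TLDs;
    use the Public Suffix List for anything serious)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(text):
    """Return the first known brand keyword the message mentions, if any."""
    lowered = text.lower()
    return next((b for b in BRAND_DOMAINS if b in lowered), None)


def analyze(raw_eml):
    """Apply the sender-domain, link-target and link-text checks to one message."""
    msg = message_from_string(raw_eml)
    display_name, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""

    # Gather every text/html and text/plain part (works for single and multipart).
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(parts)

    brand = claimed_brand(" ".join([display_name, msg.get("Subject", ""), body]))
    findings = []
    # Check 1: does the sender domain make sense for the brand being invoked?
    if brand and registered_domain(sender_domain) not in BRAND_DOMAINS[brand]:
        findings.append(f"sender domain {sender_domain!r} is unrelated to {brand}")

    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        # Check 2: the "hover" test. If the visible text looks like a URL,
        # compare it with where the link really goes.
        if re.search(r"\w\.\w", text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and registered_domain(shown) != registered_domain(host):
                findings.append(f"link text shows {shown!r} but points to {host!r}")
        # Check 3: is the link's domain related to the claimed service?
        if brand and registered_domain(host) not in BRAND_DOMAINS[brand]:
            findings.append(f"link {text!r} -> {host!r} is unrelated to {brand}")

    return {"brand": brand, "sender_domain": sender_domain,
            "links": extractor.links, "findings": findings}


if __name__ == "__main__":
    for label, eml in (("suspicious", SAMPLE_EML), ("legitimate", LEGIT_EML)):
        print(label, analyze(eml)["findings"] or ["no findings"])
```

Run against the constructed lure it reports two findings (sender domain and link target both unrelated to USPS) and none for the benign counterpart, which is the same conclusion the manual checks reach.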
