I immediately knew it was a scam because the USPS would never wish me a wonderful day : scams

[–] [email protected] 25 points 1 year ago (2 children)

It amazes me that people fall for shot-in-the-dark e-mail scams like this (they must, or scammers wouldn't still be doing them).

I mean, yeah, they have to get lucky to match your actual current circumstances (ie, you're really waiting for a USPS package right now, or you are a customer of the bank they randomly guessed when generating the scam message), but even if that occurs...

I'm just stunned that there are so many people out there who blindly go "oh yeah, it must be them, how else would they know?" and proceed straight to the scammer through that e-mail link to dump info (or unknowingly download malware). It's absolutely insane to me.

If it's really your company, then your thought process should be... thanks for the heads up, I'll just go to your actual official site that's in no way attached to this e-mail to check my account or tracking number or whatever.

[–] [email protected] 15 points 1 year ago

Sooo many scams would be prevented if we taught people to go to the actual site, or reach out yourself via phone call to a known branch/building.

If my banks calls me, it's perfeclty fine for me to hang up and initiate the phone call myself. That way I'm 100% sure it's the bank I'm taking to

[–] [email protected] 10 points 1 year ago

There's a shocking number of people who are unfathomably tech illiterate, to the point that they can't recognize things like this. At work, I'll ask people what page they're referring to on our web site, and you'd be shocked and dismayed by how many people say things like "I was on google."

I legit wish I could teach a class on just the ABCs of digital security, especially for elderly people.

[–] [email protected] 22 points 1 year ago (2 children)

Hell yes, the USPS is one of the few organizations that is straightforward and doesn't include those kind of fake pleasantries like for profit businesses do.

[–] [email protected] 10 points 1 year ago

Gotta respect that

[–] [email protected] 5 points 1 year ago (1 children)

All the same, there's a old mustachioed guy that works the counter at my local USPS and he's super friendly, always says have a good day.

[–] [email protected] 6 points 1 year ago

That doesn't sound like fake pleasantries and is not what we are talking about.

[–] [email protected] 15 points 1 year ago (2 children)

I've gotten 8 of these texts in the last 9 days. Every single one has a different URL. Out of curiosity I clicked on one of the links and chrome detected Chinese on the page but I couldn't see it anywhere.

[–] [email protected] 8 points 1 year ago (1 children)

Isn't it risky even to click the links?

[–] [email protected] 4 points 1 year ago (2 children)

Shouldn't be that risky, browser exploits are rare nowadays. They'll get your IP but there isn't much a scammer can do with that especially if it's a mobile data IP.

[+] [email protected] 6 points 1 year ago (2 children)

[deleted]

[–] [email protected] 3 points 1 year ago (1 children)

How would they do that? The url in the OP is just a short domain, it doesn't have a tracking code. They aren't going to register individual domains for every potential mark.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I can think of at least 2 ways to make it useful.

First, you're most likely to click the link within a few seconds or minutes of receiving it. So, you send out the link to one number, and wait 5 minutes before sending it to another number. If you get a hit on that domain, there is a very good chance it was the last number that converted into a click. You'll get some false positives conversions, yes. But at the end of your campaign, you have a very good list of people known to quickly click through.

Second, you don't necessarily need a 1-to-1 correlation. You might just be trying to refine your target lists to find the numbers most likely to convert.

Say you have a large list of numbers to check for gullibility. You set them into groups of 100, and send all 100 to the same domain. Every time someone clicks through, you increase the rating of everyone in the group. So, 1 person in your first group clicks through, everyone in the group gets "1" added to their rating. 99 will be false positives, but this group is infinitely more valuable to you than a group of zeroes.

Repeat with a second group and a new domain: 20% click through, everyone in this group gets "20" added to their rating. This list is 20 times more valuable than the first, even though 80% of them are a false positive.

Once you've gone through your entire list, drop all the zeroes, subtract 1 from every score, rinse and repeat.

After just a few repetitions, you have a high quality list, very rich in potential targets.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I don't think the timing attack method would work very well since they probably have thousands of numbers to go through. The other one, I guess, but it seems like a lot of effort to find out who is slightly more likely to click things when they could have included a tracking code instead (or, like what they did, requested a reply text in addition to going to the link). I think it probably isn't that risky to just look at the website.

[–] [email protected] 1 points 1 year ago

RCS chat at the top already proved the number is real to the spammer who sent it. Otherwise, RCS straight up fails with a client side message it can't be sent/delivered. In which case the client would retry as a basic text on prompt.

[–] [email protected] 1 points 1 year ago (1 children)

Didn't all major browsers recently push an urgent update due to a browser exploit?

[–] [email protected] 2 points 1 year ago

Probably, but my understanding is that knowledge of exploits pre-patch is very valuable and difficult to come by, and the more systems the hack is used on the faster it gets patched. For that reason these are only really used in high value and targeted attacks, and not so much broad net phishing campaigns.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

I've been getting these 1-3 times a day every day for the last month.

[–] [email protected] 14 points 1 year ago (1 children)

I love when I get texts like this as a Canadian. You'd think the scammers would at least message people in a relevant country.

[–] [email protected] 2 points 1 year ago

It's a good filter: any Canadians who aren't immediately put off by that are easy prey.

[–] [email protected] 12 points 1 year ago (1 children)

Well, that and the obviously bad link along with weird instructions on how to use it.

[–] [email protected] 11 points 1 year ago (1 children)

I was just joking a bit. It's pretty obvious right out the gate when they refer to "the USPS package" instead of giving a tracking number or something

[–] [email protected] 4 points 1 year ago

Also, it would properly be "A USPS package".

[–] [email protected] 9 points 1 year ago (2 children)

Also how would they have sent It to the right warehouse without the full address info

[–] [email protected] 7 points 1 year ago

It's not the right warehouse, it's "the" warehouse.

[–] [email protected] 4 points 1 year ago (1 children)

and somehow they had your phone number

[–] [email protected] 2 points 1 year ago (1 children)

That doesn't seem that far-fetched. Half the places ask for a phone number along with your shipping information. If you try not to provide one, they say your address is incomplete.

[–] [email protected] 3 points 1 year ago (1 children)

It’s common for FedEx and UPS but not the post office as far as I know.

[–] [email protected] 2 points 1 year ago

How much do people pay attention to that detail, though? I certainly haven't. And I at least differentiate between UPS and USPS while I know a good handful of people that don't remember which is which and don't particularly care.

Plus, if you're buying something on Amazon, you have no idea who will be shipping it when they ask for the shipping address, so pretty good chance you did give your phone number when buying the thing you're expecting from USPS.

[–] [email protected] 7 points 1 year ago (1 children)

I got half a dozen of these last week and they were all from a country code in the Philippines. I'm not in the Philippines.

[–] [email protected] 7 points 1 year ago

Neither is the USPS.

[–] [email protected] 6 points 1 year ago

I get these pretty much daily at this point

[+] [email protected] 5 points 1 year ago* (last edited 11 months ago)

[deleted]

[–] [email protected] 4 points 1 year ago

I've been getting something similar here in the UK, but from the Royal Mail interestingly enough....

[–] [email protected] 4 points 1 year ago

I've been getting similar spam text messages for the past month or so.

Always immediately block and report as spam, but assume it's constant rotating numbers, as I get a few per week.

Appears to be a common, and annoying scam. I'm on android, and they usually do a good job detecting/not showing spam. Hope Google steps up their game on this one.

[–] [email protected] 3 points 1 year ago (1 children)

Ive been getting this message every day since the post... :(

[–] [email protected] 2 points 1 year ago

That post was the first one I got, but I got 3 more yesterday.