Online shopping is in the midst of its biggest season ever, with Amazon reporting third-party sales of $4.8 billion in the days after Thanksgiving, up 60% from last year. Now, hackers are sending out fake shipping notification links to capitalize on the surge.
The fraudulent delivery messages appear to come from Amazon, FedEx, UPS and other major shippers, but they launch malware or mine for personal information. Cybersecurity firm Check Point Software Technologies found these messages impersonating shippers were up 440% from October to November, and 72% since November last year.
Long Beach realtor Tom Hoehn was expecting a package from UPS when he got one of these emails.
"It looked like it was from UPS and it said we were unable to deliver your package. However, if you click on the following link you can look up the tracking information on that package and then you can reroute it back to your place. At that point, I clicked on the link and my screen started flashing," Hoehn said.
"The message said, 'You have been hacked. We have encrypted all of your files. Send, I think it was like 150 bitcoins to this address.'"
A fake shipping link can launch ransomware like it did for Hoehn, or it can redirect to a counterfeit branded page that asks for credit card or personal information to reroute a package, or tricks you into entering your username and password.
When Hoehn chose not to pay the ransom of some 150 bitcoins, the equivalent of more than $66,000 at the time, he lost everything on the computer including his family pictures and business contacts. Months later, the IRS informed him his identity had been stolen. Then his email was hacked, with phishing emails sent to thousands of his contacts.
"We have our mind on other things like pandemic and our kids getting remotely educated," said Brian Linder, a threat prevention manager at Check Point. "And it's a perfect time for these bad actors to prey on consumers that are not paying close attention."
Check Point found that 65% of fake shipping messages in the U.S. impersonate Amazon.
"They're successful because most of us are doing business with Amazon. We're ordering on Amazon. And for us to get an email from Amazon about a package we ordered would be perfectly normal and expected," Linder said.
Amazon told CNBC it works with the Federal Trade Commission or Better Business Bureau to go after scammers and said in a statement, "Any customer that receives a questionable email, call or text from a person impersonating an Amazon employee should report them to Amazon customer service. Amazon investigates these complaints and will take action, if warranted."
The phishing messages also commonly impersonate UPS, FedEx and DHL, which all have their own dedicated reporting emails. The companies that make our devices are also on guard. Microsoft, for example, has a Digital Crimes Unit that works with law enforcement and claims to have "rescued" more than 500 million devices from cyber criminals since 2010. Apple, meanwhile, offers public recognition and even bounties of up to a million dollars to users who report security issues.
Some big warning signs to watch out for include slight misspellings or incorrect logos, unencrypted landing sites, and messages with a countdown urging consumers to act quickly.
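The warning signs above can be checked mechanically. The following is an added example, not code from the article or from Check Point: a small heuristic that scores a shipping notification for a sender or link domain that borrows a shipper's name without belonging to it, an unencrypted (non-HTTPS) landing link, and countdown language. The shipper-to-domain table, the sample messages and the `.example` hosts are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed (constructed) mapping of the shippers the article names to the
# registrable domains their genuine notifications come from.
SHIPPER_DOMAINS = {"amazon": {"amazon.com"}, "ups": {"ups.com"},
                   "fedex": {"fedex.com"}, "dhl": {"dhl.com"}}
# Countdown / urgency phrasing the article lists as a warning sign.
URGENCY = re.compile(r"\b(within \d+ hours?|expires? (today|in)|act now|final notice|immediately)\b", re.I)

@dataclass
class Message:
    sender: str   # raw From: header
    subject: str
    body: str
    links: list   # URLs found in the message

def registrable(host):
    """Crude registrable domain: the last two labels of a hostname."""
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_indicators(msg):
    """Return the warning signs found in a shipping notification (empty list = none)."""
    haystack = " ".join([msg.subject, msg.body, msg.sender] + msg.links).lower()
    claimed = [n for n in SHIPPER_DOMAINS if re.search(rf"\b{n}\b", haystack)]
    flags = []
    m = re.search(r"@([\w.-]+)", msg.sender)
    sender_domain = registrable(m.group(1)) if m else ""
    # Misspelled or lookalike sender: claims a shipper but is not sent from its domain.
    if claimed and not any(sender_domain in SHIPPER_DOMAINS[n] for n in claimed):
        flags.append(f"sender domain {sender_domain!r} does not belong to {claimed}")
    for link in msg.links:
        u = urlparse(link)
        if u.scheme != "https":  # unencrypted landing site
            flags.append(f"unencrypted link: {link}")
        for n in claimed:  # brand name in the host, but not the brand's own domain
            if re.search(rf"\b{n}\b", u.hostname or "") and registrable(u.hostname) not in SHIPPER_DOMAINS[n]:
                flags.append(f"lookalike link host {u.hostname!r} impersonating {n}")
    if URGENCY.search(haystack):
        flags.append("countdown / urgency language")
    return flags

# Constructed sample messages (not real mail); .example is a reserved placeholder TLD.
PHISH = Message("UPS Delivery <tracking@ups-reroute.example>", "Unable to deliver your package",
                "Click the link within 24 hours to reroute your package.",
                ["http://ups-reroute.example/track?id=PLACEHOLDER"])
LEGIT = Message("Amazon.com <shipment-tracking@amazon.com>", "Your package has shipped",
                "Track your package at the link below.", ["https://www.amazon.com/your-orders"])
```

Running `phishing_indicators(PHISH)` returns four flags (lookalike sender, unencrypted link, lookalike link host, urgency), while the constructed legitimate message returns none.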
The best protection, experts say, is to prevent the scam messages from reaching your device in the first place. Operating systems have built-in security protections, which is one reason software updates are crucial. Apps like Nomorobo offer additional blocking features, and users can help by changing passwords often, turning on two-factor authentication and using a variety of different email accounts and passwords for different online activities.
Investigations into phishing attacks are usually conducted by the Federal Trade Commission.
"It's really important that we empower and adequately fund the agencies that go after these scammers. Number one, the Federal Trade Commission, they have a huge responsibility to police unfair and deceptive practices across the entire economy and yet their workforce and their funding is only a fraction of what it was in the 1970s," said John Breyault, vice president of public policy, telecommunications and fraud at the National Consumers League.
As enforcement struggles to keep up, scammers are constantly finding ways to exploit the next trend.
"Consumers should really expect to start seeing messages on social media, emails, phone calls, text messages offering to get you to the front of the line for the vaccine if you'll pay some money up front. That is a big worry for us."
If you do fall victim to one of these scams - or even just come across one - report it directly to the Federal Trade Commission or through the Better Business Bureau's Scam Tracker tool. You can inform mobile carriers of a spam text by forwarding it directly to SPAM.