Order confirmations scams are exploding all over the Internet this holiday season. Ask anybody that works for UPS, FedEx or the USPS and they will tell you this time of year is the busiest there is for them. And for many people this time of year is when you send or receive the most packages. And that is the sweet spot for this holiday scam.
Scammers are sending out phony order and delivery confirmation emails by the millions to people everyday. Many people, knowing they have sent or are expecting a package, do something they would not normally do. They let their guard down and click on that link or the attachment. They may never discover, or find out too late, that they have given up control of their computer or their identities. The links or attachments install malware on the victim’s computer capable of stealing passwords for email or banking websites. Or the malware turns their computer into a zombie on somebody’s bot net. If you are really unlucky you could end up with a CryptoLocker malware.
Seasonal scams like this one return year after year because the method of tricking you is so successful. Crooks are catching people off-guard during the holidays because so many packages are being sent and received. And they use exact email replicas of delivery services and reliable shopping websites like Amazon.com, Wal-Mart.com and Target.com. People are so intensely focused on making sure their orders arrive before Christmas that they forget the Cardinal rule of the Internet; trust no one. Most confirmation emails do not require you to click on anything to get the tracking number. It is right there in the email where you can see it.
Malcovery, a company that tracks email-based malware attacks, reported these phony “order confirmation” scams began around Thanksgiving. The emails use booby-trapped links and attached files to infect Windows PCs with the malware that powers the Asprox spam botnet. Apple computers seem unaffected.
The Asprox malware is a Trojan that steals email user names and other passwords from infected machines. This type of malware runs in the background and you may not be aware of what your computer is doing. It also can infect your friends computer and perpetuate even more Asprox malware attacks. If you are infected Asprox can also use your computer to attack other websites.
Malcovery.com points out that the Asprox spam uses some tricky subject lines such as “Acknowledgment of Order,” “Order Confirmation,” “Order Status,” “Thank you for buying from [insert merchant name here]”, and a “Thank you for your order.”
Be alert to these tricks. Should you receive an email from an online or brick and mortar store you do business with and it has a legitimate looking logo and it references an order, DO NOT CLICK ON THE LINK OR ATTACHMENT! Instead, open up another web browser window and visit the merchant site using the web address you are familar with. Sign in with your own user name and password and check the status of your order. All that information should be there including order issues, your order number, tracking number and expected date of delivery date and who is delivering the package and other information specific to your transaction. Remember trust no one! Use your own information to research your order. If there is a problem you will discover it. And remind all your friends and relatives of this scam. Remember; friends don’t let friends play the fool online!
Here are few more tips to spot and fight order confirmation scams;
- Print a copy of your order confirmation. Highlight all the relevant information and compare it to any email you get.
- The scam email may be fairly generic not using your name or any information that is familiar to you. Examine it carefully.
- Hover you cursor over any links and examine the web address that appears. Make sure it is taking you where you want to go. BE CAREFUL NOT TO CLICK ON THE LINK!
- Examine any attachment and look for “.exe”, or a double extension like “exe.pdf.” That could be a dangerous crypto malware.
- Don’t trust any email just because it has a familiar logo or trademark.
- Keep good records! What to did you buy and from whom? Who did you send it to? Call the person and let them know its coming, the tracking number and who is delivering it. And ask them to let you know what to expect with the same details.
- Never click on links or attachments. Use your own information to research a problem with your order.
- Never pay for delivery of something you did not order or were not expecting.
- Never give personal information over the phone to someone who calls claming to have some thing to deliver to you.
- Its the Internet; trust no one.
Now you know