Be cautious of any delivery messages that ask for your personal data, especially during the holidays.
With Black Friday behind us and Christmas now just around the corner, many of us are expecting a number of packages to arrive at our homes. We can typically track these using a website run by the delivery service, or alternatively, less sophisticated methods such as SMS updates. Unfortunately, the latter option is the perfect scenario for cybercriminals who send scam messages trying to lure victims into giving them personal information.
Let’s take a look at a current campaign impersonating Correos, the Spanish Postal Service. This attack all starts with victims receiving an SMS indicating that they have to pay customs and a link to proceed. The link leads to the following website:
It informs victims of the amount they have to pay (1.79€). If the user agrees and clicks on “PAY AND CONTINUE”, they’ll be taken to the next screen where they have to fill out their credit card details:
The site doesn’t check whether the credit card information is correct, but it does make sure that at least the correct number of digits have been entered before it’s possible to continue. After that, it requires the user to enter their phone number:
Once entered, it asks the user for a code that supposedly should have been received via SMS:
In this step, the fraudulent website checks that the code has the correct length (6 digits). At the time of our team’s research, no SMS was actually being sent – it’s unclear whether or not this is intentional. When individuals enter a random code, it then takes them to the next screen, on which they’re asked to enter your PIN code.
Once this code has been entered, the user arrives at a credit card details page that indicates their card was refused and that they should use a different one. This is purely an attempt to siphon multiple of the victim’s credit cards.
How to protect yourself from SMS delivery scams
Especially during the holiday season, beware of any delivery messages that ask for your personal data. Fortunately, this phishing attack is already blocked by Avast.