The Australian Federal Police is gearing up for an uptick in the number of Australians falling victim to fake delivery scams as criminal syndicates take advantage of the Christmas shopping season.
Scammers use legitimate-looking text messages to deceive people into providing personal information, which is then sold on the dark web for a profit or used to defraud victims out of thousands of dollars.
The messages purport to be a delivery status update and encourage the recipient to click on a link to track, redirect, or collect a parcel. They may occasionally request that the recipient confirm a postal address.
Scammers frequently use a technique known as "spoofing," in which software disguises the sending phone number so that a message appears to come from a legitimate source. This lets them impersonate businesses and popular delivery services, including Australia Post, DHL and Amazon.
When the recipient clicks on the link, they are taken to a bogus company website where they are asked to enter their personal information in order to complete the delivery. The scams are engineered to steal personal and financial information from victims and install malware on their devices, enabling criminals to access their usernames and passwords.
According to the Australian Competition and Consumer Commission, Australians will lose more than $2 billion to scams in 2021. This figure is expected to exceed $4 billion by the end of the year.
Phishing is the most common type of scam, with over 57,000 reports of suspicious calls and messages to the commission in the first ten months of this year. Criminals sought to exploit people who were stressed and less attentive in the run-up to the holiday season, according to AFP cybercrime operations commander Chris Goldsmid.
He stated that criminals used the information gained from the scams to extract money from the recipients' bank accounts, apply for loans in their name, or sell their information online to other criminals for profit.
“Scam activity, in particular, is profit-driven,” he said. “Whatever the criminals can do to monetize the information they steal from the public, they’ll do that.”
According to Goldsmid, online cybercrime services that provide "phishing kits" and other spoofing software to would-be scammers have flourished in recent years. One such website, which was shut down by UK authorities as part of the "biggest ever fraud operation" in British history, offered software services to scammers for as little as $36.
Goldsmid advised consumers to check the legitimacy of a message before clicking on a link, and to look for red flags such as grammatical errors, requests for personal information, and suspicious URLs. Most delivery companies, including Australia Post and Amazon, do not call or email customers to request personal information, payment, or software installation. According to an Australia Post spokesperson, unbranded web addresses and an unusual sense of urgency in messages are also signs of fraudulent texts.
“We’re seeing a greater public awareness of scams and cybersecurity, however, we encourage customers to be aware of how to spot a scam,” she said.
Amazon stated that it had spent more than $900 million globally to hire an additional 12,000 workers to combat cybercrime and online fraud and that it had "zero tolerance for fraud."
“Amazon impersonation scams put our customers at risk, and while these happen outside our stores, we will continue to invest in protecting them,” the statement read.
A DHL representative advised customers to always use the official DHL website and to avoid disclosing personal information. Those who believe they have been a victim of cybercrime should contact their bank and file a report with the Australian Cyber Security Centre online. If the scam involves Australia Post branding, please report it to scams@auspost.com.au.