UPS delivery

UPS warns customers of phishing attempts after data accessed

UPS Canada is warning customers in Canada of potential data exposure and the risk of phishing. People have started to receive letters like the one below from UPS, which some have assumed were “just” regular phishing alerts. As it turns out, the letter is specifically about the potential exposure of data via a look-up tool.

One example of the letter is below, via a tweet from threat analyst Brett Callow.

You’ll notice why recipients assumed it was a generic phish warning straight away: There is no reference to any actual incident until halfway down the page. The whole first half is a generic description of what phishing and smishing involve, alongside a link to examples and where genuine UPS texts originate.

I would think many people looking at this would have already tuned out and thrown it into the garbage. In this case, that would be a mistake. Anyone who reads on will (eventually) discover that all is not right in the land of parcel deliveries:

The letter goes on to mention that an internal review took place to see if information it received from shippers was somehow contributing to these attempts taking place:

UPS states that access to this information has now been limited, and people whose information may have been impacted are being notified out of “an abundance of caution”.

In terms of the data potentially accessed:

This isn’t great, and it’s exactly the kind of data needed to get the phishing ball rolling. Bleeping Computer notes some other messages doing the rounds which may be tied to this campaign, which include delivery fee charges owed, and missing shipments of Lego.

Parcel Delivery scams are a big problem, and target firms like UPS and even the US Postal Service. Being able to grab personal details from actual delivery firms is a major boon for scammers so it’s essential to be on your guard where mysterious parcel texts and emails are concerned.

How to avoid fake parcel scams

  • Check your orders. The email isn’t going anywhere, and neither is your order. You have plenty of time to see if you recognise parcel details, and also the delivery network. 
  • Avoid attachments. So-called invoices or shipping details enclosed in a ZIP file should be treated with suspicion.
  • Watch out for a sense of urgency. Be wary of anything applying pressure to make you perform a task. A missing payment and only 24 hours to make it? A time-sensitive refund? Mysterious shipping charges? These are all designed to hurry you into action.
  • If in doubt, make contact with the company directly via official channels.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.