Text scam: Chinese phishing crew behind fake delivery notifications

By Kim Komando

August 25, 2024

Oh, no! An urgent text from the U.S. Postal Service about your package delivery. Yeah, we all know by now these texts are fake.

And we finally know who’s behind the scammy messages. I thought this was super interesting, and I bet you will, too. A Chinese phishing operation has been farming personal info for the last year and a half.

One big smish-mash

They go by Smishing Triad (paywall link) and their MO is simple: Send texts to lure people into scams. It’s no small operation; they send an estimated 100,000 messages per day.

It starts with a notification of extra fees required to deliver a package. USPS, FedEx and UPS are common names they use to text Americans. The messages typically include a link to a legit-looking website where you enter your financial info.

Fall for it and hackers add your details to Apple Pay or Google Wallet accounts on burner smartphones — and then go shopping. They can also use the stolen info to withdraw money from ATMs. Crazy, right?

But wait, there’s more! Smishing Triad also sells its malware as a subscription service to other cybercrooks. Yep, they get paid for sharing their tools.

Don’t touch that text

OK, we know who’s behind these texts, but that doesn’t mean they’re going to stop anytime soon. With banks behind the curve on this one, it’s up to you to stay alert.

• Stop and think: Don’t click links included in bogus messages or answer phone calls from numbers you don’t recognize. Just don’t.
• Shhh: Don’t respond to random texts, even if the message requests you “text STOP” to end future messages. This can alert a scammer you’re a real human, resulting in even more messages. Delete the text and report it as spam.
• Update everything: Keep your phone’s operating system and any security software you use (this is my pick) updated to the latest version.
• 2FA is your friend: Enable it on any app you can that contains personal information (bank accounts, health records, social media accounts).

When in doubt …

Go to the source. If you get a text from a well-known company or government agency, contact their customer service department to confirm the text you received is real. Here’s a cheat sheet of official numbers:

• USPS: 1‑800‑ASK‑USPS (1‑800‑275‑8777)
• FedEx: 1‑800‑GoFedEx (1‑800‑463‑3339)
• UPS: 1‑800‑742‑5877

📮 Postal service jokes don’t need much setup. It’s all in the delivery. (I know you’re gonna use that.)

Don’t get left behind – Stay tech ahead

Award-winning host Kim Komando is your secret weapon for navigating tech.

• National radio show: Find your local station or listen to the podcast
• Daily newsletter: Join 575,000 people who read The Current (free!)
• Watch: On Kim’s YouTube channel
• Podcast: “Kim Komando Today” – Listen wherever you get podcasts

Tags: Apple, Google, hackers, malware, operating systems, security