Scammers using FedEx and COVID-19 ruses to collect PII

In separate scams, fraudsters target would-be victims who are worried about packages they might never receive plus COVID-19 threats. The criminals play on fears to harvest personally identifiable information.

Johnny Smith checked his credit card statement and found some odd charges. His wife concurred. His credit card company said that someone most likely compromised his card number. His tech friends asked him if he’d recently given his number to anyone. He said that he’d received a recent text message from FedEx that included a tracking code, a link about a shipping preference and a chance to win a prize. He unknowingly revealed his credit card number and became a victim of a scam.

FedEx scam No. 1

This case is fictional but represents the plight of victims. The U.S. Federal Trade Commission (FTC) agency warns of this scam designed to steal personally identifiable information (PII) from consumers. Like most scams, it’s written to catch the recipient’s eye with an important message. (See Is that text message about your FedEx package really a scam? by Alvaro Puig.)

The text message from FedEx (although scammers might use other shipping companies), which gives the reader the impression that a package will soon arrive, provides a fake shipment tracking code and a link to update a delivery preference. The link takes the recipient to a fake Amazon website on which they’re asked to complete a customer satisfaction survey with the chance to win a free prize. However, the site will ask for the victim’s credit card number to cover shipping of the supposed prize. Game over! The real prize winner is the scammer.

This scam has similar characteristics of most schemes but also some atypical ones. As always, it’s devised to con individuals out of their cash or expose their PII. Fraudsters probably aren’t psychologists, but they’re knowledgeable about working the minds of potential victims. Typical scams divert recipients’ attention away from the message by creating an environment of panic, which prompts them to act quickly to avoid or solve fake problems (for example, the well-known grandparents’ scam).

The FedEx scam doesn’t present an urgency to act but, like other scams, the ruse diverts potential victims’ attention to enticing chances to win free prizes. But, like all scams, this tactic prevents them from questioning the validity before acting.

If you get such a text message, ask yourself:

• “Did I order something online that’s being sent to me or someone else?”
• “Is someone in my family or someone else sending me a package?”

However, if you’ve clicked the link to the free prize, then ask yourself:

• “Why do I have to pay when the prize is free?”
• “Why can’t I wait to give my credit card number if I’m notified of winning a free prize?”

Fraudsters are good at diverting our attention away from real issues. Yes, patience is a virtue.

The FTC offers these tips:

• If you get an unexpected text message, don’t click on any links.
• If you think the text could be legit, contact the company using a website or phone number you know is real.
• Don’t use the information in the text message.

FedEx scam No. 2

In a recent scam alert, FedEx Delivery Text Scam by the Identity Theft Resource Center (ITRC), fraudsters again use FedEx in a similar delivery text phishing scam to victimize those who might be worried about theft of our packages.

The scammers use texts to directly steal PII and/or install malware to steal it later. Scammers send texts to victims from unknown numbers to ask them to click on links to get instructions for deliveries. But why wouldn’t FedEx already have addresses to deliver packages? Why would it be asking for them again?

The ITRC provides this advice:

• Never click any link — by text, email or instant message — if you can’t verify the sources.
• When in doubt, check with the company that supposedly sent it.
• Never follow through with the message. Go directly to the company’s website.

COVID-19 scams

We’ve all heard about common COVID-19 scams. See the Fraud Magazine Online Exclusive, Coronavirus fraudsters add to the anxiety and misery, by Jason Zirkle, CFE, for tips.

By the time you read this, additional online scams will have popped up. But here’s some general advice.

The FTC warns about scammers setting up fake emails, texts and social media posts to rob us of cash and PII. (See the FTC blog, Coronavirus: Scammers follow the headlines, by Colleen Tressler.)

Malicious email attachments and fake websites ask people to donate money to COVID-19 patients and submit financial information or other PII via their credit cards and downloaded malware from attachments. They also encourage victims to use gift cards and money wires to expedite transfers.

The FTC provides these tips:

• Of course, don’t click on links from sources you don’t know that could download viruses. Make sure your anti-malware and anti-virus software is up to date.
• Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts saying they have information about the virus. For current information about COVID-19, visit the CDC and the World Health Organization.
• Ignore online offers for vaccinations and lotions, potions, pills and lozenges touting prevention, treatment or cure claims.
• Don’t let charities or crowdfunding sites rush you into making donations via any means, especially cash, gift cards or by wiring money. 
• Be alert to fake investment opportunities. The U.S. Securities and Exchange Commission is warning about online promotions, including via social media, that claim products or services of publicly traded companies can prevent, detect or cure COVID-19 and that the stock of these companies will dramatically increase in value.
• Hang up on robocalls. Don’t press any numbers. Scammers are using illegal robocalls to pitch everything from scam treatments to work-at-home schemes. Pressing numbers probably might lead to more robocalls.
• Visit usa.gov/coronavirus for links to U.S. federal, state and local government agencies.

The U.S. Department of Health and Human Services Office of Inspector General warns against scammers offering COVID-19 tests and sanitary kits to Medicare beneficiaries in exchange for PII, including Medicare information. Fraudsters are using telemarketing calls, social media and door-to-door visits. The crooks use the PII to fraudulently bill federal health care programs and commit medical identity theft. If you suspect fraud, contact the National Center for Disaster Fraud Hotline at (866) 720-5721 or disaster@leo.gov.

Contact me

Include these scams and important information to protect your online identity in your outreach programs and with your family, friends and business associates. As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you’d like me to research and possibly include in future columns or as feature articles. I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. His email address is: doctorh007@gmail.com.