Hands up, Santa: hackers hijack parcel confirmation emails

News by Max Metzger

As the festive season arrives, hackers have been trying out a new trick: phishing emails in the form of parcel delivery notifications.

What with Christmas coming, scammers are upping their seasonal game and hijacking parcel confirmations for online shoppers.

PhishMe calls itself the “leading provider of threat management for organisations concerned about human susceptibility” and warned consumers earlier this week to be on guard for suspicious-looking delivery notifications arriving in email inboxes. These might be harder to spot at this time of year, when people flock online to get their Christmas shopping done in a timely manner and their guard against potential scams is down.

Among others, PhishMe identified a ‘UK Mail’ scam which tells its supposed ‘customers’ that their package was not delivered. The email tells the intended victim that, to retrieve the package from the Post Office, they will need to print out the document attached to the email. When the user opens that ‘document’, they are infected with the Dridex trojan, which steals financial information and personal details until finally and fatefully, it can make a move against the user's bank account.

Aaron Higbee, CTO at PhishMe, told the media, “Every December we see two perennial themes utilised by threat actors taking advantage of consumers' desire to save money during the festive shopping season, and the anticipation of an order or gift's upcoming delivery, and this year is no exception.”

Higbee added, “Threat actors attempt to leverage in any way the festive shopping and shipping season to further their criminal agendas. This is clear and evident in the phishing email narratives employed during the Christmas season as a means for delivering malicious software.”

The increased financial activity over this season, populated as it is by a glut of expensive holidays, is fertile ground for hackers who attempt to leech off the online flows of money between consumers and retailers for Thanksgiving, Black Friday, Halloween, Chanukah, Kwanzaa, Christmas and New Year.

Cyber-security company ThreatMetrix said earlier this year that it had detected 45 million attempted attacks against online retailers in the 90 days preceding November. Figures from Christmas 2014 showed £16 million had been stolen from online shoppers, a 42 percent rise on the previous year.

The City of London Police launched a campaign in November to better school online shoppers in ways to stay safe when Christmas shopping. At the time, police national coordinator for economic crime, Commander Chris Greany, said: “Fraudsters and online criminals are relentless and will stop at nothing, giving absolutely no thought as to whether you and your family are left without presents at Christmas time.” He added that “fraudsters are making gains and are taking every opportunity they can during the festive period.”
