Cybersecurity firm J2 has warned of a rapid increase in post office scams that lull unsuspecting people into believing there is a package for delivery. The email is made to look like a notification from the South African Post Office (SAPO) and prompts the recipient to make a payment to have the parcel delivered.
J2 CEO John McLoughlin says the South African Post Office does not require customers to make any payment before parcels are released. "The cybercriminals bypass your email security by using a trusted service and website like Survey Monkey. If you click on the fake payment link, you are directed to the Survey Monkey page that the cybercriminal has created."
"Most people don't realise this is a Survey Monkey site and they are then enticed to click to be redirected to the criminal’s fake payment page. You are then asked to insert your credit card details to make payment for your delivery. At this point the criminal will be stealing your credit card information," he explains.
Once the person is redirected, the cybercriminal's fake landing page will request payment. To make it look authentic, the criminal syndicates copy the logos of trusted South African payment gateways. This entire process is fake! These criminals are out to steal information.
Their next step to complete the card theft is to get the person to enter the card PIN. Sadly, many people are still convinced this is real, and once they enter their PIN, the criminals have all they need to sell the card details and to use them.
"The attacker will keep you there as they now have an automated process to not only steal your card number and PIN, but they will process a transaction if you've given them the correct details. The next step to process their stolen goods is to get your OTP," he warns.
Here are some guidelines to prevent being scammed in future:
- Know that you are the target; everybody is
- Check the sender’s email address
- Deploy a layered, monitored and comprehensive cyber resilience program
- Take note of the URL of every webpage you are directed to
- If you didn’t request something, then it is fake
- Check that you are using only known and trusted websites
- NEVER enter your PIN or give it out over the phone
- Educate your users, friends and family
- If you are unsure, verify the authenticity with a little bit of research and do not rely on information contained in the email you receive
Without a layered cyber resilience program, these criminals cannot be stopped. Also, cyberattacks evolve daily, so it's important to question every unsolicited email, call and payment request received.