You Have A Package SMS scam

It’s nice to receive packages, and we’re often expecting something, but the package you might have received a message about may not be the gift you were expecting.

A fairly regular scam that has been making the rounds on email and SMS for the longest time, this scam is about convincing you to click on a link to pick up your package.

Very similar to a scam advertising a mystery prize or a second place prize, the package scam suggests you head to a website to track your package or claim it immediately.

Many of us can probably work out that a message about a package from an unknown name or number isn’t legit at the best of times, but where this scam starts to get complicated is when the message comes in as if it originated from the post organisation in your country.

In Australia, package scams often arrive as if they were sent by Australia Post, and on a phone, can even sit in the same feed as previous messages about actual packages.

How does this happen? How can scammers infiltrate the SMS feed?

How scammers pretend to be the local post

When scammers send out an email, they can pretend to be the local post by changing their name. It won’t affect their email address, and if you look hard enough, you’ll see a domain that isn’t quite right. However, it gets a whole lot more complicated in an SMS scam.

On a phone, the SMS you receive can come with a name attached. When a phone receives multiple messages from this name, a phone will typically group them together.

However, a name on a phone doesn’t mean the numbers are all the same, nor does it mean they’re all connected. Companies can use many phone numbers to send out messages, and so phones typically link messages together using the sender name.

Smart scammers will generally use an online service to send SMS in bulk, and these allow you to create a name for the sender. While some names are off-limits to scammers — names like “Apple” and “Google” — local brands aren’t likely to suffer the same fate, and so scammers can use company names that will be familiar for their messages.

This means your local post organisation can be faked, and you can be convinced that the message sent to you from your local post provider is the real deal.

How this scam looks

When you receive a note for this scam, it will likely look one of two ways.

On the one hand, it could arrive from an unknown sender with just a random number or name. When this happens, the scam will just look like any other scam message with the name and number being someone you don’t actually know.

However, the alternative makes the scam harder to spot. Crafty scammers will adopt a name that is identical or very close to the one being used by the official post organisation.

In Australia, that means “AusPost”, and if you’ve ever received a package alert message from AusPost in the past, the scam message can sit right in the middle of that same feed.

It can certainly be disarming, because it can make a scam just that much easier to believe since it looks like it’s supposed to be official.

Of course, the giveaway here is the domain name, something you can use to spot scams if you look at links carefully before you click. Australia Post typically uses mypo.st or auspost.com.au for its links, and 1pu.ltd, the domain in this message, is definitely not connected to either. The domain therefore tells you this message is not legit.
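
The domain check described above can also be done in code, for example in a message filter. This is an added example, not code from the original article: the sample messages and link paths are constructed, the function names are hypothetical, and only the three domain names come from the text.

```python
import re
from urllib.parse import urlsplit

# Link domains the article says Australia Post typically uses.
OFFICIAL_DOMAINS = {"mypo.st", "auspost.com.au"}

# Finds http(s) links and bare "host.tld/path" links in a message body.
LINK_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#@:]\S*)?", re.I)


def link_host(link):
    """Return the host a link actually points to, lower-cased."""
    if "://" not in link:
        link = "//" + link  # lets urlsplit parse a link with no scheme
    host = urlsplit(link).hostname or ""
    return host.rstrip(".")


def is_official(host):
    """True only for an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_sms(text):
    """Return [(link, host, is_official)] for every link in an SMS body."""
    return [(m.group(0), link_host(m.group(0)), is_official(link_host(m.group(0))))
            for m in LINK_RE.finditer(text)]


# Constructed sample messages (the wording and link paths are made up).
SAMPLES = [
    "AusPost: your parcel is on hold, track it at https://1pu.ltd/track",
    "AusPost: confirm delivery at auspost.com.au.1pu.ltd/track",
    "AusPost: confirm delivery at https://auspost.com.au@1pu.ltd/track",
    "AusPost: redelivery fee due, pay at notauspost.com.au/pay",
    "AusPost: your parcel is coming today, track at mypo.st/abc123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        for link, host, ok in check_sms(sms):
            print(f"{'official' if ok else 'NOT OFFICIAL':12}  {host:24}  {link}")
```

The comparison is made on the parsed host rather than on the raw text, so a link that merely contains an official domain somewhere in it is still reported as not official.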