Url looks suss. Seems kinda sophisticated for the usual ups fishing scam. Here’s the text message I got leading here.

“Wishing you a bright and sunny day!” Lol, I almost want to help this guy by explaining that UPS and American companies in general have disdain for their customers and would never wish them to have anything that would not benefit the company.

  • lethargic_lemming@lemmy.world
    85·
    9 days ago

    Very well known scam. Some details that give it away:

    (1) They used a url shortener that doesn’t let you see the actual domain. (bit.ly)

    (2) Website domain is not legitimate.

    USPS’s website is usps.com. If the URL doesn’t end in usps.com (meaning usps.fakewebsite.com is still fake) then it’s not legitimate.

    (3) Tone: The USPS doesn’t text you like you’re their friend.

    (4) The number they’re texting you from is not an SMS short code number (usually 5 digits). Instead you’re getting a text from a 10 digit number with an area code, which means it’s a person/individual rather than an application or service.

    source: used to work as cyber sec analyst

    • officermike@lemmy.world
      30·
      9 days ago

      (5) grammatical error(s): “We will ship again in” instead of “we will ship again on

      Edit: more subtle errors and phrasing that feels like it was written by a non-native English speaker.

      • ilovededyoupiggy@sh.itjust.worksEnglish
        22·
        9 days ago

        (6) USPS tracking numbers are like 65 digits long, because they expect to track every hydrogen atom in the known universe individually.

      • BigDiction@lemmy.world
        5·
        9 days ago

        Yeah the first bullet copy with the comma and wrong preposition is clearly unprofessional. These scams always use poor contrasting red warning text as well.

      • abbadon420@lemm.ee
        1·
        9 days ago

        You’re absolutely right, of couse, but keep in mind that communications is still mostly done by people and people are generally fucking stupid.

    • jj4211@lemmy.world
      7·
      9 days ago

      I’ll add how is it that they could not know the address of the recipient, yet would know their phone number?

      Either the recipient is totally unknown or they know the address. The last thing they would know about a recipient is the phone number.

    • bulwark@lemmy.worldOPEnglish
      2·
      9 days ago

      That’s interesting I didn’t think about that fourth point, but whenever I get a verification SMS it does always come from a 5 digit number.

      • viking@infosec.pub
        5·
        9 days ago

        That one is not hard evidence though, for example delivery drivers from FedEx in my area send text messages from their actual phones announcing an upcoming delivery.

        The messages are still standardized, so I’m assuming they are company phones and send pre-programmed messages from templates, but if I call that number, I’ll actually speak to the person handling my delivery.

  • Ech@lemm.eeEnglish
    60·
    9 days ago

    Why the fuck did you click a link like that in the first place? That first message is basically screaming at you that it’s a phishing attempt.

    Best opsec is to delete and block, ideally without opening it at all to avoid read receipts (if that’s a function in your phone). If you think it might be legit, go to the website on your own and find a way to confirm independently. If that’s still too much to follow through with, at the very least don’t click random links sent to you unprompted.

    • JoshCodes@programming.devEnglish
      15·
      9 days ago

      Hey dude, you had an opportunity to educate someone and instead you belittled them. As someone who works in cyber, please don’t do that. People get stigmatised against cyber and IT professionals and they stop trusting us. Users don’t know what we do, so be kind to them the way you should be kind to anyone learning new things. https://xkcd.com/1053/

    • Ihnivid@feddit.org
      1·
      9 days ago

      Could someone educate me on the possible damage clicking a link can bring, assuming I’m not interacting with the website any more than that?

      Not doubting there’s damage, just curious. I’d think they’d get some maybe usable info from fingerprinting or something? Could javascripts lead to more serious problems?

      • nova_ad_vitum@lemmy.ca
        5·
        9 days ago

        If you do nothing but click the link and then close the resulting website without clicking anything else, all that will happen is that they’ll know you’re someone who clicks such links and you’re likely to get more of them.

      • themoonisacheese@sh.itjust.works
        3·
        9 days ago

        There could theoretically be a vulnerability in your browser that would allow them to infect you with viruses, but such vulnerabilities are much much more valuable used elsewhere (or cashed in through security research bounties). One I’ve seen is that the page further phishes you into downloading and installing an “update” to your browser that’s really a virus, or they simply try to phish you out of money, for example by asking you to pay the shipping costs again.

        It’s also a way to build lists of who actually clicks the links, that they resell to the next sucker (scamming is suckers all the way down, they all buy The Next Big Technique from some guy), ensuring you will get further spam in the future.

        There’s actually a fun technique to do to avoid further spams when it comes to voice calls. A little know fact is that elevator call buttons are actually just phones that have a phone number, and if you dial the number, it will automatically answer and you will hear whatever is in the elevator (generally nothing). If you pick up but don’t say a word, their automated systems will flag you as an elevator phone number and they will stop calling in order to stop wasting resources on calling numbers that won’t lead to money.

    • prettybunnys@sh.itjust.works
      36·
      9 days ago

      100% a scam.

      The USPS won’t text you, they’ll leave you a notice in your mail box. They’re the only people besides you allowed to open your mailbox legally so it’s their best avenue.

      • MaggiWuerze@feddit.org
        1·
        9 days ago

        Well, they claim they couldn’t find your house. So that wouldn’t be an option. Still a scam though

        • HelixDab2@lemm.ee
          7·
          9 days ago

          They can’t find your house, but somehow they know your phone number…? I don’t know about you, but I’ve never had to use a person’s email address or phone number when I was mailing them a letter or package, just their physical address or post office box.

    • Coskii@lemmy.blahaj.zone
      7·
      9 days ago

      Expecting them to have my phone number but not my address is a mental leap I cannot fathom in the first place.

  • Blackmist@feddit.ukEnglish
    45·
    9 days ago

    I think there’s now a generation gap between kids today and people who were routinely sent to tubgirl and goatse during the internet’s formal years.

    If your URL is fucky, it’s a scam. If you clicked one, they’ll send you more.

    • Dozzi92@lemmy.world
      7·
      8 days ago

      Our parents couldn’t use computers properly, and now our kids can’t use them properly either.

      That being said, I learned the hard way back in the golden age many, many times.

  • Technus@lemmy.zip
    39·
    9 days ago

    Bruh, just look at the address bar. That is not a USPS domain. Obviously it’s a scam.

  • plz1@lemmy.worldEnglish
    34·
    9 days ago
    1. 3rd party URL shortener, immediate red flag
    2. Non-USPS.com domain once you tapped it (which you shouldn’t have)
    3. National service sending from a South Carolina area code instead of a short code or a toll free number
    4. Does USPS even have your phone number tied to your delivery address?
    • johannesvanderwhales@lemmy.world
      5·
      8 days ago

      That also doesn’t look anything like a USPS tracking number (which, if this were real, you’d probably already have). Pro-tip: USPS has “informed delivery” where they’ll send you an email every day with scans of your mail and any packages on their way to you. Which would give you another way to know that this isn’t real.

  • psilotop@lemmy.world
    27·
    9 days ago

    Aside from all of the red flags already listed in other comments…are you even expecting a package to be delivered? I almost never receive a package that I don’t expect

  • flamingo_pinyata@sopuli.xyz
    27·
    9 days ago

    Go to the official UPS website (do not click that link, google it) and enter your tracking number.
    If you don’t have a tracking number it means you didn’t order anything, and it’s certainly a scam.

    • snooggums@lemmy.worldEnglish
      16·
      9 days ago

      This is usps, not ups, but everything else is accurate.

      Always check the real site without using a link to get there.

  • Dogiedog64@lemmy.world
    26·
    9 days ago

    This is 10000% a scam. That’s not the USPS url scheme. Plus, as a government entity, they’ll start correspondence through certified mail. Another question you could ask yourself is “Did I order any packages lately?” IF not, then more proof it’s a scam.

    • piccolo@sh.itjust.works
      4·
      8 days ago

      I get emails from usps all the time, they have a service to alert you of mail and packages arriving. Though, they dont SMS, and wouldnt be using a bit.ly url.