Got an SMS from Australia Post about an unusual or incomplete address? It’s a SCAM (again)

Australia Post SMS Scams (Screenshots: Alex Kidman)
SMS messages from “Australia Post” claiming incomplete or missing address details (or damaged parcels) are doing the rounds — and they’re a straight up scam.

The scourge of SMS scams continues seemingly unabated, with today’s target Australia Post. Speaking purely anecdotally, over the past week I’ve received numerous scam SMS messages informing me of incomplete addresses, missing ZIP codes or damaged parcels, all with a handy link to update my details.

Of course, they’re all scams, but there’s an added wrinkle here.

How can you tell it’s a scam?

Outside of the use of ZIP codes — that’s an American term that does not apply in Australia — the dead giveaway is the URL or URLs being used, which are similar-but-not-identical to Australia Post’s actual website.

I mean, we can complain all we like about Australia Post’s service, but even it is unlikely to operate out of a domain called (as per the above screenshot) “MyPoo”. Just a hunch, you know?

Also, just to be clear, I’ve blocked out elements of those URLs, because nobody outside bored security researchers should be clicking on them, just in case you were tempted.
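The two giveaways above (the US term "ZIP code" and a link host that only resembles the real one) can be checked mechanically. This is an added example, not code from the original article; it assumes `auspost.com.au` is Australia Post's official domain, the function names are hypothetical, and the sample messages and `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: Australia Post's official domain (not stated in the article).
OFFICIAL_DOMAINS = ("auspost.com.au",)
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
US_TERMS_RE = re.compile(r"\bzip\s*code\b", re.I)

def host_of(url):
    """Return the lower-cased hostname of a URL, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_official(host):
    """True only for an official domain itself or a true subdomain of it.

    A substring or prefix test would wrongly accept lookalikes such as
    'auspost.com.au.parcel-update.example', so compare from the right.
    """
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_sms(text):
    """Return a list of red flags found in one SMS body."""
    flags = []
    if US_TERMS_RE.search(text):
        flags.append("uses 'ZIP code', a US term")
    for match in URL_RE.finditer(text):
        host = host_of(match.group(0))
        if not is_official(host):
            flags.append(f"link host '{host}' is not an official domain")
    return flags

# Constructed sample messages (not taken from the screenshots).
SAMPLES = [
    "AusPost: address incomplete, update your ZIP code at "
    "https://auspost.com.au.parcel-update.example/login",
    "Your parcel is damaged. Reschedule: auspost-delivery.example/track",
    "Your parcel arrives today. Track: https://auspost.com.au/track/EXAMPLE123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(check_sms(sms) or "no red flags found", "<-", sms)
```

An empty result only means these two checks found nothing; a link that opens straight to a login prompt is still the giveaway described further down.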

For many businesses, as I’ve detailed previously around scams covering MyGov hacking, Medicare scams or government financial assistance, the fact that there’s a URL at all should be a big red flag, because government services specifically don’t send SMS messages with any URLs at all in them.

Australia Post, however, does do that, and this is where this one gets a little more tricky, because you may be quite used to seeing text messages from the national postal carrier around parcels arriving, the need for signatures and so on.

Why does Australia Post include URLs in SMS if it’s a scam risk?

It seems to largely be a customer convenience play, though there is one factor to keep in mind here if you’re feeling wary about a message.

Australia Post typically doesn’t require a sign-in to check the status of a delivery, just the tracking code. If you click on a link in an SMS and the first thing it asks you for is some kind of login, it’s a scam, plain and simple.

What do the scammers get out of my Australia Post account?

If you’re a business with an Australia Post account, access to any and all business functions you have set up, and potentially a way to either initiate dodgy transactions or redirect mail that may have its own intrinsic value for matters such as identity theft.

At an individual level, there’s also the identity theft angle; think about how many ID services want bills with addresses and the like and you can see the angle there. There’s also the prospect that you might be someone who uses the same password across multiple sites, so getting one login there — or even getting you to try multiple passwords — might net them access to other more lucrative accounts.

Australia Post has its own scam awareness site here, and as always, you can find a wealth of good information about scams generally at ScamWatch.
