ALERT: USPS Smishing Scam

Artemis Sere Alerts

As if my life isn't challenging enough right now during my job layoff, this week I was the victim of a "smishing" scam. These dastardly thieving acts always seem to hit me at the wrong time.

In 2021 on my first day of my new job, I was hit with a catalytic converter theft which took my vehicle out of commission for 6 months. In January 2022 in the dead of a winter night, I was hit again, knocking my vehicle into the yard again for 6 months while I waited for parts. You may have seen me interviewed on local Fox9 about my thefts.

The end result: an expensive metal shield to protect my converter and jacked up insurance rates for my area due to the thefts.

Evidently, the perpetrators may have been caught.

My hope is that this blog can protect you from the scam I fell for, and maybe give investigators some background for their hunt for this fraudster or fraudulent entity.

What is Smishing?

"Smishing uses fraudulent mobile text messages to trick people into downloading malware, sharing sensitive data, or paying cybercriminals money." (Source: IBM)

How did I fall for a Smishing Scam?

This has been a stressful week. Between searching for jobs, prepping for an interview, applying for opportunities, and worrying about my future, I've been somewhat distracted.

When the first smishing text came in on November 3rd, I was high and overtired. It hit me at just the right time, and I honestly thought the text that I received was legit. If you've followed my vinyl adventures over the last year, you know I've had a bumpy road.

On a few occasions, I've had to contact USPS or FED EX to get a package of mine "unstuck" from a sort floor because an address had "fallen off" or been damaged in the transmit from a global location. I've never been charged before, but I thought paying 30 cents to get a package "unstuck" was worth it. The branding on the message seemed legit. The messaging seemed reasonable.

With all of my training around phishing scams, I should've known there was some fishy stuff going on:

  1. The message was sent via text and was an image with no clickable links. There was a pretty link and a QR code for quick connection to a USPS form.

  2. The USPS form didn't detail which package was affected.

  3. Even with the package info missing, I thought thirty cents wouldn't hurt. But when I put in my card info, the form submission failed. I thought that was suspect, but didn't think any more about it. I gave up and moved on.

And didn't think about it again until my credit union contacted me yesterday about some possibly fraudulent charges.

Then I put the two together and realized I got pulled into a scam. I didn't expect that I would be a target for fraudsters. I expected that the fraudulent USPS form would need to be submitted for the fraud to happen.

But even with the failed submission, the fraudsters got the info they needed about my check card from the info I submitted on the screen.

What happened to me as a result of the scam?

A few days ago, the fraud began with a $350 Amtrak ride charged to my account. I didn't catch it because I don't traditionally check my account every day. And since I'm laid off and not spending money as often as I once did, there's been few reasons to be connected to my daily account movement.

So, the fraud began and didn't stop until it was caught yesterday afternoon. In that time, someone charged Uber, Uber Eats, Lyft, Door Dash, and a Tap Room in Florida for another $500 - $600 worth of charges. I think the bleeding has stopped, but some fraudster got a fun vacation off my dwindling resources.

How do I know for sure this action led to the smishing fraud?

My check card expired in October, and I was in the middle of transitioning my accounts to a new card (same number, different details, you know the drill). Very few "unknown" vendors had the new card details, and in fact, I was behind on transitioning my streaming services to new cards (and some had been shut down due to that). Thus, I hadn't actually used my new card many times since I activated it. The smishing scam was one of the first uses I had of the new card.

What does the USPS Postal Smishing Scam look like?

Here's a screenshot of the text that I received:

USPS Smishing Scam Image

I received the same text for 5 days from a number I didn't recognize.

USPS Smishing Scam Source Phone Numbers and Frequency

At the time I received the first one, I didn't consider that it could've been from an international source, and reacted too quickly. After I realized that it was a scam, I blocked every future transmission and deleted all messages. The messages eventually stopped, and two days later the Amtrak ticket was purchased.

What can you do to keep yourself protected from smishing?

  • Be extra vigilant of communications hitting your phone or email, especially ones that look like they have legit branding. I hadn't heard about this type of fraud until it happened to me, just like the catalytic converter theft ring. I wasn't aware that it was that prevalent, didn't know it was a thing.

  • Only submit your card information to trusted interfaces and websites. Lesson learned: you don't have to hit the submit button for a fraudster to get your info.

  • Report your experience to the USPS here.

Seretic Studios