Two staff members and a customer interacting in a busy package delivery shop.

UPS Confirms Data Breach Customer Data Misused In SMS Phishing Attack

UPS Canada confirmed a data vulnerability in its online tracking system control. Customers in Canada are being alerted by the business that there is a chance that their personal information might be stolen using its online package search tools and used for fraudulent activities such as phishing scams.

The UPS data breach letter included details on phishing and smishing attacks. UPS investigated the cyberattack and found a vulnerability in their package system that leaked information about deliveries.

This information includes the recipient’s address, phone number, and other private information. By using this method, an anonymous person or group was able to take advantage of the UPS website and eventually obtain contact information for clients.

UPS stated in a letter Brett Callow, a security analyst for Emsisoft, posted:

UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered. Breach notifications need to be absolutely clear about what they are from the get-go. Fluffing them out helps nobody and simply increases the chances that they’ll be put in the garbage unread.

UPS found that from February 2022 to April 2023, the attackers behind the continuous SMS phishing effort used its package tracking tools to collect shipment details, including the receivers’ personal contact information.

The company has implemented measures to minimise access to this sensitive information and strengthen its security standards to prevent these complex phishing attempts.

Notification Letter from UPS Data Breach
Notification Letter Regarding UPS Data Breach (Brett Callow)

According to the letter, UPS has been swiftly engaging with delivery partners, as well as law enforcement agencies and third-party experts.

UPS continued in letter:

“The information available through the package look-up tools included the recipient’s name, shipment address, and potentially phone number and order number. We cannot provide you with the exact time frame that the misuse of our package look-up tools occurred. It may have affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023.”

Exploitation of UPS Data Breach by Hackers

Phishing refers to the deceptive practice of sending false emails, whereas smishing involves sending false text messages. Scammers employ various strategies to persuade victims into believing they owe money for a package delivery. They utilise emails and texts to request credit card and payment card information.

These fraudulent messages often attempt to appear authentic by incorporating brand names, colours, or even legal disclaimers. It is crucial to recognise that these deceitful attempts have far-reaching consequences, causing disruptions in package delivery across different courier services. As a result, both UPS customers and their packages are exposed to heightened security risks.

Hackers use the UPS data breach to act as UPS and its related companies to fool customers into paying for fake services.  This is a prevalent technique among threat actors using phishing to target victims.

The FCC and IRS warned Americans about an increase in SMS phishing attacks. They warned people to be careful of text messages from suspicious numbers that contained suspicious links and false information.

UPS advised recipients to be cautious of suspicious communications and trust their instincts. The SMS number 69877 is the only one that will send genuine UPS texts. Never share critical information in your comments and avoid from clicking on links contained in unknown messages if you want to protect yourself against these kinds of attacks.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.

Recent posts