Two people are engaged in conversation, each holding an envelope in hand.

USPS Fake Websites Deceive Millions, Matching Real Traffic In Phishing Scheme

USPS Phishing Sites, aimed at stealing people’s personal and financial information, receive nearly as much traffic as the offical USPS website. Scammers use email and text-based phishing schemes to trick innocent victims into providing personal information or sending money.

Phishing operations aim to trick people into disclosing private information, such as credit card numbers and account credentials, or force them to pay fraudulent vendors. They typically employ strategies like demanding payment to release items that are being held or inciting panic to prompt rash decisions.

According to the most recent assessment from cybersecurity analysts at Akamai Technologies, throughout the holiday season, traffic to the genuine USPS website was lower than that of its impersonators.

Understanding the Risks Behind the Rise of USPS Phishing Scams

Akamai Technologies saw a significant rise in DNS requests aimed at “combosquatting” sites that mimicked USPS services over the 2023 holiday season. These illegal domains attracted nearly as much traffic as valid ones on normal days, even outperforming real traffic levels over the holidays.

An employee reported getting a strange SMS message, which caused Akamai to launch an investigation into phishing operations with a USPS theme in October 2023. The mail led to a website that included malicious JavaScript code.

Phishing SMS Posing as USPS
Phishing SMS Posing as USPS (Akamai)

The domain usps-post[.]world stands out as one of the most often observed by analysts. The name can mislead people into thinking it is an official USPS global branch. The criminals apparently gave attentive consideration to the domain name they picked, given the significant earnings associated with carefully planned trick domains.

A list of domains that have used the same JS file during the previous five months has been generated by the analysts. Domain names without the string “USPS” in their names were filtered out. These websites impressively look like the official USPS website, complete with realistic tracking pages for progress updates.

Fake tracking information on the phishing USPS website
Fake tracking information on the phishing USPS website (Akamai)

The actual USPS site received 1,181,235 requests between October 2023 and February 2024, whereas fake USPS sites received 1,128,146 queries, according to data compiled by Akamai.

Malicious domains that generate the most traffic
Malicious domains that generate the most traffic (Akamai)

Security experts at Akamai claim that between November and December, traffic to malicious domains exceeded traffic to genuine ones, indicating a spike in harmful activity over the winter holiday season.

Comparing the Total Queries for Malicious and Actual Domains
Comparing the Total Queries for Malicious and Actual Domains (Akamai)

The traffic comparison between the actual site and fraudulent domains reveals shocking results. These malicious websites even surpass in searches during some weeks.

Notably, these peaks fall during the busiest shipping times in the US—Black Friday, Thanksgiving, and Christmas. It appears that threat actors plan in advance to take advantage of higher demands people have for their parcels during these holiday seasons by scheduling their USPS phishing campaigns.

A Time-Based Analysis for Monitoring Traffic Trends
A Time-Based Analysis for Monitoring Traffic Trends (Akamai)

Text scams impersonating the United States Postal Service continue to lure in victims, as evidenced by the web traffic to associated domains. Despite their prevalence, the impact of these scams is often underestimated, making it crucial to stay vigilant against digital threats.

The USPS and the U.S. Postal Inspection Service have pages on their websites that handle smishing schemes. Victims are advised to report such frauds to by the U.S. Postal Inspection Service.

Scammers sometimes link phishing emails or SMS messages directed at USPS customers with fake websites. These misleading advertisements claim that there are various reasons why packages cannot be delivered, including incomplete delivery details or unpaid fees.

Attackers instill a feeling of urgency in the victims, requiring them to take action fast—usually within a few hours—in order to avoid having the package returned to the sender.

Customers who receive SMS or email notifications about package shipping should exercise caution. It is recommended to visit the official website and check the product’s delivery status to verify the authenticity of such messages. Malicious websites can appear when clicking on package tracking URLs contained in these notifications.

Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our 14 day free trial to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.

Recent posts