Delivery alert

There may be an issue with the delivery of your newspaper. This alert will expire at NaN. Click here for more info.

Recover password

‘Phishy’ emails exploit holiday shipping frenzy

You didn’t have to watch CEO Jeff Bezos fantasize about a flying army of drones on “60 Minutes” earlier this month to realize that shipping packages during the Christmas shopping season is big business.

UPS, FedEx and the U.S. Postal Service each expect to ship millions of packages during the lucrative 27-day period between Thanksgiving and Christmas this year.

FedEx backed up predictions that Cyber Monday (Dec. 2) would be the busiest day in its 40-year history, handling more than 22 million packages on that day alone.

Not to be outdone, UPS projected it would ship 34 million packages on its peak day, which it expects to fall on Dec. 16.

And, as is usually the case, if there is money to be made by legitimate businesses, illegitimate businesses looking to scam you can’t be far behind.

That’s why the Better Business Bureau issued a “Scam Alert!” a few weeks ago, warning consumers to be on the lookout for bogus email shipping notifications carrying the names and logos of the major package-delivery firms.

Not only won’t these phishy emails help you track down your holiday packages, but they could infect your computer with viruses that can access your personal and financial information – or worse.

“Like all scams, this one has many variations. Scammers have posed as FedEx, UPS, USPS and even big online retailers, like Amazon” the BBB warns.

“A common version of this scam is a fake delivery failure notification. Scammers claim the attached virus is the receipt you need to collect your package from the local office.”

Several months ago, a newsroom colleague received three of these emails – all purportedly from DHL Express – within a 27-hour period.

“Dear Customer,” it began, “your package has arrived on August 1st, but messenger was unable to deliver the package to you, for more detailed information, please, download and read mailing label.”

Now if you can put aside the poor sentence structure and the strong aversion to periods for a moment, the emails look legitimate enough on the surface. Each carry the DHL logo and colors, and each lists the date and time, status and tracking ID number for the phony package.

But upon closer inspection, something doesn’t seem right. For starters, the tracking ID number in all three instances is superimposed over the last word in “Shipment not received,” making it extremely difficult to read.

And if you take the time to inspect the headers of the emails, the “From” line indicates they all came from different places with different email addresses: Priority Shipping Service (, Express Service ( and – my personal favorite – Shipping Service (

The clear intent of the email is to get you to click on the bold-lettered “GET MAILING LABEL” in the big, red box, which is when all the mischief begins.

The BBB says doing so will unleash a virus, which typically seeks out personal and financial information stored on your computer. If that weren’t bad enough, you also could be held hostage by what’s known appropriately enough as “ransomware.”

The BBB alert refers to a recent FBI warning about “CryptoLocker,” a particularly virulent version of ransomware. In short, this malware program encrypts your files – essentially locking down your computer – and then demands you dish out $300 for a “private key” to free them up.

To avoid this fate, the BBB offers a few tips for this and other email scams:

  • Don’t always believe what you see: As in the DHL example, scammers are really good at designing emails that look legitimate. That doesn’t necessarily make them so.
  • Be wary of emails that contain links or attachments: This is particularly true if you didn’t expect to receive the email in the first place.
  • Be skeptical of poor grammar and spelling: Again, as noted in the DHL emails, this can be a tip-off that the message didn’t originate with a reputable company.
  • Don’t panic: The most effective email scams try to scare you into taking immediate action – don’t. In this case, a simple Google search of “shipping notification scam” would have turned up more than 1 million items.

Nick Pappas is assistant business editor at the Albuquerque Journal and writes a blog called “Scammed, Etc.” Contact him at or 505-823-3847 if you are aware of what sounds like a scam. To report a scam to law enforcement, contact the New Mexico Consumer Protection Division toll-free at 1-800-678-1508.