UPS Takes Action Against SMS Phishing Attack

In an alarming wake-up call for the modern age, the recent data breach at United Parcel Service Canada Ltd. (UPS) has sent shockwaves through the cybersecurity realm. The data breach at UPS is a prime example of how the landscape of cybersecurity has changed due to the growing reliance on online platforms and emphasizes the possible dangers and vulnerabilities linked to digital systems. In June 2023, multinational shipping company UPS alerted customers in Canada that there was a chance that their personal data had been compromised. Attackers may have used UPS’s online package search tools to steal data for fraudulent activities like phishing.

In 2021, Singapore police warned of a widespread SMS phishing scam. These messages were impersonated on behalf of OCBC Bank, which incurred a financial loss of $13.7 million. It surprises many that people still fall prey to SMS phishing attacks. Posting a letter with the title “Fighting phishing and smishing – an update from UPS,” the company included information about phishing and smishing attacks. The letter indicated a data breach notification and warned of phishing risks to other customers. UPS investigated the cyberattack and found a vulnerability in their package system that leaked delivery information. 

Read about- SMS Phishing Scam: OCBC Bank’s Customers lost $8.5 Million

What did UPS Write in the Letter?

UPS stated in the letter that it has recently faced a data breach that exposed customer information, including addresses, phone numbers, and other private details. From February 2022 to April 2023, an unidentified group or individual exploited UPS’s website vulnerabilities. They illicitly gathered contact information of UPS clients using package tracking tools.

One concerning outcome of this breach has been the rise in fraudulent text messages received by some UPS package recipients. These phishing messages falsely claim that payment must be made before a package can be delivered. UPS prioritizes clear and concise breach notifications to ensure affected individuals understand the incident’s gravity.

“We cannot tell you with precision when our package look-up tools were abused. Between February 1, 2022, and April 24, 2023, it might have had an impact on some of the packages sent by a small number of shippers and their clients,” UPS said in the letter.

The threat actors are posing as Apple and LEGO shipments, with other companies probably also affected, according to a number of fraudulent SMS messages that Bleeping Computer has seen and believes were received during this campaign.

Know the Reasons Behind Successful Phishing Attacks

Measures Taken And Suggested by UPS to Mitigate Such Attack

In response to the breach, UPS has taken immediate action to bolster its security measures and minimize the risk of similar incidents occurring in the future. The company mentioned in the letter that customers should stay vigilant about the source of the SMS. They advised customers to check if the text messages are coming from number 69877. 

UPS has been interacting with delivery partners, law enforcement, and outside specialists to solve the issue at earliest. The company has implemented stringent measures to restrict unauthorized access to sensitive customer data. UPS acknowledges the significance of the breach and recognizes the potential impact it may have on its customers. The company advises individuals to exercise caution when encountering unexpected communications, particularly those that request sensitive information or payment. They published an advisory blog for its customers to safeguard themselves from phishing attacks.

In September and July, the Internal Revenue Service (IRS) and the Federal Communications Commission (FCC) warned Americans about a significant increase in SMS phishing attacks. These federal agencies urged individuals to exercise caution when receiving text messages from unfamiliar numbers, as these messages often contained misleading or incomplete information and suspicious links.

After reports surfaced about the data breach, the spokesperson of UPS Canada said, “We remain extremely vigilant in safeguarding against phishing attempts and other malicious activities by unauthorized individuals. UPS has become aware of reports concerning an SMS phishing, or ‘Smishing,’ scheme that specifically targeted certain shippers and their customers in Canada.” 

As a precautionary measure, UPS Canada will actively issue privacy incident notification letters to individuals in Canada whose information may have been affected. We strongly urge our customers and the general public to stay informed about the ongoing fight against fraud and take appropriate steps to protect themselves. In a conversation with Bleeping Computer, UPS Canada further stated that they are actively collaborating with partners, including the delivery chain, as well as law enforcement agencies and external experts, to understand the methods employed by these perpetrators. Consequently, they are determined to put an end to their activities soon. Law enforcement authorities have observed a rise in smishing incidents affecting various shippers and industries.

Read More about Impersonation Attacks Led By Email Phishing and Spoofing

How Can You Keep Your People Safe From Smishing?

Combining “SMS” (short messaging services) and “phishing,” the term “smishing” designates a particular kind of social engineering attack. In Smishing attacks, hackers take advantage of receivers’ faith in text messages rather than the bogus emails used in classic phishing attempts, which target people’s email accounts. Therefore, Smishing awareness is a significant step to follow in cybersecurity. Although technical safeguards like firewalls and antivirus software are essential, fraudsters continue to rely heavily on the human factor.

Informing and educating employees about the dangers of smishing and other social engineering techniques can considerably improve the entire security posture of an organization. Prioritizing people security management as a vital component of securing an organization’s digital infrastructure is crucial in the field of cybersecurity. Threatcop’s Smishing Awareness Training can be very helpful to every organization as employees can be vulnerable links because the success of a smishing attack totally relies on the unawareness and lack of vigil of an employee.

Scanning the links and attachments in an email helps organizations ensure they are threat-free, thereby reducing the chances of getting phished. Also, you can check the sender’s reputation report for every email to determine whether it’s legitimate or fraudulent. The repeated smishing simulation campaigns in this training can help you track how your employees react to smishing and if they have made any progress after each campaign. 

Creating an awareness-based culture and offering resources to assist staff in recognizing and effectively responding to suspicious messages can also prevent smishing attacks.To fulfill the need for security awareness training, organizations can use tools like Threatcop Security Awareness Training (TSAT). This will help you to increase employees’ productivity due to reduced time spent handling security incidents and recovering from cyberattacks. Invest in tools that equip your employees with the knowledge and skills to identify and mitigate potential security risks, reducing the organization’s vulnerability to cyber threats. 

Take a look at our blog on Prevent Phishing Attacks to Secure Your Organization

FAQs: UPS SMS Phishing Attack