A multinational shipping company, UPS distributes notification letters to its Canadian customers. The notes state that some personal details owned by the customers suffer exposure in its online package look-up tools after falling victim to a phishing campaign.
Based on reports, the notification letter from UPS Canada is about awareness against phishing campaigns since the title of each letter is “Fighting phishing and smishing – an update from UPS.” However, the primary message of the notes includes a data breach notification after the company disclosed in the letters that it received reports of SMS phishing messages that contained recipients’ names and address details.
UPS shipping also stated that some customers had received scam text messages.
According to UPS shipping, some of the packages received by their customers contained fraudulent text messages that demanded payment before delivering the package. Hence, the company contacted its partners within the delivery chain to investigate the method used by the attacker to harvest their target’s shipping details after receiving the phishing reports.
After the initial investigation, UPS discovered that the threat actors that orchestrated the ongoing phishing attack utilised package look-up tools to access delivery details, including the recipient’s data, between February last year to April this year.
The company has adopted preventive measures to restrict access to sensitive data to mitigate the chances of phishing attacks against unsuspecting customers.
Furthermore, the delivery company stated that it is reminding individuals whose details may have been compromised to ensure they know the phishing situation.
The customer data within the package look-up tools include the customer’s name, shipment address, phone number, and order number. Unfortunately, the delivery company explained that they could not provide an exact time frame when the attackers misused the package look-up tools. The incident may have compromised packages for a small group of customers and some of their customers from February 2022 to April 2023.
Phishing attacks have affected UPS customers worldwide since online reports showed that the threat actors used names, phone numbers, postal codes, and recent information from orders.
Customers should be aware of phishing and fraud tactics to avoid compromise that could lead to financial loss.
