Wednesday, December 4, 2024

Modern survival skills: How to check if a tracking number is real

Spokeo shares actionable tips to prevent and survive fake tracking number scams.


A woman using a laptop and phone to check a parcel

Rawpixel.com // Shutterstock

One flaw that's deeply ingrained in human nature is the desire to get something for nothing. It's why people flock to "buy one, get one" sale offers or buy lottery tickets that might (but usually don't) give them a lifetime's earnings in a heartbeat. 

Unfortunately, it's also why scammers expend so much energy on finding ways to fleece others instead of engaging in honest work. One frequent scam—especially now that the pandemic has made online purchasing so common—is the fake USPS tracking number or a fake tracking number from some other courier service. They're used in multiple ways—all of which are bad news, Spokeo reports. 

Fake Tracking-Number Scams

There are many ways scammers can leverage a fake tracking number, but they fall into two broad categories. The first affects anyone who buys or sells online. In this case, someone makes a purchase from a given vendor and, in due course, receives a tracking number.

Time passes, and the item doesn't arrive, so they check the tracking number, and—to their surprise—it shows that the item was, in fact, delivered.  It turns out that the scammer used the number of a legitimate delivery in the receiver's geographic area. Because tracking shows the item as being delivered, scammers know that challenging the purchase through a payment service like PayPal or a shopping platform like eBay can be difficult (but not impossible). The tracking number may come from the USPS, UPS, or another carrier; how scammers access the numbers is unclear, but that's a problem for the carriers to address. 

The second form of a tracking-number scam is a straightforward phishing attack. The victim receives an email or bogus text, usually claiming to be a tracking alert or a missed-delivery alert from UPS, FedEx, USPS, or some other carrier. The message contains a clickable link or a phone number, so the receiver can reach out to see where their parcel is or correct a problem with their delivery. If they click the link, malware may be loaded onto their phone. If they call the number, a helpful "agent" will take their personal information. Either way, identity theft and fraud are likely to ensue. 

How to Check if a Tracking Number Is Real

Sometimes the number a scammer sends is simply fabricated. The tracking number formats used by the USPS and other major carriers are well known, so they're easily spoofed. Sometimes they're perfectly legitimate tracking numbers, but "fake" in the sense that the scammer has misappropriated them. Either way, checking the number isn't especially difficult. 

Only the laziest and clumsiest of scammers would use a fake USPS tracking number that isn't in the right format, but by all means, screen for that. If you search "USPS tracking number format," or the equivalent for any other carrier, you'll see a numeric or alphanumeric format. If your purported number doesn't match the format, it's bogus (although bear in mind some carriers use multiple formats depending on the type of package or class of service). 

The other way is simply to go to the carrier's package-tracking website and type in the number—but don't get there by clicking the link in the message. Instead, use your browser (or app, if applicable) to navigate to the carrier's site yourself. If the number is bogus, you'll get an error or no results. If the number is legitimate, look at the tracking information. If it's not for a purchase you've made, or if the dates are wrong, it's bogus. If you've gotten a phishing text, that's all you need to know. If you were given this tracking number after making a purchase but didn't receive a delivery, you've probably also been scammed.

Other Signs of Fake Tracking Numbers

Often you won't need to search the tracking number to know that it's probably fraudulent. In the case of the USPS, for example, you'll only get a text about your delivery if you've specifically signed up to receive them for that specific package. If you didn't do that, it's bogus, every time.  Also—and this is a big one—legitimate texts from the USPS won't contain a link, ever.  

The same logic holds true for other carriers. If you receive an unsolicited, unexpected message, it's probably bogus. If you want to see what real-world phishing attacks look like, UPS has an extensive list of examples on its website. There are usually a number of tell-tale clues to betray a phishing message: logos that don't look quite right, spelling or punctuation errors, or language that demands the receiver act immediately.  

Links in the message will often be concealed under a button or clickable text, but if you hover your mouse over it, the underlying link will pop up (on a mobile device, a long press does the same thing). A link going to a noncarrier website is a big red flag, as is a shortened link that obscures the destination site. Unfortunately, even legitimate URLs can be spoofed using non-Roman characters that look right to human eyes but are actually grabbed from other languages (a so-called punycode attack). Your browser protects you against this to some degree, but sophisticated attackers can still use this technique successfully.
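The link checks described above can be automated for triage of reported messages. The following is an added example, not part of the original article; the carrier allowlist, the shortener list, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: a small allowlist of carrier domains and a
# few well-known URL shorteners. Extend both lists for real use.
CARRIER_DOMAINS = ("usps.com", "ups.com", "fedex.com")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")

def _under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage_link(url):
    """Return the red flags the article describes for a link in a message."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        host = ""
    if not host:
        return ["unparseable"]
    flags = []
    if not host.isascii():
        flags.append("non-ascii-host")   # raw lookalike characters
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")    # encoded internationalized name
    if _under(host, SHORTENERS):
        flags.append("shortener")        # real destination is hidden
    elif not _under(host, CARRIER_DOMAINS):
        flags.append("non-carrier")      # not a carrier's own site
    return flags

def readable_host(host):
    """Decode xn-- labels so a reviewer can see the real characters."""
    return ".".join(
        lab[4:].encode("ascii").decode("punycode") if lab.startswith("xn--") else lab
        for lab in host.split("."))

# Constructed sample links (not taken from real messages).
LOOKALIKE = "u\u0455ps.com"  # U+0455 is a Cyrillic letter, not the Latin "s"
SAMPLES = [
    "https://www.usps.com/",
    "https://bit.ly/constructed-example",
    "https://usps.com.parcel-redelivery.example/track",
    "https://usps.com@parcel-redelivery.example/track",
    "https://" + LOOKALIKE + "/track",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage_link(link) or ["no flags"], link)
```

The third and fourth samples show why the check compares the parsed hostname rather than searching the URL text for a carrier name: both contain "usps.com" but resolve to a different site.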

Dealing With Suspicious "Tracking Number" Messages

When it comes to unsolicited messages, there's a simple rule to follow: If it contains a link, it's probably a phishing attack. Period. To stay out of trouble, never, ever click the link in a message. If you're legitimately expecting packages, that's fine: Go to the carrier's website, as described earlier, and check the tracking number manually (or call customer service at the number listed on the company's website if you've received one of those "there's a problem with your delivery" messages). 

That's especially important with text messages because while most people are understandably jaded about emails, they still tend to open texts. By some accounts, people open up to 98% of texts and usually respond within minutes. For scammers (as with legitimate marketers), that means putting their message in front of more eyeballs and increasing the chance of success. 

What to Do About a Fake Tracking-Number Scam

If you've been victimized by a seller using the fake tracking number ploy, grab screenshots to document the entire history of your transaction, and reach out to the carrier for more information on the real delivery that corresponds to your tracking number. 

If the shipping or delivery date doesn't correspond to your order, or if the carrier can verify in writing that the delivery did not come to your address, you'll have a stronger case for restitution.  This may require persistence on your part since the carrier is obligated to protect the privacy of the customer receiving the real delivery.

If you've received a phishing message, you should report it to the company it claims to come from.  In the case of the USPS, you'd email the U.S. Postal Inspection Service; you can reach out to UPS and FedEx through their respective websites. If you've fallen victim to a scammer through one of these schemes, you should also report the incident to the FBI's Internet Crime Complaint Center (IC3) and the FTC's Report Fraud website. The latter is especially helpful because it will walk you through creating a personalized recovery plan to undo any damage. 

At the end of the day, these scams are relatively easy to thwart. If you're making a purchase, verify the sender before you pay. If you've received what may be a phishing message, don't click the link. Those two simple rules can save you a world of grief.

This story was produced by Spokeo and reviewed and distributed by Stacker.