USPS Text Scam: Cybercriminals Hiding Malicious PDFs

In the ever-evolving landscape of cybercrime, scammers are constantly finding innovative ways to exploit unsuspecting victims. The latest threat involves a new USPS-themed text scam that uses a unique method to conceal malicious PDF links, making it more challenging for recipients to recognize the danger. Understanding how this scam works and how to protect yourself is important if you want to stay safe in our online digital world.

The Scam: What’s Happening?

This new scam impersonates the United States Postal Service (USPS) and sends targets a seemingly legitimate notification about USPS package delivery issues. These messages often include alarming or urgent language, such as “Your package is delayed” or “Action required to complete your delivery.” Accompanying these texts is a link that seems to direct you to a USPS-related site. However, the link actually leads to a malicious PDF file hosted on a legitimate file-sharing service, such as Dropbox or Google Drive.

Once the recipient opens the PDF, they are often directed to phishing sites or tricked into downloading malware. The use of legitimate file-sharing platforms to host the malicious files makes the scam appear more credible and bypasses traditional email and text filtering systems.

Why Is This Scam Unique?

1. Use of Legitimate Services: By hosting malicious PDFs on trusted platforms like Dropbox, cybercriminals exploit the credibility of these services to deceive users.
2. Evasion Techniques: The scam avoids direct links to phishing sites, which are often flagged by email and text security filters. Instead, it uses an intermediary step, making detection and prevention more difficult.
3. Targeting Mobile Users: Text-based scams are designed to target mobile devices, where users are more likely to click on links due to smaller screens and on-the-go distractions.

How to Identify the Scam

Recognizing the signs of a USPS text scam can help you avoid falling victim. Here are some red flags to watch for:

• Unexpected Messages: Be wary of texts claiming issues with a delivery you weren’t expecting.
• Urgent Language: Scammers often use urgency to pressure victims into acting quickly without thinking.
• Suspicious Links: Hover over links (if possible) or examine them closely. If the URL leads to a file-sharing platform or looks unusual, it’s a red flag.
• Grammar and Spelling Errors: Legitimate USPS communications are typically professional and free of grammatical mistakes.

How to Protect Yourself

To stay safe from scams like this, follow these cybersecurity best practices:

1. Verify Messages: If you receive a text about a package issue and you were expecting a package, verify it by visiting the USPS website or contacting their customer service directly.  If you weren’t expecting a package, mark the message as SPAM and delete it.
2. Avoid Clicking Links: Never click on links in unsolicited messages, especially if they seem urgent or suspicious.
3. Adopt a Password Manager:  this is the only way to set long and strong passwords on the hundreds of online accounts we all operate today.  Set each account password to a unique randomly generated password and allow the Password Manager to fill it in when logging into your online accounts. 
4. Enable Multi-Factor Authentication (MFA): Secure your USPS account with MFA to reduce the risk of unauthorized access if credentials are stolen.
5. Keep Software Updated: Ensure your device’s operating system and apps are up-to-date to protect against known vulnerabilities.
6. Use Security Software: Install reputable antivirus and anti-malware programs to detect and block malicious files or links.

What to Do If You’ve Been Targeted

If you suspect you’ve received a malicious USPS text or clicked on a suspicious link, take these steps immediately:

• Block the Sender: blocking the sender and marking it as SPAM will help cell phone carriers identify compromised and malicious accounts on their network.
• Do Not Download Files: Avoid opening any attached PDFs or downloading files from suspicious sources.
• Scan Your Device: Use security software to scan your device for malware or other threats.
• Report the Scam: For netiquette bonus points, you can forward the text message to 7726 (SPAM) to report it to your mobile carrier. You can also report phishing attempts to the FTC at reportfraud.ftc.gov.
• Monitor Your Accounts: Keep an eye on your financial and online accounts for any signs of unauthorized activity.
• Bonus: to protect yourself from Identity theft, follow the advice in this article to Freeze your credit, preventing financial accounts from being opened in your name.

Conclusion

Cybercriminals are becoming increasingly creative in their methods, and the new USPS text scam is a testament to their ingenuity. By hosting malicious PDFs on legitimate platforms, they’ve found a way to exploit trust and bypass traditional security measures. Staying alert, adopting good cybersecurity habits, and educating yourself about the latest threats are essential steps in protecting yourself and your digital life from scams like this.

Stay informed, stay cautious, and share this information with others to help prevent them from falling victim to this new scam.

Secure your business with CyberHoot Today!!!

Sign Up Now

Not ready to sign up yet, but want to learn more? Attend our monthly webinar to see a demo of CyberHoot, ask questions, and learn what’s new.  Click the Green Box below to Register.  You want to, I can feel it!

Webinar Registration

 Additional Reading:

• SC Media – New USPS text scam uses unique method to hide malicious PDF links