Unpacking the Threat: UPS and FedEx Convincingly Impersonated in Phishing Attacks

Attackers attempt to steal payment information by posing as UPS and FedEx and sending fake shipment notifications about a pending delivery.
June 26, 2024

If there’s one thing cybercriminals love to do, it’s create scenarios that exploit a person’s innate desire to resolve unexpected issues quickly—such as a package that can’t be delivered.

Regardless of what the package contains, having a delivery not reach its intended destination is exceptionally frustrating. And if the shipment is related to an organization’s operations, a failed delivery is not just inconvenient; it can also be costly.

In a series of recent phishing attacks, threat actors posed as UPS and FedEx and attempted to deceive targets into providing their credit card information under the pretense of fixing a problem with a pending shipment. What makes these attacks stand out is the impressive level of impersonation the perpetrators achieved, which made the emails and the accompanying phishing sites especially convincing.

Breaking Down the UPS and FedEx Impersonation Attacks

The initial emails, crafted to resemble notifications from UPS and FedEx, claim the respective recipients have a pending delivery that requires their attention.

UPS Fed Ex Phishing Impersonation Phishing Email E

Malicious emails impersonating notifications from UPS and FedEx, respectively

The pretext for the email impersonating UPS is that the package has an unclear transit status which the recipient must verify using the embedded link. The fake FedEx notification uses a similar pretense and states the target has a shipment en route. The perpetrator of this attack, though, chooses to increase the manufactured sense of urgency by claiming delivery of the package was attempted but failed, and the recipient must confirm the destination address via the provided link.

Each message contains a button the recipient is asked to click in order to start the process of resolving the shipment issue. However, should they click on the button labeled “CLICK HERE” in the UPS email or the button labeled “CHECK HERE” in the FedEx email, they will be redirected to a detailed, multi-step phishing site.

UPS Fed Ex Phishing Impersonation Phishing Page 1 B

The first pages of the phishing sites inviting the target to schedule the delivery of their package

While the content of the emails is different, the next three steps in the phishing attack are nearly identical (save for the branding)—down to using the same fake photo purportedly of the target’s pending shipment.

UPS Fed Ex Phishing Impersonation Phishing Page 2 B

The next step in the scam, which includes a photo purportedly of the package awaiting delivery

On the penultimate page of the phishing site, the target is informed that they can expect their delivery within three days. But first, they must provide their contact information and remit a payment of $1.95 for unpaid shipping costs.

UPS Fed Ex Phishing Impersonation Phishing Page 3 B

The second-to-last page informing the recipient they must pay a small shipping fee to reschedule delivery

If the target clicks through all three pages, they are redirected to the final step—at which point they are prompted to enter shipping and payment details to finalize the request.

UPS Fed Ex Phishing Impersonation Phishing Page Last

The last page of the phishing site requesting contact and payment information

Should a target of either attack provide the requested information, it will be stolen by the threat actor, who can then use it to initiate fraudulent transactions for sums much larger than $1.95.

Why This Phishing Attack Is Noteworthy

Cybercriminals opting to pose as global carriers in phishing attacks isn’t an especially new or unusual strategy. Indeed, in a previous threat report analyzing phishing emails in which brands were impersonated, we found shipping service providers were the third most imitated.

That being said, bogus shipping notifications of the past often contained minimal text, limited formatting, and little to no mimicked branding beyond perhaps a single logo. These campaigns, on the other hand, include a remarkable level of detail and incorporate the impersonated carrier’s branding into not only the initial messages but also the multi-step phishing sites. Additionally, from a grammar, spelling, and syntax standpoint, the text of the emails is essentially flawless.

The attackers also utilize other tactics beyond the imitated branding to increase the appearance of legitimacy. For example, they hide the sender address behind display names of “UPS” and “FedEx Delivery.” Many mobile email clients do not automatically show full email headers, which means if either of the targets viewed the message on a mobile device, they would only see the misleading sender display name.

Further, the threat actors request a meager $1.95 from the targets—an amount that is unlikely to raise any red flags. However, this is simply a way to steal credit card information that can then be used to make much bigger purchases.

The perpetrator of the FedEx impersonation attack even went so far as to spoof a payment page for a now-defunct ecommerce site that features four fraud prevention logos from well-known brands. Ironically, these badges are usually used to indicate to consumers that their personal information will be protected from theft. Interestingly, it seems whichever legitimate payment page the threat actor replicated for this attack is a couple of years old, as all of the badges are out-of-date or discontinued entirely.

The level of complexity of this series of attacks indicates one of two things. Either the perpetrators invested considerable effort into building branded phishing pages, or other threat actors have made particularly sophisticated phishing-as-a-service kits available on the dark web. Whichever may be the case here, these attacks represent the startling level of believability that modern cybercriminals can achieve—and showcase how easy it is for a target to be tricked into providing sensitive information.

What Makes the UPS and FedEx Impersonation Attack Challenging to Detect

Both employees and traditional email security tools, such as secure email gateways (SEGs), would have difficulty accurately identifying these emails as malicious for multiple reasons.

For employees, the impersonation of a known brand, convincing and consistent use of UPS/FedEx branding, and lack of conspicuous grammatical errors or misspelled words would make it challenging for the average person to recognize the email as a threat. Additionally, the manufactured sense of urgency could compel targets to act quickly without first confirming the authenticity of the email—especially when these emails are sent to employees who typically send a large volume of packages.

Because the messages use authentic-looking content, contain no malicious attachments, include a multi-stage phishing setup, and utilize social engineering tactics, they would also likely bypass a SEG. Legacy solutions like SEGs only flag messages that exhibit clear indicators of compromise—for example, emails sent from a known-bad domain or those that include an obviously malicious payload, neither of which is the case here. SEGs are also not equipped to grasp the subtleties of language and human behavior, making it difficult for them to differentiate between genuine and malicious intent.

Blocking Impersonation Attacks with Behavioral AI

In contrast to a SEG, an AI-native email security solution uses machine learning, behavioral AI, and content analysis to detect the use of social engineering and brand impersonation and accurately flag these emails as malicious. It builds per-user and per-organization AI detection models to understand normal activity for every employee and vendor and compares each message to these baselines to detect anomalies.

With an anomaly detection engine that leverages identity and context, an AI-powered email security platform can stop this attack before it reaches end users. In doing so, organizations can protect their employees more effectively and prevent their credit cards from being used for malicious purposes.

See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.

Schedule a Demo
Unpacking the Threat: UPS and FedEx Convincingly Impersonated in Phishing Attacks

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More
B State and Local Government Attack Trends
Advanced attacks targeting state and local governments are increasing. Discover what our research revealed about this alarming trend.
Read More
B Examining Employee Engagement with Email Attacks
Cybercriminals know that humans are your enterprise's biggest vulnerability and are successfully engaging with your employees at an alarming rate.
Read More
Explore how Abnormal’s AI Security Mailbox enhances cybersecurity by engaging and educating employees with personalized GenAI responses. Improve security awareness and streamline operations.
Read More
B Q2 2024 Attacks
In the second installment of our quarterly look-back at malicious emails, we examine 5 more recent noteworthy attacks detected and stopped by Abnormal.
Read More