Unpacking the Threat: UPS and FedEx Convincingly Impersonated in Phishing Attacks
If there’s one thing cybercriminals love to do, it’s create scenarios that exploit a person’s innate desire to resolve unexpected issues quickly—such as a package that can’t be delivered.
Regardless of what the package contains, having a delivery not reach its intended destination is exceptionally frustrating. And if the shipment is related to an organization’s operations, a failed delivery is not just inconvenient; it can also be costly.
In a series of recent phishing attacks, threat actors posed as UPS and FedEx and attempted to deceive targets into providing their credit card information under the pretense of fixing a problem with a pending shipment. What makes these attacks stand out is the impressive level of impersonation the perpetrators achieved, which made the emails and the accompanying phishing sites especially convincing.
Breaking Down the UPS and FedEx Impersonation Attacks
The initial emails, crafted to resemble notifications from UPS and FedEx, claim the respective recipients have a pending delivery that requires their attention.
The pretext for the email impersonating UPS is that the package has an unclear transit status, which the recipient must verify using the embedded link. The fake FedEx notification uses a similar pretense and states the target has a shipment en route. The perpetrator of this attack, though, chooses to increase the manufactured sense of urgency by claiming delivery of the package was attempted but failed, and the recipient must confirm the destination address via the provided link.
Each message contains a button the recipient is asked to click in order to start the process of resolving the shipment issue. However, should they click on the button labeled “CLICK HERE” in the UPS email or the button labeled “CHECK HERE” in the FedEx email, they will be redirected to a detailed, multi-step phishing site.
While the content of the emails is different, the next three steps in the phishing attack are nearly identical (save for the branding)—down to using the same fake photo purportedly of the target’s pending shipment.
On the penultimate page of the phishing site, the target is informed that they can expect their delivery within three days. But first, they must provide their contact information and remit a payment of $1.95 for unpaid shipping costs.
If the target clicks through all three pages, they are redirected to the final step—at which point they are prompted to enter shipping and payment details to finalize the request.
Should a target of either attack provide the requested information, it will be stolen by the threat actor, who can then use it to initiate fraudulent transactions for sums much larger than $1.95.
Why This Phishing Attack Is Noteworthy
Cybercriminals opting to pose as global carriers in phishing attacks isn’t an especially new or unusual strategy. Indeed, in a previous threat report analyzing phishing emails in which brands were impersonated, we found shipping service providers were the third most imitated.
That being said, bogus shipping notifications of the past often contained minimal text, limited formatting, and little to no mimicked branding beyond perhaps a single logo. These campaigns, on the other hand, include a remarkable level of detail and incorporate the impersonated carrier’s branding into not only the initial messages but also the multi-step phishing sites. Additionally, from a grammar, spelling, and syntax standpoint, the text of the emails is essentially flawless.
The attackers also utilize other tactics beyond the imitated branding to increase the appearance of legitimacy. For example, they hide the sender address behind display names of “UPS” and “FedEx Delivery.” Many mobile email clients do not automatically show full email headers, which means if either of the targets viewed the message on a mobile device, they would only see the misleading sender display name.
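The display-name trick described above is easy to catch at the mail gateway, where the full From header is available even if the recipient's mobile client later hides it. The following is an added example (not code from the original post or from any vendor) that parses a raw message with Python's standard email library and flags a message whose display name claims a carrier brand while the actual sender address is not on that carrier's domain. The brand-to-domain table, the sample message, and the function names are assumptions constructed for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict, Optional

# Assumption for this example: legitimate sender domains for the brands the
# campaign impersonates. A real deployment would maintain a vetted list and
# extend it with subdomains the carrier actually sends from.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address part of a From header."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _domain_belongs_to(domain: str, allowed) -> bool:
    """True if domain equals or is a subdomain of any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def display_name_impersonation(from_header: str) -> Optional[str]:
    """Return the brand named in the display name when the real sender domain
    is not that brand's, otherwise None. Only the display name is matched, so a
    genuine 'UPS <noreply@ups.com>' passes while a lookalike domain does not."""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        # Word-boundary match so "ups" inside "groups" does not trigger.
        if re.search(rf"\b{brand}\b", name, re.IGNORECASE):
            if not _domain_belongs_to(domain, domains):
                return brand
    return None


def triage(raw: bytes) -> Dict[str, Optional[str]]:
    """Parse a raw RFC 5322 message and report what the From header claims
    versus where it actually comes from."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_header = str(msg["From"] or "")
    return {
        "display_name": parseaddr(from_header)[0],
        "sender_domain": sender_domain(from_header),
        "impersonated_brand": display_name_impersonation(from_header),
    }


# Constructed sample resembling the UPS lure; the domain is a placeholder.
SAMPLE_EMAIL = b"""From: "UPS" <notify@parcel-update.example>
To: employee@corp.example
Subject: Action required: transit status for your package
Content-Type: text/plain

Your package has an unclear transit status. CLICK HERE to verify.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Run as a script it prints the parsed verdict for the constructed sample; in practice the same check would sit in a gateway or mail-flow rule and the result would feed a quarantine or banner decision rather than a print.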
Further, the threat actors request a meager $1.95 from the targets—an amount that is unlikely to raise any red flags. However, this is simply a way to steal credit card information that can then be used to make much bigger purchases.
The perpetrator of the FedEx impersonation attack even went so far as to spoof a payment page for a now-defunct ecommerce site that features four fraud prevention logos from well-known brands. Ironically, these badges are usually used to indicate to consumers that their personal information will be protected from theft. Interestingly, it seems whichever legitimate payment page the threat actor replicated for this attack is a couple of years old, as all of the badges are out-of-date or discontinued entirely.
The level of complexity of this series of attacks indicates one of two things. Either the perpetrators invested considerable effort into building branded phishing pages, or other threat actors have made particularly sophisticated phishing-as-a-service kits available on the dark web. Whichever may be the case here, these attacks represent the startling level of believability that modern cybercriminals can achieve—and showcase how easy it is for a target to be tricked into providing sensitive information.
What Makes the UPS and FedEx Impersonation Attack Challenging to Detect
Both employees and traditional email security tools, such as secure email gateways (SEGs), would have difficulty accurately identifying these emails as malicious for multiple reasons.
For employees, the impersonation of a known brand, convincing and consistent use of UPS/FedEx branding, and lack of conspicuous grammatical errors or misspelled words would make it challenging for the average person to recognize the email as a threat. Additionally, the manufactured sense of urgency could compel targets to act quickly without first confirming the authenticity of the email—especially when these emails are sent to employees who typically send a large volume of packages.
Because the messages use authentic-looking content, contain no malicious attachments, include a multi-stage phishing setup, and utilize social engineering tactics, they would also likely bypass a SEG. Legacy solutions like SEGs only flag messages that exhibit clear indicators of compromise—for example, emails sent from a known-bad domain or those that include an obviously malicious payload, neither of which is the case here. SEGs are also not equipped to grasp the subtleties of language and human behavior, making it difficult for them to differentiate between genuine and malicious intent.
Blocking Impersonation Attacks with Behavioral AI
In contrast to a SEG, an AI-native email security solution uses machine learning, behavioral AI, and content analysis to detect the use of social engineering and brand impersonation and accurately flag these emails as malicious. It builds per-user and per-organization AI detection models to understand normal activity for every employee and vendor and compares each message to these baselines to detect anomalies.
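To make the baseline idea concrete, here is an added, deliberately simplified illustration (not Abnormal's models or any product's code) of comparing a new message against per-user and per-organization history. It builds a baseline of which sender domains each recipient, and the organization as a whole, has received mail from, remembers which domains a given display name has historically come from, and scores a new message on how far it departs from that history plus whether it carries urgency language. The history rows, the scoring weights, the threshold, and the urgency phrase list are all assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed mail-flow history: (recipient, sender domain, display name).
# Assumption: a real system would derive this from months of traffic.
HISTORY = [
    ("alice@corp.example", "ups.com", "UPS My Choice"),
    ("bob@corp.example", "ups.com", "UPS"),
    ("alice@corp.example", "fedex.com", "FedEx"),
    ("carol@corp.example", "vendor.example", "Acme Billing"),
]

# Phrases the lures in the post rely on to manufacture urgency (illustrative).
URGENCY_PHRASES = ("action required", "failed", "confirm", "immediately")

# Generic words that should not tie a display name to a domain.
STOPWORDS = {"my", "choice", "delivery", "billing", "support", "team"}

FLAG_THRESHOLD = 4  # illustrative cut-off, not a tuned value


def _name_tokens(display_name: str) -> Set[str]:
    """Brand-bearing tokens of a display name, lowercased, stopwords removed."""
    return {t for t in display_name.lower().split() if len(t) >= 3 and t not in STOPWORDS}


class Baseline:
    """Per-user and per-organization sender baseline built from history."""

    def __init__(self, history: List[Tuple[str, str, str]]):
        self.user_domains: Dict[str, Set[str]] = defaultdict(set)
        self.org_domains: Set[str] = set()
        self.name_domains: Dict[str, Set[str]] = defaultdict(set)
        for recipient, domain, name in history:
            self.user_domains[recipient].add(domain)
            self.org_domains.add(domain)
            for token in _name_tokens(name):
                self.name_domains[token].add(domain)

    def score(self, recipient: str, domain: str, display_name: str, body: str) -> Tuple[int, List[str]]:
        """Return (score, reasons) for a new message. Higher means more anomalous."""
        score, reasons = 0, []
        if domain not in self.user_domains[recipient]:
            score += 1
            reasons.append("sender domain never seen by this recipient")
        if domain not in self.org_domains:
            score += 2
            reasons.append("sender domain never seen anywhere in the organization")
        for token in _name_tokens(display_name):
            known = self.name_domains.get(token)
            # The org has real mail from this brand, but from a different domain.
            if known and domain not in known:
                score += 3
                reasons.append(f"display name '{token}' historically came from {sorted(known)}")
                break
        if any(p in body.lower() for p in URGENCY_PHRASES):
            score += 1
            reasons.append("urgency language in body")
        return score, reasons

    def is_anomalous(self, recipient: str, domain: str, display_name: str, body: str) -> bool:
        return self.score(recipient, domain, display_name, body)[0] >= FLAG_THRESHOLD


if __name__ == "__main__":
    b = Baseline(HISTORY)
    print(b.score("alice@corp.example", "parcel-update.example", "UPS",
                  "Delivery was attempted but failed. Confirm your address."))
```

The point of the three tiers is that a genuine carrier notice to a recipient who has never personally received one still lands below the threshold because the organization has, while a lookalike domain wearing a known brand's display name scores high even before the urgency phrasing is counted.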
With an anomaly detection engine that leverages identity and context, an AI-powered email security platform can stop this attack before it reaches end users. In doing so, organizations can protect their employees more effectively and prevent their credit cards from being used for malicious purposes.
See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.