By BECKY RUTHERFORD
So last week, I got two texts notifying me of a package “on hold” since April.
One came in on Tuesday; the other came in on Friday. Both came in from unknown numbers. Both had URLs that were shortened, using a tool like Bit.ly.
Bit.ly and other URL shortening tools allow a user to take a very long URL and shorten it. For example, I could take www[.]ilovecats[.]com[/]myfavecat and shorten it to something like bit[.]ly[/]1uy742iKL. Why would I want to do this? It can be easier to share links if they are shorter.
Unfortunately, this is something that is frequently abused by scammers. You have no idea what you are clicking on with a shortened URL; it could go anywhere. As a general rule, I avoid clicking on shortened URLs.
So what to do about the persistent texts about my “missing package”? Well, I deleted them and blocked the number. If you got such a text, it was indeed a scam. You do not have a missing package!
People across the nation have been reporting this scam with the same numbers and shortened URLs in many cases.
Had you clicked the link, it likely would have taken you to a page spoofing a popular package delivery company, and requesting that you login. If you had done so, the bad actors would then have your login credentials. If your account was not protected with 2FA, they could hijack your account. Even if your account is using 2FA, if you are on a compromised web page, they may realize this and request a 2FA code from you. They could use this stolen code to access your account.
The other threat from clicking unknown links on your phone; you may download malware onto your device. It would likely be done very silently, and you might not even notice. Depending on the type of malware, they could siphon a lot of data off your device, and use it to steal your identity, financial information, and more.
Text message phishing remains a widespread threat. It is harder to tell what is real on a phone than it is on a computer. You might feel safer clicking on your phone than you do on your computer. It’s a trap! It’s decidedly not safer; if you end up on a credential harvesting webpage, it can be worse. On a smaller screen, it can be much harder to tell if you are on a spoofed page.
Another popular text scam out there is the “work from home” scam, likewise with a dangerous link. There are also many COVID-19 themed scams out there right now.
If you get a text message and you aren’t sure it is legitimate, stop and think before you click. Go to your email and look up any packages you might have pending. Likely the tracking information is in your email, and you can get the tracking number and go directly to the page to check. Never click a link in a strange email or text. It’s a great way to lose data, money, and more. Always go directly to the company either via a known phone number or website and confirm what the text is telling you. These scams are meant to surprise and scare you into clicking. Don’t take the bait! Investigate, then block the number and delete the message from your device.
Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.