This week we’ve found lots of phishing scams in which scammers are impersonating trusted brands, including Costco, MetaMask, and USPS. Would you have been able to spot all these scams?  

Phishing Scams  

Impersonating trusted brands, scammers spread phishing links via text message or email and attempt to get you to click on them. These links will lead to phishing sites designed to steal your personally identifiable information (PII): email address, credit card number, Social Security number, and more.

Why do they want your PII? With your PII, they can commit cybercrimes, such as draining your bank account or stealing your identity. Scammers often falsely claim that you’ve won a prize or reward and prompt you to collect it via a phishing link. The link takes you to a fake online form that asks for your PII:

Costco​ Halloween Scam

We’ve detected many Costco scams before. This week, scammers tried to trick you into thinking that you can get “an exclusive reward” in a made-up Halloween campaign:

Don’t click on anything! If you take the bait and click the link, it will take you to a fake Costco survey page that asks you to provide lots of your PII. Scammers will use these credentials for their own good, and you will receive nothing. Don’t fall for the scam! 

Avoid Scams for FREE

The truth is, there are lots of scams and scam sites on the internet and they’re getting even more difficult to detect with common sense alone. However, for an easy and reliable method of detecting and avoiding scam sites, check out our free Trend Micro ID Protection.         
 
ID Protection can shield you from scams, fake and malware-infected websites, dangerous emails, phishing links, and lots more! If you come across something dangerous online, you’ll be alerted in real time so you’ll know to stay well clear.        

In other cases, phishing links also lead to fake login pages:

MetaMask Phishing Scam

What will you do if you receive a MetaMask email that asks you to take security precautions via an embedded button? Don’t just click. Take a close look first! We’ve reported on fake MetaMask emails before, and this week there are more:

Posing as MetaMask, scammers claim that you need to provide additional personal information using the button in the email. If you click, you will be led to a fake MetaMask page that requires your recovery phrase to log in.

Watch out! If you submit your recovery phrase on the fake page, scammers can hack into your MetaMask wallet and steal all your crypto.

USPS Parcel Scams

Fake USPS delivery text messages never go away. This week we’ve seen more new cases; have you received any of them?

• The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link within 00 hours. <URL> (Please reply to 0, then exit the SMS, open the SMS activation link again, or copy the link to browser and open it) The US Postal team wishes you a wonderful day
• Package Tracking: Your package arrived at the transit center but could not be delivered due to incomplete address information. Details: <URL> best regards, USPS Customer Service
• (usps[.]c-openinfocenter[.]us <- Missing important delivery information: EHKZS0O0)
• [Delivery failed, addressee unknown] Your item has been delivered to the transit warehouse .But you are not at the shipping address or you <NAME>’t have a safe place to store it temporarily. Please click this link to view <URL> Get More Out of USPS Tracking: USPS Tracking Plus

These links lead to fake USPS tracking pages where you could eventually end up exposing your PII. Be careful!

Sample fake USPS tracking page URLs (as of Oct 27, 2023):

• Usps[.]c-openinfocenter[.]us
• Usps[.]postsall[.]com
• Upostverin[.]com
• Usps[.]serverc[.]us
• Usps[.]cannotbesent[.]com
• Uspp[.]shop
• usps[.]uspkp[.]com
• usps[.]uspspsk[.]com
• uspostalcenter[.]vip
• usps[.]catchfire-parcel[.]com
• usps-way[.]top
• usps[.]mybusipos[.]com
• usps[.]drop-parcel[.]com
• usps[.]drop-pp[.]com
• usps[.]safetycenter[.]vip

Note: Double-check the web address — the only legitimate domain is usps.com.

Tips to Stay Safe Online

• Double-check the sender’s mobile number and email address. Even if it seems legitimate, think twice before you take any action.    
• Never click on dubious links or attachments! Only go to official websites and apps to make purchases, update information, or track a package’s status.
• If you’ve accidentally revealed your PII somewhere, change your passwords immediately and inform your bank and/or other companies that scammers may contact them pretending to be you. 
• Check if any of your PII has been leaked and secure your social media accounts using Trend Micro ID Protection.   
• Finally, add an extra layer of protection to your devices with Trend Micro Maximum Security. Its Web Threat Protection, Ransomware Protection, Anti-phishing, and Anti-spam Protection will help you combat scams and cyberattacks.  

If you’ve found this article an interesting and/or helpful read, please SHARE it with friends and family to help keep the online community secure and protected. Also, please consider leaving a comment or LIKE below.