How to Avoid Delivery Confirmation Scams

The coronavirus pandemic brought out a lot of things in people, both admirable and not-quite-as-such, but it really brought out the online shopper in a lot of us. More packages than ever are being left on more doorsteps than ever (which was already happening anyway, the virus just accelerated things), and that means a lot of delivery confirmations and notifications arriving in email inboxes and text messages. Usually, these contain a link to the seller or carrier’s website, where you can track the status of a delivery.

Never ones to leave a potentially-lucrative situation unexploited, scammers are leveraging this deluge of notices to launch phishing attacks disguised as alerts regarding the shipment or delivery of online purchases. The messages contain a link that leads to a website created solely to harvest personal information, install malicious software onto your computer or device, or both.

Some phishing messages attempt to impersonate the seller (Amazon or Walmart, for example), while others appear to come from the company shipping the item (USPS, UPS, FedEx, etc.). Some target college students who found themselves sent home abruptly in March, and refer to deliveries that have supposedly been waiting for them to pick up for six or seven months.

The first step you can take to avoid this type of phishing is to be as organized as possible, and make sure you know what you have ordered, whom you ordered from, and when. If you’re only waiting on one package from Amazon, and one other being shipped via USPS, you will be instantly suspicious of a notification from Walmart or UPS.

You can also decline to click or tap links in emails or text messages. If you want to check on a shipment, use the information originally provided by the seller and visit the correct website directly (which will be simple if you’re already doing that “be organized” thing I just mentioned). As always, notifications and confirmations from real companies, while brief, will almost always have correct spelling (and grammar when/if present). Misspelled words, dropped plurals, incorrect verb tense—these are all signs that something is a little “off” about a shipping confirmation.

Prevent Scams by Imagining an In-Person Approach

Imagine yourself walking down the sidewalk. A stranger approaches you. He is wearing business attire and a nametag from a large, multinational bank or credit card provider. He says this: “Excuse me, Customer? Your card has been deactivated due to suspicious activity. Would you please tell me your name, account number, Social Security information, online banking password, and PIN?”

Would you give this person anything he asked for?

Of course you would not. However, this scenario is exactly what happens in the classic phishing scheme: a message informs you that your card has been deactivated, and gives you a link to a website designed to harvest personal financial information and hand it over to someone you don’t know. The message and the website may be dressed up in logos and slogans that mimic some large financial provider, but that does not make them real. The only real difference is that the communication is happening through email instead of in person.

If you picture unexpected emails, text messages or phone calls from people you don’t know (and whose identity you therefore cannot verify) as in-person approaches, the suspicious intent becomes incredibly clear.

Would you listen to a person running up to you on the street and saying that because you did not pay your taxes (or failed to report for jury duty) you are going to be arrested in one hour unless you buy a prepaid debit card and tell them the numbers?

If someone tapped you on the shoulder and said, “Greetings. You have won the Microsoft Email Lottery. Two-point-five million United States Dollars. But you have to give me five thousand to cover taxes and fees first,” would you run straight for your bank to withdraw the cash? How would you react to a stranger telling you they wanted to immediately hire you for a work-at-home job processing payments, and all you have to do is open an account at a certain bank and tell them the account and routing numbers? Would it strike you as a legitimate offer?

How to Freeze Your Credit

New account fraud, in which someone uses your personal information without permission to open new credit accounts in your name, is probably one of the first things that springs to mind when you hear the words “identity theft.” It is still one of the more common ways thieves use stolen information. A security freeze is your most effective tool in preventing this type of identity crime.

A freeze prevents new credit accounts from being opened using your personal information unless you lift the freeze in advance of applying for new credit. This is accomplished using a PIN that is created when you place the freeze. A freeze can stop an identity thief from creating new lines of credit, even if they have all your information.

There are three major credit bureaus, and each has a specific method for placing and lifting a security freeze. While you can still request a security freeze by postal mail, going online is by far the easiest and quickest method. Make sure to visit all three bureaus, and simply follow each one’s instructions to place your freeze and get a PIN.




Make sure to bookmark each website so you can lift the freeze later if the need for a new account arises, and keep your login/password information safe if a site requires you to create an account. One trick: if you are applying for new credit and you know which credit bureau the lender uses, you can lift the freeze temporarily for only that particular credit bureau, instead of all three.

Finally, make sure you keep your PIN somewhere safe, where it will not get lost. A lost security freeze PIN can be handled, but it takes a while and is a much bigger hassle than simply keeping track of your PIN.

Keep in mind that a freeze helps prevent one type of identity theft, but does not prevent existing accounts from being accessed with stolen credentials, fraudulent credit or debit card transactions, employment or medical identity theft, or the filing of fraudulent tax returns. In other words, even after you place a security freeze, you must remain aware of the risks of identity theft and protect your personal information.

Three Tips for Keeping Your Information Safe

So you have a crosscut shredder and you know to hang up on that “you owe back taxes” phone call, but personal information can be compromised in many ways. Here are a few personal data security tips that you might not have considered.

Never email your Social Security Number

No matter who someone claims to be, there is never a reason to send someone your Social Security Number via email, even if you are initiating contact with someone you believe works for the IRS. This happened to a writer at Lifehacker—she wrote an article about the 2020 Economic Impact Payments, and a number of readers somehow got it into their heads that she was from the IRS and began emailing questions that included a lot of personal information. Don’t ever do it. Even if you somehow are in contact with the IRS or other government entity via email (which is exceedingly rare), they already have your SSN and other information. If someone you don’t know is asking for your number via email, they’re up to no good. If it is someone you do know, with a legitimate reason to need your SSN, there are safer ways to relay this information.

(The entire above paragraph also applies to text messages. Don’t text your Social Security number, either.)

Never email an account number or PIN

On a similar note, it is a bad idea to email financial account numbers. If you get the wrong address, you could accidentally send your information to someone else. In the same way the federal government already has your Social, any business you have an account with already has your account number. They can look it up. You also never know what the email security protocols are like on the other end. Even if the security system itself is robust, how do you know your email isn’t sitting out in full view on an unlocked computer, while the recipient walks away (or leaves for the night)?

Never give additional information

If you successfully opened an account or membership with a company, you have already provided them with all the information they need. For example, if you sign up for Netflix, all they need is your name, email address, phone number, and payment information. However, phishing emails that appear to come from Netflix appear in inboxes every day, and many of these contain links to fake websites designed to harvest further information, such as banking passwords/PINs, Social Security numbers, and other personal details. Don’t do it. If they needed a piece of information, they would have asked for it before opening the account.

Employment Scams are Still Going Strong

The Better Business Bureau has released a report on employment scams that is well worth a read (it’s only about six pages long, not counting the title page and what would be the back cover if the report were printed).

There are some interesting findings in the report.

In 53% of cases where someone responded to a job offer that turned out to be fraudulent, the primary thing that attracted the victim was the promise of being able to work from home. This is nothing very new—I was writing about the scammy nature of online work-from-home offers ten years ago—but I have a feeling that fake job listings will increasingly promise working remotely as the pandemic continues in the U.S. Stay home full-time and get paid? I would want to take that action without a pandemic simply because I don’t like commuting. If I was looking, and if any of those jobs weren’t scams.

The age group most targeted by, and most likely to fall for, a fraudulent job posting is the 25-34 range. People in that age bracket are often looking for their first career-type job, and those with established careers still tend to change employers often. Additionally, a lot of them don’t (or barely) remember a time when the internet wasn’t just an everyday fact of life, the way the television was just there if you grew up in the ‘60s, ‘70s or ‘80s. They may not have developed an innate slight distrust of online offers yet, which is such a helpful scam-avoidance tool.

While younger people are more likely to be victims, the greatest monetary losses to these scams are incurred by people aged 45-54 and 65+. Women are more likely to encounter a fraudulent job listing online, but men are slightly more susceptible to becoming a victim. Unemployed persons account for over half of the encounters with job scams, which makes sense because they are more likely to be looking in the first place.

If you’re looking for work, there are a few things to keep in mind. First, you must research every single company that puts an advertisement up. Make sure it’s a real employer offering a real job that pays real money. Never pay someone else in order to secure a position, and assume any listing with the words “work from home” is very, very likely fraudulent. There are exceptions, but they are few.

Finally, some online job postings involve processing payments from home—receiving large sums into your account, then transferring or wiring it to overseas accounts, or processing shipments—receiving electronic goods which are then “reshipped” to someone else. These jobs will compensate you, but they are actually part of an organized money laundering scheme, leaving you as one of the only verifiable, domestic, and easy-to-locate links in the chain. Victims of these scams can find themselves in legal trouble if law enforcement decides they “should have known” something was not right.

You Have Not Been Awarded a Grant

“Money for Nothing” is a great song (from a year I’m not going to name because none of us need to feel that old right now) but a lousy concept to hang your hopes on. Especially when it comes to the promise of grant money.

Hang around the internet long enough and you’re bound to see an advertisement, email or social media post (or direct message) informing you that you—yes, YOU—have been awarded a grant you didn’t apply for, or can get one simply by responding to the pitch.

This is the problem: grant money is kind of hard to get. First, you must have an identifiable project that needs funding. Then you must find a grant that is earmarked for projects like yours. Then comes the application process, which can be quite exhaustive (and exhausting). After the paperwork comes the waiting. If you are successful, then comes using the money exactly as indicated, then (usually) reporting back to the grantor with proof that you did so.

But in the popular imagination, grants are just free money indiscriminately handed out for doing whatever. That makes grants, especially federal grants, an easy setup for scams. Here are some things to keep in mind:

  • You will never be awarded a grant you did not apply for.
  • They do not hold drawings or raffles to distribute grant money.
  • Real government grants do not require you to pay up front—advance fee fraud is a very common grant scam (there may be private foundations that require an application fee, but this would be exceedingly rare, and cause for suspicion in most cases).
  • Grantors will not contact you out of the blue; it is your job to find them.
  • Your friend on Facebook, Twitter or Instagram is not telling you about a real grant opportunity. Your friend’s account has been hacked or cloned.
  • You will generally never be awarded a grant to simply do whatever you want with it.
  • For the most part, grants are not advertised, and the word “free” is suspect; there may be exceptions involving famous people running a nationwide project, but a yard sign or a flyer on a pole? No.
  • “Cash this check, then wire some of it back to me for fees/taxes/because the amount is too high” is always, always, ALWAYS a scam.

What do the people running grant scams want? They want the usual: for victims to give them money or personal information. They may ask for banking information in hopes of breaking into your accounts, other personal details to steal your identity, an upfront payment via wire transfer or prepaid gift cards, or to convince you to cash a check, then wire funds back before the check comes back as counterfeit.

Mystery Seeds and Brushing Scams

By now you have probably heard of people getting packets of mystery seeds sent to their homes, apparently from China. And you may have heard the term “brushing” applied to this scheme. But what is brushing, and how should you respond?

Brushing is a scam used by online sellers to boost their product ratings at online marketplaces, such as Amazon, that allow third-party sales. Sellers will order their own products through these channels and send…something…to random recipients, then use the now “verified” purchase (since a shipping label was created and the shipment was completed) to post five-star reviews of their own product on the unwitting recipient’s behalf. The sales also help artificially inflate the product’s ranking on the site through which it was “sold.”

What gets shipped to the random recipients is generally not the product whose ranking and reviews are being inflated. It will be an inferior knockoff, an empty box, or in the case of this latest version, a packet of mystery seeds, labelled as jewelry on the outside of the mailer.

What should you do if you get a packet of seeds you didn’t order?

First, do not plant them. They could be an invasive species capable of destroying crops if they spread, such as amaranth, which has already been identified in some cases. By that same token, don’t throw them in the trash, since they could take root at the landfill and spread from there. (Also, don’t eat ‘em, smoke ‘em, or stick ‘em in your ear. I know that should be obvious, but people can be…surprising.)

Do not open the packet. If you live in Indiana, mail them along with the envelope and any packaging to:

State Plant Health Director
Nick Johnson
3059 N. Morton St.
Franklin, IN 46131

(Outside of Indiana, you will need to find out where to send the seeds.)

If you are concerned about identity theft or data breaches, change your password with any online retailers you do business with, and keep an eye on your credit reports and bills. The addresses used in this scheme are mostly obtained by the sellers buying a mailing list, but it never hurts to use a little extra caution.

Watch Out for This Amazon Prime Phishing Scam

Here is the text of an email that has been used to target Amazon Prime members:

Dear customer,

Your Amazon Prime membership is set to renew on [DATE].

However, we’ve noticed that the card associated with your Prime membership is no longer valid.

To update the default card or choose a new one for your membership,

Please find the document attached and follow the on-screen instructions.

To prevent interruption of your benefits, we will try charging other active cards associated with your Amazon account if we can’t charge your default card.

If we can’t process the charge for your membership fee, your Amazon Prime benefits will be suspended.

The message includes an attached PDF file.

There are other versions of this attack out there. Some are poorly-spelled attempts to convince the recipient to click on a link and log in to what they think is the Amazon website, but isn’t.

However, in this case the grammar and spelling are fine, and the original message as it appears in your inbox contains correct Amazon Prime logos and graphic elements. This one isn’t trying to weed anyone out—it is designed to convince as many people as possible to open that attachment.

What’s in the attached PDF? Most likely the file is infected with malicious software, something that will either log keystrokes or give someone else access to and control of your computer. It may even contain actual instructions for logging into your Amazon account.

If you are a Prime member, keep track of your renewal date so you will know right away if an email has any chance of being legitimate. But also remember that Amazon isn’t going to send you a message with an attached file. Never open an attachment in an email message you weren’t expecting. Even if you think the card associated with your Prime membership might really be expired, don’t click any links or open attachments. Instead, visit the Amazon website directly and log in to check.

Add Warren Buffett to the List of People Not Giving Away Free Money

Bill Gates isn’t the only game in town when it comes to scammers posing as generous billionaires. Here is an email that made the rounds over the past year:

My name is Mr. Warren E. Buffett an American business magnate, investor and philanthropist. am the most successful investor in the world. I believe strongly in ‘giving while living’ I had one idea that never changed in my mind? that you should use your wealth to help people and i have decided to give ($2,500,000.00) Two Million Five Hundred Thousand United Dollars, to randomly selected individuals worldwide.On receipt of this email, you should count yourself as the lucky individual. Your email address was chosen online when searching at random. Kindly get back to me at your earliest convenience , so I know your email address is valid. ( warrenbuff02(at) ) Email me Thank you for accepting our offer, we are indeed grateful You Can Google my name for more information: Warren Buffett .God bless you.

Sure. Warren Buffett’s email address is going to be “warrenbuff02(at).” And he’s going to forget the word “I” at the beginning of a sentence. And rich people give away millions to random individuals all the time. That’s how they get rich—by giving it away, not by getting it and keeping it. Everybody knows that!

So, it is very obvious that this message is designed to appeal only to the absolute most trusting individuals, and weed out anyone who might start to respond but become suspicious and not follow through. It is also obvious that the World’s Richest People are going to forever have their names utilized in email-based grifts like this one, so for future reference, if you get one of these from Jeff Bezos later on, that’s a scam, too.

A Reminder That the IRS Won’t Email You

Will there be a second round of direct Economic Impact Payments to U.S. residents in 2020? The debate continues as of this writing (mid-June 2020), and while the question of whether or not it will happen might be resolved by the time this article is published on June 24th, I ran across an article that is disturbing in either case: Second Stimulus Payment Fraud: Why 35 Matters More Than $1,200.

In short, a research team did some polling and found that 35% of the people they asked expected the IRS would contact them by email regarding future Economic Impact Payments. That’s over one third of people who, upon seeing a message from the IRS in their inbox, would not immediately recognize the attempted deception.

This is despite the IRS repeating “we won’t email you” like a mantra, despite hundreds of articles written about how the IRS won’t email you (I’ve penned a few myself), despite warnings of email scams going after the previous payments, despite the fact that they didn’t email anyone the first time around in 2020.

Therefore I want to remind you now: don’t be one of that 35%. The IRS isn’t going to email you, about future payments when and if they occur, or about anything else.