Monday, February 27, 2017

PSA for UPS customers: beware of phishing after a LiveChat session

I bow to no man or woman when it comes to the level of misery I’ve encountered when the online whatever I’ve ordered is coming UPS. Oh, most of the time it works out okay. I pay for MyChoice, which lets me direct packages to the UPS Store around the corner. I don’t have to worry about being around to receive a delivery, and I don’t need to worry about it being left on the doorstep on a well-traveled street that thousands of people walk by on the average day. (A couple of years ago, I devoted a screed post to just one of my experiences with UPS. That sinking feeling I always get when the package is coming via UPS…)

I really do want to like UPS. A kabillion people work for them, the pay and bennies are supposed to be good, and the UPS folks I’ve dealt with have been almost uniformly pretty darned good. So I honestly don’t want them to be replaced by robots and drones. Cross my heart and hope to die trying to take delivery of an online order.

My most recent experience with UPS occurred last week.

I had ordered some clothing from a new place and – ugh – saw that they used UPS all the way. Fingers crossed, I directed the package to be delivered to the UPS Store on Charles Street. But when I hadn’t received any notification, I tried to track it down.

For some mysterious reason, it could not be delivered to Charles Street, so UPS made a (bad) decision to try to bring it directly to my place. Door locked. No one home. Package now in some infinite loop that I can’t figure out.

While this should have been simple enough - I mean, there is all that scanning and tracking technology out there – I ended up on multiple phone calls (mostly in which I was, admittedly and apologetically, venting my spleen). And on multiple chat sessions via UPS LiveChat.

Shortly after the first chat session, I received an email ostensibly from “UPS My Choice”, but really from some scam artists at <ups20@rnmk.com> telling me:

You shouldn't have to worry about whether or not you'll be home when your package arrives.  UPS My Choice membership offers you an option that helps you manage your most valuable commodity--your time.

Click here to learn how to take control of your deliveries.

Despite my pique – which was considerable – I cannily recognized a fishing expedition when I saw one. (Thanks in part, I suppose, to the quarterly security eLearning training that one of my clients requires me to go through so that I can use their email and other systems.)

So, I did not “click here”. After all, I already am a UPS My Choice subscriber. And if ever a URL looked phony – Russkie, even – it would be rnmk.com. A quick google confirmed that they do a lot of customer support phishing aimed at a number of well-known companies. (No info on UPS, however.)

But it would have been easy enough to click through. And if I hadn’t already been a UPS My Choicer, I could have easily signed up and given them my credit card info, etc.

Good little citizen of the world that I am, I forwarded the email off to the UPS Fraud Protection address listed on the UPS site. And received this in response:

Thank you for forwarding this information to us. The e-mail you received is not a legitimate UPS communication, nor was it sent through or by our system.

Our UPS fraud group is aware of this malicious e-mail. Please do not select any links or open any attachments in the e-mail as they may contain a virus. Since UPS has all of the information we need, we recommend that you permanently delete the e-mail.

We appreciate you taking the time to make sure we were aware of the situation. 

Same thing happened after my second chat session: the bogus email, followed by my passing it along to UPS.

But here’s my question to UPS:

If you’re aware that customers using your chat support are being sent phishing emails, WHY DON’T YOU HAVE AN AUTOMATIC WARNING e-MAIL SENT OUT TO THEM WHEN THEY INITIATE A CHAT SESSION. Something along the lines of what to do when you get an email from @rnmk.com. Don’t click, delete it, report it to us.

You know you’ve been hacked, UPS. It seems to me that it would be easy enough to let your customers know that they’re potential victims of a scam.

Maybe they don’t want to admit that they’ve been hacked, but still.

I’m sure that some of their customers have been suckered. I could easily have been.

I’m ticked off enough about the package problema. Image how I’d feel if I’d given my credit card number to one of Vladimir Putin’s cronies?

1 comment:

Rick T. said...

Right about UPS, and many other companies. They are great about warning you about things that are obviously fishy (phishy?) that you are warning them about first.

I have a Hotmail address in which I regularly get fake mail claiming to be from the "Hotmail Team" or the "Outlook Team" (just a new name for Hotmail) with a "sent by" email address that is obviously not one that Hotmail would use. Of course it asks me to "verify" the account by reentering my password, etc. There is an easy way to let Hotmail know that a given email (any kind, including emails from banks I have never had an account in, and so forth) is fraudulent. So I click that, and they thank me for letting them know.

But surely Hotmail itself should know when something purporting to be from Hotmail is obviously not. How hard can it be for them to prevent it from being delivered to anybody's account as soon as it hits their first server?