Don’t you have a computer science/IT background? Literally anybody can set up an HTTPS server. That’s absolutely meaningless in terms of the legitimacy of a website. It’s like saying “That business has locks on it’s doors, so it must be legitimate.”
Was this at work?
Cuz when you started the story, I sorta pictured you walking behind someone on the sidewalk or some other public area … in my head, now suddenly you’re pouring three days into fixing this random person’s shit?
I assume my initial assumption was incorrect.
Most people are expecting something off Amazon these days. That’s an easy “gimme.”
But in my case (I’m not the O.P. I’m just piggybacking shamelessly) I had just gotten a “missed delivery” note - complete with barcode - from the actual ferrealz USPS.
Which I’ve never gotten before. Anyone who’s shipped me stuff until now knows my exact address. (Hi, Mom!)
However, because SDMB (the shot glass exchange) I was expecting a package from someone who’s never sent me anything before.
HELLA coincidence.
Yes, it was at work. Also, the person I was walking behind was my dad (family business).
Also, everything on his computer (and the other computers here) are now all backed up to 4 places. Google Drive, an onsite NAS, an offsite NAS and another cloud service.
I have been getting them as well. Scam, all the way. I just delete them before opening (and block the number, but that does not seem to work in this case) - I don’t want the scammer to know there is a live person at my phone number.
Wouldn’t the easiest solution be to just contact USPS directly and ask about the package?
I get these every now and then. Most of the time they don’t even bother trying to make their email or URL look legit. It’s usually just from some obvious throwaway Gmail account.
If your gonna be a scammer at least put in the minimal effort!
Their target audience is people too dumb to cause any real problems.
Exactly. Why try hard when there is so much low-hanging fruit to harvest.
Can we all agree that “SMISHING” is a terrible word and should be nuked from orbit? I’ve never seen it before this thread.
Trademark USPS.
I get online security trainings at work every quarter about smishing attacks. It’s a mash up of “SMS” and “phishing”.
You might consider that the text you saw on the screen isn’t what the link actually pointed to (your cutting and pasting would likely have stripped that out).
https://safefakesite.zzz
This is true, but TLS certificates can be free and provisioned in under 2 minutes once you have a domain.
You can automate the purchase of a domain (using a stolen credit card of course), provision a certificate, deploy your phishing site, and send out a batch of emails. This gets shut down 24 hours later and you later, rinse, repeat.
Just so you know, this one, and related ones (FedEx especially) come up frequently in our Scam Omnibus thread. Most recently, I mentioned it came up again for me on 10/10/2023:
I have received several of these. I never open them, but I do reply “Liars” or something like that sometimes before I delete them. It probably doesn’t even get read by anyone, but it makes me feel better anyway.
My boss fell for this very thing yesterday. He gave them information and only stopped responding when he was told he needed to pay 0.030 cents for a postage shortage. He was so mad at himself this morning when I got to work.
Oh no, we have a scam aceplace! The real aceplace would have known!
My background is business computing. Primarily HR and Payroll systems. Mainframes and Vax Clusters.
I’ve avoid Web programming. I already had a niche and good job. I don’t need extra work added to my busy day.
I know Https is a secure server. I didn’t think about a spammer running his own. It’s not my wheelhouse.
It’s not even so much “running his own” as “renting his own from some random hosting provider.”
There are kits of web software you can drop into any compatible rented host and at worst have to tailor to look like your target, but most of the tailoring is pre-done by the bad guys creating and selling those hosting kits.
It’s pretty slick. Ready to use hacking.
I need to read more about it. At least know their capabilities.
From Skywatcher’s link:
Hey, why does the Postal Inspector Service get a gov domain but the Postal Service itself only gets a com domain?