UPS discloses data breach after exposed customer info used in SMS phishing

Multinational shipping company UPS is alerting Canadian customers that some of their personal information might have been exposed via its online package look-up tools and abused in phishing attacks.

At first glance, the letters sent by UPS Canada, titled "Fighting phishing and smishing - an update from UPS," seem to be a warning to customers about the dangers of phishing.

However, it turns out that this is actually a data breach notification, with the company sneaking in a disclosure stating that it has been receiving reports of SMS phishing messages containing the recipients' names and address info.

"UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered," UPS said in a letter shared by Emsisoft threat analyst Brett Callow.

"Breach notifications need to be absolutely clear about what they are from the get-go. Fluffing them out helps nobody and simply increases the chances that they'll be put in the garbage unread," Callow told BleepingComputer.

After receiving the phishing reports, UPS worked with partners within the delivery chain to understand the method used by the threat actors to harvest their targets' shipping information.

Following an internal review, UPS found that the attackers behind this ongoing SMS phishing campaign were using its package look-up tools to access delivery details, including the recipients' personal contact information, between February 2022 and April 2023.

The company has now implemented measures designed to restrict access to this sensitive data to thwart these convincing phishing attempts.

UPS says it's notifying individuals whose information may have been affected to ensure transparency and awareness of the situation.

"The information available through the package look-up tools included the recipient's name, shipment address, and potentially phone number and order number," UPS said.

"We cannot provide you with the exact time frame that the misuse of our package look-up tools occurred. It may have affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023."

UPS customers worldwide have been affected by these phishing attacks, as shown by online reports showing the threat actors using their names, phone numbers, and postal codes, as well as info on recent orders.

According to numerous malicious text messages seen by BleepingComputer and believed to be sent during this campaign, the threat actors are impersonating LEGO and Apple shipments, with other companies likely also impacted.

A UPS spokesperson was not immediately for comment when contacted by BleepingComputer earlier today regarding the number of affected customers and what other shippers were impersonated in the attacks.

In September and July, the Internal Revenue Service (IRS) and the Federal Communications Commission (FCC) warned Americans of a massive rise in SMS phishing attacks.

The two federal agencies asked them to be wary of text messages coming from unknown numbers with suspicious links and often containing misleading and incomplete information.

To defend against such attacks, you should never click links embedded in suspicious messages or reply with sensitive information.

---

Update: An UPS spokesperson shared the following statement after the article was published:

We are constantly vigilant when it comes to phishing and other attempts from bad actors. UPS is aware of reports relating to an SMS phishing (“Smishing”) scheme focused on certain shippers and some of their customers in Canada. UPS has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it. Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries.

Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted. We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting Fight Fraud | UPS - Canada.