Table of Contents
Many people have received messages SMS on behalf of post offices, claiming that items purchased online are being held, and require a fee to be paid to be released. The practice has been known as “Post Office scam” and has already claimed several victims across the country. Today we will explain how this scam works and what to do to avoid it. Just take a look:
How the scam works
Cybercriminals are taking advantage of the recent import tax, popularly known as “blouse fee“, to apply a new scam using the name of post offices.
The scam involves sending messages via SMS, in which criminals claim that a product purchased abroad is being held and that payment of taxes is required to release delivery. A link in the message directs the victim to a fake website, which imitates the official website of the Post Office in appearance, colors and logos, to give the impression of legitimacy.
According to ESET (Essential Security against Evolving Threats), a multinational company specializing in proactive threat detection, the scam employs social engineering techniques to collect personal data that can be sold on Dark web or used in illicit activities. This scam also facilitates the theft of money through instant payments via Pix, which can make recovering value more difficult.
Many of the SMS messages indicate that the criminals have some of the victims' personal information, as many of them refer to them by their first name, which gives the scam even more credibility if people are not careful.
Daniel Barbosa, Information Security Researcher at ESET Brazil
The fake website guides victims through the next steps, which include a delivery mechanism and a tracking number. Barbosa goes on to state that it is possible to note that the tracking number actually exists on the real Correios website, referring to an item posted in February and held since May, awaiting payment. This demonstrates how criminals seek to insert real elements into the fake process, increasing the credibility of the approach and inducing people to believe in the fraud.
The website then displays a button that asks the victim to provide information such as email, telephone, full name and CPF. This data allows criminals to create different types of records and to still approach the same victims in future fraud attempts. To increase the perception of credibility, criminals implemented a validation in the CPF field, which prevents victims from entering a random number to continue the process.
After filling in the data, the website requests the payment via Pix, inserting a time limit to create a sense of urgency in the victim.”By analyzing the QR Code, it is possible to identify that the beneficiary is another company, and not the Post Office, as would be expected in a legitimate payment of import fees.“, highlights the researcher.
The expert emphasizes that, despite all the elements that seek to imitate the truth, at no time do the communications on the fake website provide the official link of the Post Office. false message, which pretends to be the postal service company, began circulating a few weeks ago, on the eve of the new tax coming into effect. This reflects a worrying trend of increasing scam attempts, taking advantage of recent dates and events to deceive victims.
All of the scam attempts we have identified so far have occurred via SMS. However, this does not mean that this is the only means of contact used by criminals. This type of message can also be sent via apps such as WhatsApp and Telegram, as well as via email.
Daniel Barbosa, Information Security Researcher at ESET Brazil
How to protect yourself
It is possible to avoid the scam by paying attention to some points, such as those we will see below:
Avoid clicking on links
Clicking on links provided in suspicious emails or messages — such as the SMS messages in this new scam — can compromise the security of your device and its personal information. As we have seen, these links often lead to fraudulent websites that imitate legitimate pages to steal sensitive data.
Everlasting insert manually the address of the Post Office website (which is www.correios.com.br) in your browser instead of clicking on links provided in emails or messages. This helps ensure that you are accessing the correct page and not a fake version created to trick users. Also, avoid downloading files or opening attachments from unknown messages, as they may contain malicious technology.
Analyze emails
Upon receiving emails related to orders or deliveries, carefully analyze the sender and the content of the message. Check that the email address matches the domain postal officer and look for grammar or formatting errors, which could indicate a fraudulent message — a common indicator. Legitimate emails usually have a professional tone and clear, accurate information.
Do not click on links ou download email attachments that seem suspects or have not been requested by you. If you have any doubts about the veracity of the email, please contact the post offices through official channels to confirm the authenticity of the communication. Be wary of emails and messages that create a sense of urgency to pressure you to act quickly.
Confirm contact details
To avoid becoming a victim, always confirm the contact details provided in any message you receive. If an email or message claims to be from the Post Office and asks for personal or financial information, verify the authenticity of the contact details before providing any information. Use the official channels of the post offices such as website or the Phone, to confirm that the communication is legitimate.
Track orders on the Correios website or official app
To ensure that your orders are being tracked safely, please use only the official website of the Post Office or the official app — available for Android e iOS (iPhone) — to check the status of your deliveries.
These channels are reliable and provide up-to-date information on the progress of your orders. Avoid using unverified third-party tracking sites as they may be fraudulent.
When tracking your parcels, manually enter the tracking number provided by the delivery service on the official website or app. This helps ensure that you are accessing the correct platform and avoids the possibility of falling for scams that imitate the official tracking service.
What to do if you are a victim?
General guidelines on what to do if you have been the victim of a scam:
Pix refund
If you are the victim of a scam involving a payment made by Pix, refunding the amount can be a bureaucratic process. The Pix system, as an instant payment method, does not have an automatic refund mechanism for fraudulent transactions. The first action to be taken is toget in touch immediately with your bank to report what happened.
Banks often have procedures in place to deal with fraud and may attempt to help recover the amount transferred, although the success of such recovery is not guaranteed and will depend on a number of factors, such as the time elapsed since the transaction and the cooperation of the banks involved.
O central bank advises you to contact your bank as soon as possible to inform them of what happened and request the return of amounts. Then, if necessary, file a complaint providing all the information, evidence and documents, including the police report.
With your report, the bank must register a notification of violation in the Central Bank system, the alleged scammer's bank will block the amounts and both institutions will have time to evaluate the case in detail.
After 7 days, if the scam or fraud is proven, your money will be returned within 96 hours. If there is not enough money to make a full refund, within a maximum period of 90 days from the original transaction, the recipient's relationship institution must monitor the account and, if funds appear in the account, must make partial refunds.
We have already explained more about this subject in a special article on Pix refund, be sure to check it out.
Police report
O Police report (or popularly known as BO) can be registered in different ways, depending on the state and the severity of the situation. For cases such as the postal scam, it is often possible to register the BO through Internet.
Most states have an Electronic Police Station, where citizens can access the Civil Police website and fill out a form detailing what happened. After filling it out, the report is analyzed and, if approved, the document is sent by email.
Check out the complete list of links according to each state:
- Acre (AC): Acre Electronic Police Station
- Alagoas (AL): Electronic Police Station of Alagoas
- Amapá (AP): Electronic Police Station of Amapá
- Amazonas (AM): Amazonas Electronic Police Station
- Bahia (BA): Bahia Digital Police Station
- Ceara (CE): Electronic Police Station of Ceara
- Federal District (DF): Electronic Police Station of the Federal District
- Holy Spirit (ES): Online Police Station of Espírito Santo
- Goiás (GO): Virtual Police Station of Goiás
- Maranhao (MA): Maranhão Virtual Police Station
- Mato Grosso do Sul (MS): Online Police Station of Mato Grosso do Sul
- Minas Gerais (MG): Virtual Police Station of Minas Gerais
- Pará (PA): Pará Virtual Police Station
- Paraíba (PB): Paraíba Online Police Station
- Paraná (PR): Electronic Police Station of Paraná
- Pernambuco (PE): Electronic Police Station of Pernambuco
- Piauí (PI): Electronic Police Station of Piauí
- Rio de Janeiro - RJ): Electronic Police Station of Rio de Janeiro
- Rio Grande do Sul (RS): Online Police Station of Rio Grande do Sul
- Rondônia (RO): Rondônia Virtual Police Station
- Roraima (RR): Roraima Virtual Police Station
- Santa Catarina (SC): Santa Catarina Virtual Police Station
- Sao Paulo-SP): Electronic Police Station of Sao Paulo
- Sergipe (SE): Sergipe Online Police Station
- Tocantins (TO): Electronic Police Station of Tocantins
About ESET
For more than 30 years, ESET offers advanced digital security solutions, combining AI and human expertise to prevent known and emerging cyberattacks. Its protection tools for endpoints, cloud and mobile are effective and easy to use, with robust detection, secure encryption and multi-factor authentication.
The company offers 24/7 defense and local support, ensuring continuous security for users and businesses, and invests in cutting-edge research and threat intelligence with a strong global network of partners.
Have you ever been involved in this scam? Do you know anyone who has? Tell us about it. Comment!
See also:
Pix arrives at Google Wallet. See how it works
reviewed by Victor Pacheco in 04 / 09 / 2024.
Discover more about Showmetech
Sign up to receive our latest news via email.