Understand how the “post office scam” works and how to protect yourself from it. The new tactic involves sending SMS messages to real owners of packages who make improper payments. Understand

Understand how the “Post Office scam” works and how to protect yourself from it

lucas gomes avatar
New tactic involves sending SMS messages to real owners of orders that make improper Pix payments. Understand

Many people have received messages SMS on behalf of post offices, claiming that items purchased online are being held, and require a fee to be paid to be released. The practice has been known as “Post Office scam” and has already claimed several victims across the country. Today we will explain how this scam works and what to do to avoid it. Just take a look:

How the scam works

Understand how the scam has been applied. Image: eset postal scam
Understand how the scam has been carried out. Image: ESET

Cybercriminals are taking advantage of the recent import tax, popularly known as “blouse fee“, to apply a new scam using the name of post offices.

The scam involves sending messages via SMS, in which criminals claim that a product purchased abroad is being held and that payment of taxes is required to release delivery. A link in the message directs the victim to a fake website, which imitates the official website of the Post Office in appearance, colors and logos, to give the impression of legitimacy.

According to ESET (Essential Security against Evolving Threats), a multinational company specializing in proactive threat detection, the scam employs social engineering techniques to collect personal data that can be sold on Dark web or used in illicit activities. This scam also facilitates the theft of money through instant payments via Pix, which can make recovering value more difficult.

Many of the SMS messages indicate that the criminals have some of the victims' personal information, as many of them refer to them by their first name, which gives the scam even more credibility if people are not careful.

Daniel Barbosa, Information Security Researcher at ESET Brazil

The fake website guides victims through the next steps, which include a delivery mechanism and a tracking number. Barbosa goes on to state that it is possible to note that the tracking number actually exists on the real Correios website, referring to an item posted in February and held since May, awaiting payment. This demonstrates how criminals seek to insert real elements into the fake process, increasing the credibility of the approach and inducing people to believe in the fraud.

Fake website about orders. Image: eset
Fake ordering website. Image: ESET

The website then displays a button that asks the victim to provide information such as email, telephone, full name and CPF. This data allows criminals to create different types of records and to still approach the same victims in future fraud attempts. To increase the perception of credibility, criminals implemented a validation in the CPF field, which prevents victims from entering a random number to continue the process.

A little more about the fake website. It tries to replicate the original postal service website. Image: eset
A little more about the fake website. It tries to replicate the original Correios website. Image: ESET

After filling in the data, the website requests the payment via Pix, inserting a time limit to create a sense of urgency in the victim.”By analyzing the QR Code, it is possible to identify that the beneficiary is another company, and not the Post Office, as would be expected in a legitimate payment of import fees.“, highlights the researcher.

Fake payment screen. Image: eset
Fake “Pix dos Correios” payment screen. Image: ESET

The expert emphasizes that, despite all the elements that seek to imitate the truth, at no time do the communications on the fake website provide the official link of the Post Office. false message, which pretends to be the postal service company, began circulating a few weeks ago, on the eve of the new tax coming into effect. This reflects a worrying trend of increasing scam attempts, taking advantage of recent dates and events to deceive victims.

This is the legitimate address and page of the post office. Image: eset
This is the legitimate address and page of the Post Office. Image: ESET

All of the scam attempts we have identified so far have occurred via SMS. However, this does not mean that this is the only means of contact used by criminals. This type of message can also be sent via apps such as WhatsApp and Telegram, as well as via email.

Daniel Barbosa, Information Security Researcher at ESET Brazil

How to protect yourself

It is possible to avoid the scam by paying attention to some points, such as those we will see below:

Understand how the “post office scam” works and how to protect yourself from it. The new tactic involves sending SMS messages to real owners of packages who make improper payments. Understand
The most important thing about this scam is to avoid clicking on links sent by unknown SMS. Image: Reproduction/Metrópoles

Clicking on links provided in suspicious emails or messages — such as the SMS messages in this new scam — can compromise the security of your device and its personal information. As we have seen, these links often lead to fraudulent websites that imitate legitimate pages to steal sensitive data.

Everlasting insert manually the address of the Post Office website (which is www.correios.com.br) in your browser instead of clicking on links provided in emails or messages. This helps ensure that you are accessing the correct page and not a fake version created to trick users. Also, avoid downloading files or opening attachments from unknown messages, as they may contain malicious technology.

Analyze emails

It is also very important to check whether the emails you receive are trustworthy. Image: office1
It is also very important to check whether the emails you receive are trustworthy. Image: Office1

Upon receiving emails related to orders or deliveries, carefully analyze the sender and the content of the message. Check that the email address matches the domain postal officer and look for grammar or formatting errors, which could indicate a fraudulent message — a common indicator. Legitimate emails usually have a professional tone and clear, accurate information.

Do not click on links ou download email attachments that seem suspects or have not been requested by you. If you have any doubts about the veracity of the email, please contact the post offices through official channels to confirm the authenticity of the communication. Be wary of emails and messages that create a sense of urgency to pressure you to act quickly.

Confirm contact details

Confirm the identity of the contact sender. Image: webid
Confirm the sender's identity if you receive a “mail from the post office”. Image: WebID

To avoid becoming a victim, always confirm the contact details provided in any message you receive. If an email or message claims to be from the Post Office and asks for personal or financial information, verify the authenticity of the contact details before providing any information. Use the official channels of the post offices such as website or the Phone, to confirm that the communication is legitimate.

Track orders on the Correios website or official app

Always access the postal service website or app (links below) to make sure you are safe. Image: Lucas Gomes, SMT
Always access the Correios website or app (links below) to make sure you are safe. Image: Lucas Gomes, SMT

To ensure that your orders are being tracked safely, please use only the official website of the Post Office or the official app — available for Android e iOS (iPhone) — to check the status of your deliveries.

These channels are reliable and provide up-to-date information on the progress of your orders. Avoid using unverified third-party tracking sites as they may be fraudulent.

When tracking your parcels, manually enter the tracking number provided by the delivery service on the official website or app. This helps ensure that you are accessing the correct platform and avoids the possibility of falling for scams that imitate the official tracking service.

What to do if you are a victim?

General guidelines on what to do if you have been the victim of a scam:

Pix refund

Pix refunds can be bureaucratic but they are possible. Image: infomoney
Pix refunds can be bureaucratic but they are possible. Image: InfoMoney

If you are the victim of a scam involving a payment made by Pix, refunding the amount can be a bureaucratic process. The Pix system, as an instant payment method, does not have an automatic refund mechanism for fraudulent transactions. The first action to be taken is toget in touch immediately with your bank to report what happened.

Banks often have procedures in place to deal with fraud and may attempt to help recover the amount transferred, although the success of such recovery is not guaranteed and will depend on a number of factors, such as the time elapsed since the transaction and the cooperation of the banks involved.

O central bank advises you to contact your bank as soon as possible to inform them of what happened and request the return of amounts. Then, if necessary, file a complaint providing all the information, evidence and documents, including the police report.

With your report, the bank must register a notification of violation in the Central Bank system, the alleged scammer's bank will block the amounts and both institutions will have time to evaluate the case in detail.

After 7 days, if the scam or fraud is proven, your money will be returned within 96 hours. If there is not enough money to make a full refund, within a maximum period of 90 days from the original transaction, the recipient's relationship institution must monitor the account and, if funds appear in the account, must make partial refunds.

We have already explained more about this subject in a special article on Pix refund, be sure to check it out.

Police report

Have you been scammed? File a police report online. Image: federal government
Have you been a victim of the “Post Office SMS”? File an online police report. Image: Federal Government

O Police report (or popularly known as BO) can be registered in different ways, depending on the state and the severity of the situation. For cases such as the postal scam, it is often possible to register the BO through Internet.

Most states have an Electronic Police Station, where citizens can access the Civil Police website and fill out a form detailing what happened. After filling it out, the report is analyzed and, if approved, the document is sent by email.

Check out the complete list of links according to each state:

About ESET

Data and information provided by eset. Image: ax4b
Data and information provided by ESET. Image: ax4b

For more than 30 years, ESET offers advanced digital security solutions, combining AI and human expertise to prevent known and emerging cyberattacks. Its protection tools for endpoints, cloud and mobile are effective and easy to use, with robust detection, secure encryption and multi-factor authentication.

The company offers 24/7 defense and local support, ensuring continuous security for users and businesses, and invests in cutting-edge research and threat intelligence with a strong global network of partners.

Have you ever been involved in this scam? Do you know anyone who has? Tell us about it. Comment!

See also:

Pix arrives at Google Wallet. See how it works

reviewed by Victor Pacheco in 04 / 09 / 2024.


Discover more about Showmetech

Sign up to receive our latest news via email.

Leave a comment

Your email address will not be published. Required fields are marked with *

Related Posts