I was waiting for the courier and almost fell for the “Poczta Polska” scam. “The spaghetti plate method”

The scammer tried to phish my data using the “Poczta Polska” method. On the same day I was waiting for the courier who was supposed to deliver a parcel to me. I almost gave the scammer my details and let him wipe out my bank account. – I think there’s a timing coincidence. Phishing campaigns are massive. This is the “spaghetti plate method” – if you throw it against the wall, something will stick to it – said Iwona Prószyńska, a cybersecurity expert from CERT Polska, in an interview with Gazeta.pl.

At the beginning of May, I placed an order in a popular online store. The device I wanted to buy was not available in my city, so I had to wait for the staff to search warehouses in Poland for me. It took a good few days. When the device was found, I paid and chose the delivery date. I checked the accuracy of the data I provided several times to avoid unpleasant situations. After all, no one likes to wait a long time for their shipment, and providing wrong data could significantly extend the delivery. I’ve had a few incidents with couriers in the past, but this time it wasn’t the courier’s fault. Why am I explaining all this? More on that in a moment.

Post Office scam. I almost got taken in

I agreed with the store that the parcel should reach me on a given day between 9:00 and 19:00. So I waited at home – I must admit that I really wanted the device I ordered, which, as it turned out, is not so easily available. However, at 9:30 am, I unexpectedly received a text message saying that the delivery of my package had been stopped due to a wrong address. I was also asked to give my home address again. There was a link in the text message (we’re covering it for security reasons) that directed me to a page purporting to belong to , where I could enter my details. I read there that the courier would then try to deliver the parcel to me again, and the sooner I provided the details, the better for me.

The scammer wrote to me, pretending to be the Polish Post. Dominik Moliński / Gazeta.pl

I must admit that I was annoyed with the whole situation – that day, before starting work, I wanted to take care of a few things in the city. Ultimately, emotions took over – I clicked on the link and entered my data in the form on the website: my name and surname and my exact address, as well as my telephone number and e-mail address. Then the second form came up and I wondered how long it would take to fill in all the boxes. I read that I had to pay a small fee because the courier could not deliver the parcel the first time. I thought to myself: “Okay, I’ll pay the few zlotys. I want to get this over with.” Only at the last moment did I realize that I was providing the card number and its expiration date, although the link to the page looked suspicious. But it was only at the very end that I noticed the most important thing – the website resembled the website of Poczta Polska, and yet the package was to be delivered to me by an InPost courier.

I was waiting for the package. Then the scammer wrote to me

I put down the phone, hid the payment card and for a moment I had doubts, but after a few minutes I realized that a scammer had written to me and I had almost fallen for it. After all, I have shopped online many times and no one expected me to provide such sensitive data in such a situation. Anyway, under no circumstances should you provide your PESEL number or payment card numbers. I have written about fraud many times on the pages of next.gazeta.pl, and now I was close to falling victim to the “Poczta Polska” scam. I was a moment away from having a scammer wipe out my bank account or take out a loan in my name. I’m kind of ashamed to admit it, but I’ve come to understand that it can happen to anyone.

The Polish Post has often warned against this type of scam. “Never respond to requests for personal information, passwords and/or account logins. Watch out for errors in link content (e.g. reversed order of letters or substitution of other letters, numbers), if you find one, it’s probably a scam” – . In the message, the Post also provided several examples. Fraudsters can replace characters with others that look very similar, e.g. the number 1 for a lowercase letter “L”, or the uppercase letter “i” for a lowercase “L”. However, in my case, when emotions prevailed in a hurry, I simply did not notice these small details.
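The link check described above (swapped letters, substituted lookalike characters) can be automated. The sketch below is an added example, not code from the article, CERT Polska or Poczta Polska; the `.example` domains and the sample links used with it are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: placeholder names standing in for the senders a reader trusts.
TRUSTED = ("poczta-polska.example", "inpost.example")

# Lookalikes named in the article: digit 1, letter i/I and lowercase l are
# folded to "l"; digit 0 for "o" is an extra pair added here.
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(name):
    """Lower-case a name and collapse easily confused characters."""
    return name.lower().translate(FOLD)


def osa_distance(a, b):
    """Edit distance in which swapping two adjacent characters costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "zc" written instead of "cz".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a link."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less links
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    hit = "unknown"
    for good in TRUSTED:
        # Compare only as many trailing labels as the trusted name has,
        # so "www.inpost.example" is matched on "inpost.example".
        tail = ".".join(labels[-(good.count(".") + 1):])
        if tail == good:
            return "trusted"
        # Same look after folding, or one edit/swap away: likely imitation.
        if osa_distance(skeleton(tail), skeleton(good)) <= 1:
            hit = "lookalike:" + good
    return hit
```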

Phishing is still very effective. Expert from CERT Polska: Scammers are smart, but we have to be smarter

But how could the scammer know that I was waiting for a parcel from the courier that day? – I think there is a timing coincidence here, because phishing campaigns [impersonating another person or institution – editor’s note] are of a mass nature and reach many people at the same time – said Iwona Prószyńska from CERT Polska, a team that monitors the situation in cyberspace and responds to incidents, in an interview with Gazeta.pl. The cybersecurity expert explained to me that phishing campaigns are simultaneously targeted at several hundred thousand and even several million people. – Statistics say that every time a fraudster will come across someone who is waiting, for example, for a package. This is the “spaghetti plate method” – if you throw it against the wall, something will stick. There will always be a person who is in such a situation to whom the cybercriminal’s message will refer. This is the power of phishing, i.e. social engineering and favorable circumstances – she stressed.

Iwona Prószyńska also reminded about the recently published CERT Polska report entitled: “”. – Last year, we collected 322 thousand submissions. This translated into over 39 thousand handled incidents, of which over 25,000 were phishing – explained the expert. – In addition to the fact that cybercriminals are perfecting techniques in the field of psychology and new elements appear to lull our vigilance, scammers’ websites are so well prepared that even people who know about cybersecurity often fall for the scam – she noted.

How can we protect ourselves against phishing? Of course, you should pay attention to every detail in the message you receive from a scammer, but as my case showed, you also need to keep your cool. – Cheaters are smart, but we need to be smarter. Education is the key. If we are aware that there is still so much phishing that we need to pay attention to, we will be able to fight it more effectively – said the expert from CERT Polska.

Iwona Prószyńska reminded that by reporting suspicious links, we also protect others from scammers. – At CERT Polska, we always reply to text messages with links. If the link leads to a phishing site, we put it on the warning list, which leads to its blocking, thus protecting other people. In 2022, we blocked a total of over 20 million attempts to enter fraudulent websites, which were entered on the list thanks to the notifications and proactive actions of CERT Polska analysts. This result shows that 20 million times we saved someone from unpleasant consequences – emphasized the cybersecurity expert.

Source: Gazeta
