Monday, January 22, 2007

"Fed-Ex" Social Engineering / ID Theft Scam?

At 7am this morning I was woken up by the phone ringing. I didn't make it to the phone in time, and it rang off. "Who the hell is ringing me at 7am?" I thought, in my usual semi-comatose, semi-neanderthal pre-coffee state, but a 1471 said "we do not have the caller's number". Hmmm....

Twenty minutes later it rang again. This time I got there in time to pick up -

"Hello?" I said.
(Well, admittedly, at that time in the morning it was probably more like "blrglhmph?", but you'll have to perform the necessary transliterations yourself for the rest of this transcript)

A man with a very strong Indian-type accent replied:
"Hello, can I speak to Mr. Alistair Davidson?"

"Speaking..."

"Is your address [my address and postcode] ?"

"Yes...."

"This is Fed-Ex, we have a package to deliver to you this afternoon"

"Oh ok..." ...so why do you need to ring me at 7am about it? I thought

"I need to confirm some security details - can you give me Mr Alistair Davidson's date of birth?"

Now at this point my tinfoil-hat alarm bells started ringing -

  • why would Fed Ex possibly want my date of birth in order to deliver a package?

  • come to think of it, how would they know my telephone number?

  • in fact, how did I know this guy was from Fed Ex at all? He said he was calling from Fed Ex, but I could ring up anyone at random and claim to be Kylie Minogue, it wouldn't make it true...



I decided to play it cautious -

"Why do you need my date of birth?" I asked

"I need to confirm these security details to deliver the package" he said

"Well I'm not going to give that information out," I replied

"But we won't be able to deliver this package" he was starting to get a little tell-tale this-isn't-the-way-it's-supposed-to-go tone of voice

"Ok," I paused, thinking - in fact, how did they get my number? I've never sent anything by Fed-Ex, but I'm fairly sure they won't require any information about the addressee other than the address? Now I was really suspicious - time to challenge back....

"So who's this package from?" I asked

"Er - it's a cash, door-to-door delivery, I can't tell you who it's from" he replied. Well, I'll give him a 5.7 on artistic impression for speedy improvisation, I thought, but there was a definite hesitation there, for which the Russian judges would mark him down on technical merit. Besides, if they'll happily accept packages for delivery without any information about the sender, then they certainly wouldn't need to know anything about the recipient

"So can you tell me Mr Alistair Davidson's date of birth?" he returned to what I was increasingly convinced was his script.

"No, I'm sorry, I'm not going to give that information out," I said firmly.

...and he hung up on me. A swift 1471 showed that he'd suppressed the number before he called.

OK, so there's a couple of possibilities here -

  1. He really was from Fed Ex, and they really do have a policy of incredibly bizarre security procedures, ringing their addressees up at 7am, and hanging up on their customers. Call me Mr Idealistic, but I think that's unlikely

  2. He, or an associate, got my name and address from somewhere - maybe from something as simple as a spam letter I threw away, or come to think of it, I'm in the phone book - and decided to try some phishing.


If I was a betting man, I'd put money on the second.

Which makes me wonder -

  • Does he / do they normally try this on US numbers? We don't really do Fed-Ex here in blighty, any delivery is far more likely to be via Parcel Force or even UPS.

  • Do they (I'll assume for now that there's more than one of these scammers) deliberately call early in the morning, to get people while they're fuzzy and bleary and not thinking straight?

  • How many other people have they managed to get identity details from like this?


I'm a suspicious sod, and paranoid about my personal information - it's a known side effect of having worked in "teh intarweb" for too long :-) - but I know plenty of people - like my mum - who will be incredibly dubious about giving their credit card details to an online retailer, but will quite happily answer any question asked by any random punter who rings them up and says "hi, this is (say) HSBC, can we check your account number and sort-code please?"

It's a sad fact that the weakest link in any security system is the people involved, and until there's a fundamental shift in human nature, that's unlikely to change any time soon.

22 comments:

Mark D said...

This definately sounds dodgy as wotsit. The SCOUNDREL (as Russell Brand would say)

Alistair Davidson said...

I found myself in a quandary after this - torn between on the one hand, telling people so that they stop and think for a second if they're caught bleary-eyed at 7am, but on the other hand - really REALLY wanting to avoidn sending one of those "Please forward to everyone you know! This is not a joke!" bloody scam-alert emails...

IN the end I settled for blogging it - hey, (man) blogging IS telling the whole world about it, right?

Anonymous said...

My wife gets so much stuff off line the Fed Ex guy got a Christmas card this year. :)

Here in the US I've never had a call like that from Fed Ex and I would never give out personal information (if they do ask for something personal, I always ask the to read me their privacy policy - that usually ends that).

If they needed verification, they would ask you for ID in person.

Sounds like thieves that flunked out of email phishing school.

Alistair Davidson said...

That's what I thought - thanks for the confirmation Brandon

Tom Chiverton said...

You should report this, to your phone provider, BT, OffCom or similar. Their next victim may not be so lucky or as informed as you, and just because you can't 1471 doesn't mean the phone company can't.
'Cause it was probably from a PAYG mobile with time bought for cash, but you never know, some criminals are stupid.

Alistair Davidson said...

Hmm, I might just do that tonight, Falken - if anything else happens, I'll post an update

Anonymous said...

Fed Ex just informed me that the package of cash I was sending you has ben refused by the adressee.

I will send again. please post your DOB and licence number so I may verify your identity before sonding. thanks, Fed Ex India

Anonymous said...

I've just seen a MacBook Pro for sale, which I inquired about. I was told that the guy selling it is in Greece on business at the moment but if I give him my name, address and phone number he will send it to me via Fed Ex and I'll be able to inspect the MacBook before paying for it. I thought it sounded a bit odd so googled it and found your post. It's all very odd!

Leonid S. Knyshov - Crashproof Solutions, LLC said...

Just so you know...

This post is the #1 link on Google for 'fedex package scam' as of 6/20/08

Would be cool to update it with more details about this scam. :)

Anonymous said...

YEa I got a similar thing from FedEX through e-mail, and I only needed to contact them to give them a bit of information, FULL NAMES:TELEPHONE:POSTAL ADDRESS:CITY:STATE:COUNTRY: and make arangement to pay the 130$ holding fee and I would get the 200000$ the my colleague Leonard (however that is) has sent me... good old Len, he's soooo generous...scam scam scam scam....I still find it odd that with all the news about these scam that some poeple still get caught.... On the telephone I would have given him a false date of birth and mailing adress, just to make their life a bit dificult...if they spend all this time and money researching the wrong info maybe they will stop??

Anonymous said...

I got nearly this exact phone call. Someone who called, claiming to be FedEx. Well, FedEx has my address information based on my name. I called them today, gave them my address and they told me no package was to be delivered.

Luckily after reading this post I called the three major credit report companies and will be careful lol

Beth said...

Unbelievable! I did not get a phone call, but instead I received an 'Extremely Urgent' FedEx envelope, in which I found a bogus check made out to ME (how do they know my name and address? I've only just moved here!) for the amount of $3400.00, drawn on Bank of America in Mesa, Arizona. The account number does exist (I called the bank) but the account name on the check is BOAT ANGEL, not the actual account holder. So, I googled Boat Angel in Mesa, AZ and an eastern Indian voice answered the phone. I said I had a fraudulent check in my possession and intend to turn it in to the Attorney General. Inside the envelope was a strip of paper with these instructions (verbatim) ~ "Dear Sir/Madam, Thanks for your sincere attitude and indulgence. However, you really need to contact us via the email stated below immediately you receive the payment. This is most important. Please if any other information is given to you, kindly get back to this contact email address before you go ahead with any transaction. xpresslineoutfinanceshipdept@gmail.com -- We will give you further instruction as soon as we read an email from you upon receipt of receiving the payment. We will let you have the authorize information to get the excess funds wired. Note: E-mail to xpresslineoutfinanceshipdept@gmail.com immediately you receive the check for more details and further instruction. This is very important to avoid Risk. Your Cooperation will be highly appreciated. Best regards," ~ OK, I received no phone call like Alistair Davidson, but I did receive this odd bit of FedEx mail tacked onto my front door today. What to make of it? I will report it at once!

Anonymous said...

This just happened to me this morning, so I googled "fedex scam" to see if there were any repercussions to this if I didn't give them any info. I'm hoping my name and phone # is the only personal info. they had. I hung up before getting to what details they actually wanted from me.

I was woken up by a call from Jamaica (I live in Houston, TX, USA) and ignored since I figured it was a wrong #. They called back immediately when I didn't answer the 1st time, so I picked up out of curiousity. The caller said, "Is this ____?" (They knew my name). I said yes and he said something along the lines of, "This is FedEx Review" calling. He sounded so unprofessional and kept hesitating and saying it again two or three times, that I hung up knowing full well that no one from FedEx Jamaica would be calling me. They called back twice again and I didn't answer. Should I be worried?

Anonymous said...

I received a call last night at 10am EST from "Fed Express" asking for my husband by name, and then me by name (we are both listed in the phone book) to tell me that my package would be delayed because of the weather (we are in the midst of a major snow storm). I said that that was no problem but who was the package from, that we hadn't ordered anything. He said he was calling from Arizona and that it was an online order and that from his screen he couldn't tell who it was from. I assured him we were not waiting for a package - then he said it from from 'Super Sport'. What is a Super Sport? He said he could not describe the items but it looked like 'adult' items. Did we still want it delivered. I said no, not to deliver it. His last comment was "you might like it". I hung up. He did not ask for any personal information. What kind of call is this???

Unknown said...

b.ashworth, I've experienced the same scam except more in depth. My roommates and I are looking to rent out the last bedroom in our apartment as one of us moved out last term and I had it advertised on Craigslist. I was contacted by someone claiming to be a student of a nearby college currently on study abroad and looking for a room, seemed legit enough. After some emails back and forth, request for pictures etc. she agreed to rent it and said she would have her dad send me a check for the security deposit and first month's rent and that she would be flying back in a week. A few days go by and then I get an email from "her" saying that her dad had to fly away on urgent business and accidentally sent me the amount for the room and her car payment and asking me to forward the car payment to her "car dealer" via Western Union. Obviously this raised some concern, today I got an envelope exactly as you described except the address on the sheet inside is ankarafutureaccessinc@gmail.com. Same message word for word, signed by Robert Williams (typed but no signature). I wasn't able to trace the name and city or the address back to a phone number, there are a lot of Robert Williams in Seattle and a reverse address lookup reveals no phone number. I took the check to my bank and asked them to check it out just to confirm again what I already knew that this was a scam. Needless to say they had a field day with it, fishy routing number, no watermark. It was for $3200 through Citibank, they called up citibank and after they got off the phone they told me they wouldn't cash the check even if I wanted to.

MD HASANUR ALAM KHAN ( ALL TRACKED) said...

THIS IS A SCAM E-MAIL I RECEIVED TODAY. PLEASE DONOT FALL IN TROUBLE!! spammer uses fedex logo also ,you can visit my blog#hasanur2007.blogspot.com ,thanks


FEDEX COURIER SERVICE,
EDO STATE,NIGERIA
WEST AFRICA.
10th-02-2009.

Dear

SHIPMENT CODE: CPEL/OWN/9856


I am in receipt of your email, thank you for your prompt response.

As per our previous email, I advise that you go ahead and make the required payment in the amount which is $150 USD for security keeping fee as earlier indicated. The payment should be made to our Account Officer via Western Union Money Transfer, with the below instructions:

Name: Mr. Andrew Muyi.
Address: 1 Air Port Road, Benin City, Edo State, Nigeria.

After which a payment receipt will be issued to you. You are to forward payment details, which must include the following with a scanned copy of the payment slip also for record purpose.

NAME OF SENDER:
ADDRESS OF SENDER:
AMOUNT:
MONEY TRANSFER CONTROL NUMBER (M.T.C.N):


NOTE: that as soon as your payment is confirmed, delivery of your parcel shall commence immediately and your package will be forwarded to you.

Feel free to email or give me a call if you need any assistance.

I await your swift response.

Faithfully Yours,
Mr. Rechard Raynor.
Tel:+234-805-164-6568
Dispatch Director.

FEDEX INTL>> PS...(IT HAS A BACK LETTER OF GURANTEE FROM THE HIGH COURT OF JUSTICE)

2teirah said...

Well here we are in July 2009 and I just received the following message by email -

Greetings From FedEx,
Date: 22/07/2009.

This is to inform you that there is a package in this office deposited by a private organization body on the 22nd of June 2009. Your email address was attached to it and is to be delivered to you. I have been waiting for you to contact me for your confirmable package which contains a Bank Draft of $156,000.00 USD and some vital documents.
====================================================

Kindly contact our branch office (FedEx Seattle, Washington, USA.) via our contact below:

Name: Joan Dephilips
Email: fedex.seattle.wa@yuurok.com
Tel: +1-206-984-9393

You are required to provide him with the following information:

Name:
Address
Age:
Marital Status:
Nationality:
Telephone Number:

Sign Management .

All I can say is WTF! What kind of organization sends packages by FedEx with no address? This isn't even a clever scam.

Alistair Davidson said...

Hah, that's actually so bad it's almost funny.

Now you've got a phone number, so that can be traced to the registered owner, right?

Shia B said...

Wow i was just reading this for one of my classes, and you know we kind of think alike. becuase me, well im not one o give out my info to anyone......i trust no one really and with today's economy who can you blame?...thats whi i'm going to school for cyber crime....in all fairness though,anyone calling me at 7 in the morning will not like the things i say to them.

Anonymous said...

A friend of mine just received basically the same thing as b.ashworth except he got TWO checks one with the exact note that ashworth received from FedEx and one from UPS with a much smaller slip of paper and another check for a bunch of money. The one check was from Fox Group with the address: PO box 990 Beverly HILL, CA 90213 ....it was exactly like that with HILL all capital and missing the S. One check said "cash immediately" the other said "certified check" in the memo lines.... sooooo weird! now they're moving onto UPS too! And he did just get done with some shady person on craisglist so I'm POSITIVE the two are correlated. Beware of people asking to send checks on CL!!

Anonymous said...

the delivery of a package with a check just happened to my boyfriend for $2954 dollars but from UPS, so beware! not just fed-ex.

security technology  said...

I really appreciate this wonderful post that you have provided for us. I assure this would be beneficial for most of the people.