UPS Package Invoice Scam

Yet another email scam to be on the lookout for.

UPS ScamToday, I got an email message from UPS Quantum View . On the surface, it looked almost legit. There was the from field, which certainly looked legit and a subject of “UPS Delivery Notification, Tracking Number CDE31400FCA9E1A9.” That didn’t sound right to me — I’ve never had a UPS tracking number that started with the letter “C.”

I first saw it on my iPad, so that’s where I opened the message. When I read the contents, I knew something was wrong. It was a plain text message that said:

You have attached the invoice for your package delivery.

Thank you,
United Parcel Service

*** This is an automatically generated email, please do not reply ***

I’ve never received any communication from UPS that wasn’t in HTML. And I’ve never received one with poor English (note first sentence). And finally, I’ve never received any communication from UPS that included an HTML attachment — this one was named invoiceCDE31400FCA9E1A9.html.

Of course, to verify my suspicion that this is some sort of scam, I had to open the attachment. I wanted to do that on my Mac, but not with a Web browser. Instead, I used a plain text editor, TextWrangler. Inside, I found the usual collection of HTML code that would display UPS-looking text and graphics. But most of the links inside the document were to the domain A quick Whois lookup revealed that the domain is registered to someone in China.

Not UPS.

Other than a bit of javascript at the end of the message that appears to be some sort of counter, the attachment looked harmless enough. I can only assume that clicking the links within the attachment is what triggers whatever this scam attempts to do.

I can imagine someone more gullible than me getting this email message and wondering what package UPS was telling them about. They open the linked file, see what looks like a legitimate UPS communication, and click the link to learn more about the mystery package. Their computer then becomes infected with some sort of virus or perhaps the page itself attempts to get information that the scammers can use for financial gain. I don’t know. I’m not about to try it. You shouldn’t either — not on a computer that isn’t quarantined for this kind of work.

I’ve said it before and I’ll say it again: Don’t open file attachments you aren’t expecting, especially from people you don’t know. Don’t click links from strangers.

Oh, and if you get one of these, forward it to

6 thoughts on “UPS Package Invoice Scam

    • What annoys me about these is how many people fall for them — and get burned. That’s why I blog about them. To help spread the word.

  1. As a general rule, before entering any data, especially confidential data (SSN, credit card, etc), into a form, check the URL in the bar at the top of the browser. Even if it looks right (I once got one from, or something to that effect), it may still not be legit. If, however, instead of the usual “http://” at the beginning, it lists it as “https://”, that means they’ve gone through a rather stringent process to prove legitimacy, and can be trusted.

    • Although this might be one guideline to help prevent you from becoming a phishing victim, I would not rely on this. Instead the best course of action is to never click a link in an email message from a company you do business with. All links should be considered suspect. If your bank, for example, writes to say there’s a problem with your account and offers a link, disregard the link, open your web browser, and type in the URL you normally use to access your account. Then log in as usual. Sure, it takes a few minutes longer, but it’s the safest way to get to your account.

      In addition, you need to realize that even clicking a link in an email message can cause a problem. It could take you to a site that uses code on the Web page you arrive at to infect your computer or steal data. If the link itself can contain malicious code. Remember, the link you see in the email message may not be the actual URL you’re going to. On a Mac, you can point to a link to see the actual URL. In a malicious email message, what you see won’t match the link in the message.

  2. I agree, hovering over a link to check it before you click on it is definitely the best course of action. My advice was for after a page is already loaded. If you’re on the page, check it before submitting.

  3. Thanks for pointing out this scam, Maria. I received one purporting to come from American Express, with links. Unfortunately it’s hard to see where the links go on an iPad – had to view the message source on the Mac, and yes, the links went elsewhere…

What do you think?