Back in September I received an email claiming to be from the courier firm DPD and that an attempt to deliver a parcel was unsuccessful. In order to get the item redelivered I would need to reschedule the delivery and confirm the address details are correct. Unfortunately as there had already been three failed attempts there would be a small charge. The link provided also included the tracking code embedded into it for convenience.
But wait, switching from my phone to my laptop showed that it was coming from a Hotmail address instead of a DPD email address and also that the payment was in euros, not pounds sterling. But more to the point, why is it that someone can register the web domain ‘tracking-128673.dpd-co-uk-servicedelivery-supportuser-info .com’ without raising alarm bells? I checked and saw that it was registered using namecheap.com so I reported it to them via their live chat feature and was told to submit a ticket to the Abuse Reports department via the Support option on their website and choosing the relevant abuse type.
At worst paying for the non-existent re-delivery fee would give the criminals your name, address and payment details, but if that wasn’t bad enough a few extra questions to set up an account (for convenience) like an email address, password and a security question answer, can lead to full blown identity fraud which can be devastating for the victims. Large loans can be taken out in a victim’s name, lines of credit established, as well as expensive luxury goods purchased with the original payment details. If the password given has been used elsewhere, online accounts could be taken over, adding to the misery.
Now with email still accounting for over 90% of cyber attacks on businesses, why are we not stopping fraudulent web domains from being created in the first place, or at least checked by AI, or Dave from the pub for that matter. Anyone with a bit of cyber security common sense can see that it was created to mislead. What doesn’t help is the bulk domain ordering that many web domain registrars now allow, giving the criminals the ability to register hundreds of domains for slightly more than a premium takeaway latte per domain via an uploaded spreadsheet. Not that they care about the cost because chances are they are using stolen credit card information anyway.
So in the meantime, until the domain registrars start taking action, we need to prompt them to block fraudulent web domains. For free advice on how to report phishing emails and fraudulent links for a wide range on online services, check out: www.booleanlogical.com/internet-security