I'm a smug 30-year-old who thought only Luddites like my mom fall for 'smishing' scams. Then it happened to me.
- I'm a smug 30-year-old journalist who grew-up (mostly) computer literate.
- It wasn't enough to stop me from giving my credit card information to a USPS smishing scam.
My mother — a fierce, street-smart, "boomer" — can accomplish anything she puts her mind to. But when she does, it helps if there are no computer skills necessary. Because she doesn't have many.
About five years ago, when I noticed she started using her phone to buy things online — or to tweet photos of our 15-year-old family dog to Ellen DeGeneres fan accounts, thinking she had a direct line to her favorite person in the world — the panic set in.
Ever since, I've been bracing for the moment she would get a call from some scammer telling her that me or my sister had been kidnapped, forcing her to run out and drain her modest retirement account, load it onto gift cards, and send it to some faraway warehouse or PO box. Or, even more likely, when she's baited into paying a scammer for the opportunity to meet Ellen.
Anytime she shared a story about a "sweepstakes" (usually Ellen related) or website (also Ellen) that she signed up for, I would immediately launch into a slightly condescending lecture about the threat of scammers and shame her for clicking unfamiliar links online.
But thankfully, my mom hasn't had her identity or credit card information stolen.
But now I — a smug Millenial journalist who practically grew up online — have.
Awkward.
It started with a text message
When my (non-biological) grandmother moved to Norway, I sent her a small package with some art my 1-year-old made.
So when I got a text message claiming to be from the United States Postal Service saying there was a problem delivering my package, I'll admit, my Spidey senses did go off. I did think it was probably a scam.
But I went to the link anyway, just in case. I didn't want Mommo to never get my daughter's priceless package!
The scam website looked a lot like the real thing
I opened the link on my phone. I was suspicious. I then opened it on my laptop so I could click around and make sure it was actually the USPS. I am a prudent internet user, after all.
It seemed legit. It linked to a page about "informed delivery" and I am an Informed Delivery subscriber. I like to know when my late-night Halloween decor purchases are arriving before they hit my doorstep.
It also had a tracking number, an FAQ page, and other indicators that left me satisfied.
I went back to my phone, entered my home address — which in retrospect I'm not sure why they'd need that — my email address, and my phone number.
Then the red flag that trumps all red flags appeared: it asked me for my credit card information for a $o.30 redelievery fee. I thought — this doesn't feel right, but what the hell.
WELP.
Finally, it prompted me to enter the verification code it sent to my phone. It also had a timer to do so.
I never got a code. After checking all my spam folders to make sure, I realized I HAD BEEN GOT.
With a heart full of shame, I reported the scam
I called my husband, a web developer who also works in IT. You know, that sassy department that sends you scathing emails warning you not to fall for phishing attempts.
He was displeased. And also, not quite as surprised as I was that I could fall for something like this. I'm offended, to be honest.
My husband tried to call the bank to report fraud. That call, however, was interrupted by their call. The bank had detected fraud and was already letting him know about it.
He cancelled the card and no money was lost — that we know of.
I also let my IT department know because I opened the link on my work laptop. (Please don't fire me.)
Then I began Googling everything about the USPS scam. I should have trusted my gut.
The USPS says they don't send tracking texts or emails with links in them
The USPS has an entire webpage warning people about "smishing," the name for scams conducted via text message.
The USPS does have services to track packages, but you'd have to ask for it and initiate the text yourself. (I had not, so, my bad.)
These alerts from the actual USPS won't contain a link, and apparently wouldn't cost any money. Shame on me for thinking our postal service was milking me out of $0.30.
The website also asks that you report any smishing attempts to spam@uspis.gov. I have since done that, with shame in my heart.
This whole ordeal serves as a lesson that I am not above these sophisticated scam attempts.
Maybe I will be less smug the next time I have to write about the poor, well-meaning grandmother who was duped out of her retirement savings.
She, at least, (hypothetically) thought her loved-one's life was in danger. I thought my daughter's handprint art might be lost in transit.
Who's the bigger fool?