UPS Canada Alerts Customers of Personal Information Exposure in Phishing Attacks

UPS, the multinational shipping company, has alerted Canadian customers that their personal information may have been exposed via its online package look-up tools and used in phishing attacks. UPS Canada sent letters to customers titled “Fighting phishing and smishing – an update from UPS,” which initially appeared to be a warning about phishing dangers. However, the letter also disclosed that UPS has been receiving reports of SMS phishing messages containing the recipients’ names and address information.

UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered. According to Emsisoft threat analyst Brett Callow, UPS needs to be clear in its breach notification to avoid confusion. UPS worked with partners within the delivery chain to understand the method used by the threat actors to harvest their targets’ shipping information. After an internal review, UPS found that the attackers had used its package look-up tools to access delivery details, including recipients’ personal contact information, between February 2022 and April 2023.

UPS has implemented measures to restrict access to this sensitive data to prevent further phishing attempts. The company is notifying individuals whose information may have been affected to ensure transparency and awareness of the situation. The information available through the package look-up tools included the recipient’s name, shipment address, and potentially phone number and order number. UPS customers worldwide have been affected by these phishing attacks.

The threat actors impersonated LEGO and Apple shipments, with other companies likely also impacted. To defend against such attacks, customers should avoid clicking links embedded in suspicious messages or replying with sensitive information.