Multinational shipping company UPS is warning its Canadian customers that some of their personal information may have been exposed through its online package finder tools and misused in phishing attacks.
At first glance, the letters sent by UPS Canada, titled “Combating Phishing and Smishing – An Update from UPS”, appear to be warning customers about the dangers of phishing.
However, it turns out to be a data breach notification, with the company sneaking in a disclosure that it has received reports of phishing text messages containing recipients' names and addresses.
“UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered,” UPS said in a letter shared by Brett Callow, threat analyst at Emsisoft.
“Breach notifications need to be absolutely clear about what they are from the start. Inflating them doesn’t help anyone and just increases the chances of them being trashed unread,” Callow told BleepingComputer.
After receiving the phishing reports, UPS worked with partners within the delivery chain to understand the method used by the threat actors to collect their targets’ shipping information.
Following an internal review, UPS discovered that the attackers behind this ongoing SMS phishing campaign were using its package tracing tools to access delivery details, including recipients’ personal contact information, between February 2022 and April 2023.
The company has now implemented measures to restrict access to this sensitive data to thwart these convincing phishing attempts.
UPS says it is notifying people whose information may have been affected to ensure transparency and awareness of the situation.
“The information available through the package finder tools included the recipient’s name, shipping address, and optionally the phone number and order number,” UPS said.
“We cannot provide you with the exact period during which the misuse of our package tracing tools occurred. This may have affected packages from a small group of shippers and some of their customers from the 1st February 2022 to April 24, 2023.”
UPS customers worldwide were affected by these phishing attacks, as seen in online reports showing threat actors using their names, telephone numbers and postal codes, as well as information on recent orders.
According to numerous malicious text messages seen by BleepingComputer and believed to have been sent during this campaign, threat actors impersonate Lego and Apple shipments, with other businesses likely affected as well.
A UPS spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today regarding the number of affected customers and which other shippers were impersonated in the attacks.
Both federal agencies told them to be wary of text messages from unknown numbers with suspicious links and often containing misleading and incomplete information.
To defend against such attacks, you should never click on links embedded in suspicious messages or reply with sensitive information.
Update: A UPS spokesperson shared the following statement after the article was published:
We are constantly vigilant regarding phishing and other attempts by malicious actors. UPS is aware of reports of an SMS phishing (“Smishing”) scheme targeting certain shippers and their customers in Canada. UPS worked with delivery chain partners to understand how this fraud was perpetrated, as well as with law enforcement and third-party experts to identify and stop the cause of this scheme. Law enforcement said there has been an increase in smishing affecting a number of senders and many different industries.
As a precautionary measure, UPS is sending Privacy Incident Notification Letters to individuals in Canada whose information may have been impacted. We encourage our customers and consumers in general to learn about ways to stay protected against such attempts by visiting Fight Fraud | UPS – Canada.