Bpost is the national postal delivery service in Belgium. One would expect that they have their online affairs in order, given the tremendous amount of phishing scams targetting bpost, DHL, PostNL and all the other couriers around.
Today I got phished in a really professional way or at least I thought I was, until it turned out I wasn't. It was worse than that.
What initially happened
Here's some context: I ordered a nice art print coming from the UK, not thinking about the extra import taxes I'd have to pay related to Brexit. So one week after placing my order I got a letter in the mail from bpost, stating that I had to pay around 18€ of import taxes for the package coming from the UK. That sucked, but I followed the instructions in the letter anyway stating that I should enter the tracking code on www.bpost.be/track to pay the taxes if I wanted my order to be released for delivery.
This all went fine and I paid the amount and got a success message saying that my payment had been received. So far, everything was going according to plan to get the print delivered.
What started going wrong
One week after paying the taxes the print still hadn't arrived and the seller asked me if I liked the print. I wasn't really skeptical at this point and checked the tracking code again but there were no useful updates to speak of.
A few days passed and I received another letter in the mail from bpost claiming that I had a package sitting in transit and that I needed to pay 16€ (a different amount than what was shown on the first letter) in order for it to be released. I quickly checked the pictures attached to the tracking code on the online bpost link and saw that it appeared to be the same package with the art print I paid for earlier.
Now I started getting a bit nervous. Was this the same package? I didn't order anything else, especially not from the UK so it must be the same package right? Also, what about that payment I made a week earlier. Was that payment legit or had I been scammed. This really peaked my interest, especially because I teach a couple of cyber security and hacking workshops myself so I hope I'm a bit more on edge when it comes to phishing scams compared to the average grandparents that didn't grow up in cyberspace.
Have I been scammed with a fake letter?
I couldn't find the first letter I received because it had been a week ago, the payment was succesful and I threw the letter away in the paper recycling box. I started checking my banking app to see where the payment I made online actually went. My banking app stated that the receiver was "bpost NV Bruxelles" with the bpost icon next to it. That at least looked somewhat legit but when can you be sure right?
The second bpost letter
The second bpost letter I received had the same layout (according to memory) and message as the first one and there was nothing that seemed like it was a fake. If it were a fake, it was done so perfectly that even the links mentioned in the letter couldn't hurt anyone since they all referred to the official bpost.be domain. Perhaps the tracking bar code (the one I blurred above) had been faked in order not to raise suspision in any other place.
I checked the barcode again on www.bpost.be/track being really careful to type in the correct domain name but it all seemed fine to me. After entering the tracking code to see if it mentioned my earlier payment (it didn't) I noticed something that was off. The tracking website wasn't hosted on bpost.be, but on bpost.cloud. That's something I would definitely set up if I were a phisher.
I started to get really nervous and hoped my bank account wasn't emptied by now. To make things even more suspicious, the delivery address on the second bpost letter was my address written with all possible typos you can imagine. I can't even imagine that a letter could arrive at my place given that address, because the OCR software had completely messed up my address somehow. It looked super phishy for sure.
Calling customer service
It was time to pick up the phone, get the popcorn out and brace myself for a long wait while trying to reach customer service. I was somewhat surprised to get a real person on the phone within five minutes (much appreciated bpost!) and I explained the situation about receiving the two letters. Unfortunately I didn't have the first letter anymore (or so I thought at that point) so I couldn't say for sure what the tracking code was and if it was the same as the one on the second letter. I was sure though, that the package was 100% the same.
The customer rep tried to help but couldn't figure out what was going on either as they had no trace of my payment whatsoever linked to my address. They would have to pass the question on to another support level, which will probably take a few days to get back to me in order to verify the bank transfer or whatever.
Getting a phishing text message
After hanging up the phone, I noticed that I had received a text message with some dodgy short URLs in them. I don't give out my phone number and I don't use any of the bpost apps to track packages so these must be targeted phishing links, so I thought.
I checked the phone number 8152 and that appeared to be the number that bpost.be mentions on their website being their official number. Weird. This might have been a spoofed number, who else would send out such dodgy text messages.
What creeped me out was the timing of all this. How the hell could someone know that I was right now trying to figure this bpost thing out in order to send me such a timely phishing message. I couldn't have planned it more perfectly myself!
I opened up urlchecker.info to expand the short url's to see where this would lead me. The apple.com link pointed to another short url, which in turn pointed to ... the official bpost apps in the App store.
By now I was completely puzzled as to why bpost would do so many things that made their activities look like a phishing scam. In an environment such as the package delivery industry, where phishing scams and fake text messages are omnipresent, it would be a good idea to take extra efforts making sure clients can track packages and pay for fees in an environment that is more clearly trustworthy.
What went wrong
The package hasn't been delivered and we'll see if it ever arrives but what probably went wrong is that somebody at customs declared the package, charged some amount of VAT on it and instead of clearing the package it was picked up again by someone else who again charged a different amount of VAT on that same package. On top of that, bpost customer support did not seem to have any way of seeing what activity or packages were in transit on my address or name. The only thing they could do is enter the same tracking code I could enter on the bpost website.
What bpost could improve
In order to look less like a phishing scam, bpost and its partners could do a couple of things to improve trust in its online services. First of all, they should try to avoid human errors like creating double import declarations. Of course, nobody is perfect. This might not be an issue at bpost itself, but is probably an issue at customs. The issue could have been avoided if there weren't two letters with different codes sent out that — how does that math even work — seemed to have a random amount of imports charges linked to the same package (16€ the first time, 18€ the second time). These letters let me believe something phishy was going on, while that wasn't true.
An important thing to consider is to not use generic top level domain names like track.post.cloud, while you already have domain name bpost.be. It would be way better to just set up a domain like track.bpost.be because that's the domain name we know we can trust. I was under the impression that maybe the bpost.be site was hacked or that I was running some kind of malware that was rewriting and redirecting the URL to track the package. This wasn't true, bpost is really using bpost.cloud for some weird reason. If I were a phisher I would definitely set up a domain like bepost.be, bpost.cloud, bpost.eu, or something similar to try and lure people to my fake website where I could ask them to make a payment or worse.
Next, I was really confused when I received the text message that urged me to install an app through a bit.ly link. It's exactly the way I set up a phishing trap when I try to educate my students about scams like that. I never gave my phone number to bpost (but they probably just read that from screen when I was calling them) nor did I ever want to receive messages or push notifications from them. Why are they sending me text messages at all? If they wanted me to act on that message, all they needed to do was ask me on the phone if I wanted to receive such a message or tell me that they would be sending me this unwanted message. That would have removed any paranoia surrounding these messages.
A final thing bpost could consider is to integrate a service like itsme, that allows me to login securely and see all packages or transaction history linked to my name if I wanted to. That way, I could have seen the earlier succesful payment and it would have been clear to me as well as the bpost customer support rep that the package was declared twice. Of course, I always tend to prefer less data being linked to me but I'm sure they already have the data sitting somewhere so they could as well present it to me in a more human way.
In the end, being a bit too paranoia or careful like I was doesn't hurt and would be a good idea for a lot of people but it could also be avoided by building out online services that take into account the factors above.