
News | Jan. 21, 2022

Online Safety Tips: Spot the Scam

By Tobi Beck and Stephen Hickok, DCMA Public Affairs

FORT LEE, Va. — From extortion and phishing to identity theft and hacking, cyber criminals target personal information with constantly changing tactics. In today’s online world, digital security protects more than bank account numbers. Just about everything is captured on the internet, which means understanding the threats, and how to protect against them, remains vital.

In this new computer-safety series, Tobi Beck, chief of strategy, planning, and governance in the Defense Contract Management Agency’s Information Technology Directorate, shares tips for the DCMA workforce to stay up to date and computer safe in this ever-evolving digital environment.

I nearly got scammed over the holidays. Like many of you, I have had many packages arriving at my doorstep, a common situation that is being used to take advantage of unsuspecting individuals. The scam was clever. First, I received a text message that read: “[U.S. Postal Sercive] Undeliverable Luggage and Packages. Please check https://www.trackingb2sy0.com.”

It looked authentic, but being in the IT world, I know that the first rule to protect yourself online is to never click on an emailed link.

As an IT specialist, I have access to a computer system used for examining suspect sites, so I typed in the URL. It took me to a website that looked like it was from the United States Postal Service. I’ve been to the real USPS website before and everything looked right. But then I noticed it: the tracking number was already in there. How did they get the tracking number for my package when I didn’t put it in the search bar?

I copied the tracking number and went to the actual USPS.com web page and put it in. Nope, they don’t have that number. Then I took a closer look. On the email-linked page, the links all directed back to the original fake page, which asked for my personal information before letting me go any further.

If you haven’t noticed before, when you hover your cursor over a tab or link in a web browser, the link address should show up in the bottom left of your screen (this may vary based on your browser and user settings). This is a preview, so you don’t have to actually click on a link to see where it will take you.

The copyright mark on the scam page was listed as 2021, yet the real USPS page had already been updated to 2022. I used an inspection tool to look at the code on the scam page and found that it linked to the real USPS fonts, style and layout in order to mimic the real one, but all of the links were broken. This isn’t a step most people will be able to take, but it confirmed to me that the page was 100% fake.

The purpose of this scam is to collect your information, sell it, and set you up to fall for other scams in the future. The more they know about you, the more likely you are to believe the next approach is real and give them more access to your personal information. For instance, if you filled out the form above, you may later receive a scam email asking for bank account information. With what they already have, they may try to prove they are from your bank by sending a text to the phone number they “have on file” for you. These scams are used not only to steal your money, but also to collect information to sell to other cyber criminals.

I hope you will learn from my experience and use these rules to keep you safe online:

  • Never click on a link in an email … never, ever, ever. If you think it is real, type the address into a web browser yourself and see where it takes you.
  • Always check the web address: does it go where it says it does? If the URL is different from where you expect to go, be suspicious. For instance, if you’re expecting to go to your bank’s website and the URL doesn’t use your bank’s name, you can know you’re being scammed. The message I received over the holidays had ‘tracking’ in the URL, and the name almost looked authentic. So be cautious; you may have to look closely to tell whether it’s legitimate.
  • Study the address. Does it have extra letters or misspellings? Realtor.com and Reltor.com go to different sites, and one of them is a fake. Also look for extra letters, like USAAA instead of USAA.
  • Look at the words right before the .com. Some sites have sections, and they direct you there by expanding their own site, as at translate.google.com, which takes you to a free translation service provided by Google. But if you type in google.translate, you will be directed to a website called translate.com, which will charge you for services. Remember that the name displayed right before the .com (or .net, .gov, .edu) is the name of the actual site.
  • Check what comes after the “.” (dot) on a website. Most sites use a suffix that identifies their organization. For instance, educational institutions use .edu, government sites use .gov, most businesses use .com or .net, non-profits or private organizations usually use .org, and grade schools will typically use .k12.
  • Search for the actual site. In my case, the scam authors said they were the USPS. It was easy for me to simply search for the postal service to find the actual site and compare the differences. As the web has expanded across international barriers, web addresses can now contain Unicode characters so that they can be written in other languages. Sometimes cyber criminals use this advancement to hide the fact that you are not on the real website. For instance, αpple.com is not the same as apple.com. In the first one, the “a” is actually the Greek letter alpha, and it will lead to a different website than the official Apple site. This one can be very hard to see, as many letters in other alphabets look very similar to English letters, yet it is easy to avoid the trap by not clicking on the link in the message and instead typing the address out yourself.
  • And finally, again, never, ever, ever click on a link in an email or text. Does this one sound familiar? It’s worth repeating.
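The address-reading rules above can be applied mechanically. The following is an added example (not code from the DCMA article or its authors): a small Python checker that takes a URL and the site you expected to reach, and reports the same red flags the rules describe: letters from other alphabets in the host name, a real site name that differs from the expected one, near-miss spellings, a different suffix, and the expected name appearing to the left of the real site. The sample URLs in the block are constructed for illustration; the "two labels before the dot" rule for finding the real site is a simplifying assumption (it mishandles suffixes like co.uk, for which a real checker would consult the Public Suffix List).

```python
"""Added example: apply the article's address-reading rules to a URL."""
from urllib.parse import urlsplit
import unicodedata


def registrable_domain(host: str) -> str:
    """Return the name right before the suffix, e.g. 'google.com' for
    'translate.google.com'. Assumption: the suffix is a single label."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch Reltor vs Realtor or USAAA vs USAA."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, expected_domain: str) -> list[str]:
    """Return a list of human-readable warnings; an empty list means the URL
    really does lead to expected_domain (or one of its sections)."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host name could be parsed from the address"]

    # Rule: letters from other alphabets that look like English letters (αpple.com).
    for ch in host:
        if ord(ch) > 127:
            findings.append(
                f"non-ASCII character {ch!r} ({unicodedata.name(ch, 'UNKNOWN')}) in host name"
            )
    try:
        ascii_host = host.encode("idna").decode("ascii")
        if ascii_host != host:
            findings.append(f"the browser would actually connect to {ascii_host}")
    except UnicodeError:
        findings.append("host name is not a valid internationalised domain name")

    # Rule: the name right before the .com is the actual site.
    actual, expected = registrable_domain(host), expected_domain.lower()
    if actual != expected:
        findings.append(f"site is {actual}, not {expected}")
        # Rule: extra letters or misspellings.
        a_label, e_label = actual.split(".")[0], expected.split(".")[0]
        distance = levenshtein(a_label, e_label)
        if 0 < distance <= 2:
            findings.append(f"'{a_label}' is a near miss for '{e_label}' (edit distance {distance})")
        # Rule: check what comes after the dot.
        a_tld, e_tld = actual.rsplit(".", 1)[-1], expected.rsplit(".", 1)[-1]
        if a_tld != e_tld:
            findings.append(f"suffix .{a_tld} differs from expected .{e_tld}")
        # Rule: a familiar name placed to the left of the real site (usps.com.example.net).
        if expected in host:
            findings.append(f"'{expected}' appears in the host name but is not the site you would reach")
    return findings


# Constructed samples: the first is the URL quoted in the article, the rest are made up.
SAMPLES = [
    ("https://www.trackingb2sy0.com", "usps.com"),
    ("https://www.usps.com/", "usps.com"),
    ("http://usps.com.example.net/track", "usps.com"),
    ("http://www.reltor.com", "realtor.com"),
    ("http://αpple.com", "apple.com"),
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(url, "->", assess_url(url, expected) or ["looks like the expected site"])
```

The checker only looks at the address itself; it is a quick screen for the "study the address" step, not a substitute for typing the known-good address into the browser yourself.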

The key thing to understand is that your information is valuable and people will try to collect and sell it. Sometimes all they want at first is to gain your trust in order to get more information from you. But eventually they could collect enough information that you may believe they represent your bank, a place you have shopped, or some other organization, and use that trust to gain access to your money or your identity.

Until the next article, stay safe out there.