It was a Tuesday morning when I received the message telling me I need to sign a DHL shipment. I’ve been doing some online shopping the previous days, and therefore I didn’t find it weird that I received a DHL shipment SMS.
Furthermore, that message arrived into the same thread I previously received real DHL notices on past shipments. Another valuable factor to lower my alarm.
So, thinking that because I’m in America and have shipped to an American address (my brother’s), I’m dealing with the English branch of DHL. I didn’t have any previous experience with DHL aside from Hebrew.
So I’m filling out the form, putting my credit card to pay 1.99 dollars, and then, before I can “confirm” the payment, I need to wait for an SMS that the credit card company will deliver to the phone number associated with my credit card.
That SMS never came.
I did have some problems receiving SMS over my Israeli phone number here in Austin, Texas, so I didn’t find it weird.
I told myself to figure it out later, and maybe I should call DHL, but I left it at that. At this point, the hacker already had my credit card information.
Paying For Rent or a Hotel in Romania
The following morning, I received an email from my credit card company that a charge for 543 Euros was denied in Romania at a company that provides housing or rental services because of not enough credit. I’m not usually one to make such huge payments.
Also, I’m obviously not in Romania and have never paid for pretty much anything in Euros.
I realized I was hacked and proceeded with canceling the credit card as stolen. But I still couldn’t figure out how or why that hack happened. I still didn’t put two and two.
Circling Back to The DHL Scam
Trying to figure out where I put my credit card information yielded, circling back to that DHL message.
At first, I thought it would be the sample thank you cards that I ordered from Canva to add to my Etsy store, but then I accessed Canva and realized those were still printing.
So, I took the shipment number and went to look for it on DHL Tracking, and that’s when I accepted the fact I’ve been duped — the shipment didn’t exist.
For me, as a Software Engineer who learned Social Engineering in college, this was very upsetting. I didn’t think someone could fool me because there are things I always check automatically. But here we are.
So, the least I could do is list out what I learned and how you can prevent this from happening to you, too.
4 Ways to Recognize a Phishing Scheme
Here are 4 things to look for when you receive (any) message requiring you to fill in sensitive information.
1. Look at The URL
Is the URL coming from the domain of the actual company? For example, in my case, the domain should have been dhl.com, but it came from something else that included the word dhl but ended with .me instead. This should have been the first thing to notice, but I missed it this time.
2. Check The Certificate
The website I accessed included a generic HTTPS certificate, which should be a must for a website requiring you to put credit card information. Any website can have an HTTPS certificate these days, but you need the certificate to recognize the institution, too, and that certificate was not assigned to DHL.
3. Check For Spelling Mistakes
Every institution that respects itself will not have spelling mistakes on its website. It’s the most basic thing that can give a phishing scheme away. On the other hand, hackers won’t check grammar mistakes.
4. Fact Check The Information
Regardless of any suspicion, I should have done one thing to check the tracking information on the DHL website. If it exists, then the message would have been legit. If you take anything from this article, it’s the ability to question the “facts” presented to you.
In this article, I shared how I’ve been duped and my credit card information was stolen. Then I also shared with you some things that could have given away the phishing scheme.
Now I invite you to open up about your own experiences with Phishing. Did you ever fall for that? What did you learn? Let’s share information to help others prevent it, too.
Thank you for reading!
Oren Cohen Newsletter
Join the newsletter to receive the latest updates in your inbox.
Sign in or become a Oren Cohen member to join the conversation.
Just enter your email below to get a log in link.