I received a text today, purporting to come from NZ Post, saying that a parcel could not be delivered, with a link to click to arrange re-delivery.

Unfortunately, I missed the indications that it might be a scam:

  • It said they would arrange re-delivery the same day; normally, re-delivery happens the following day
  • Phone number is Australian (+61, rather than +64)
  • The link to click points to bit.ly, a link-shortening service, which also acts as a link-obfuscation service.
  • Sent using RCS rather than normal SMS; this is just a bit unusual

I clicked the link, and got a page that looked like a tracking page with a valid-looking tracking number, except

  • it had an unusual URL https://nztxpits.icu/?token=, nothing like NZ Post
  • the delivery events (pickup, out for delivery, etc) did not make any sense

My experience with your standard re-delivery web pages is that it is easier to do with a keyboard rather than on a phone, so I transferred over to the laptop.

Clicking the link again failed. Typing the tracking number into the NZ Post tracking service brought up a page with some data the same as the scam link, but slightly different details.

It was only at this point that I realised something was not right. Searching the NZ Post website for current scams showed that this is a thing.

Lessons learned

  • I have stopped clicking on links in emails, unless I have explicitly requested something by logging in to the website, and the email appears in my inbox in the next few minutes.
  • I will have to stop clicking links on texts too.
  • Do not trust URL shorteners such as bit.ly, goo.gl, TinyURL, etc.
  • The bank says on its website that it no longer sends clickable links in emails, and requests that you log in manually; the same applies to all services.
  • If you do receive a link, even one that looks valid, do not click it. Instead, log in to the service manually, and type or copy-paste the identification number (tracking number, reference number, invoice number, etc) into the appropriate box on the website.
  • If a service provider does not provide enough information to do this, complain to the service provider.
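The warning signs listed at the top of this post (foreign sender prefix, shortened link, landing page on an unrelated domain) can be checked mechanically. The sketch below is an added example, not part of the original post; the function names are hypothetical, `nzpost.co.nz` is assumed to be the genuine domain, and the sample sender number and short-link path are constructed.

```python
import re
from urllib.parse import urlsplit

# Link shorteners named in this post.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com"}
# Matches links with or without a scheme, e.g. "bit.ly/x" or "https://a.b/c".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def host_of(url):
    """Lower-cased hostname of a URL, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to(host, domains):
    """True only for a listed domain itself or a real subdomain of it.

    Matching on the dot boundary rejects look-alikes such as
    'nzpost.co.nz.example.icu', which merely contain the brand name.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(sender, body, home_prefix, brand_domains, landing_url=None):
    """Return the warning signs present in one text message."""
    flags = []
    if not sender.startswith(home_prefix):
        flags.append("foreign-sender")
    hosts = [host_of(u) for u in URL_RE.findall(body)]
    if landing_url:  # where the short link ended up, if known
        hosts.append(host_of(landing_url))
    for h in hosts:
        if belongs_to(h, SHORTENERS):
            flags.append("shortener:" + h)
        elif not belongs_to(h, brand_domains):
            flags.append("off-brand-host:" + h)
    return flags


# Constructed sample: sender number, wording and short-link path are invented;
# the landing host is the one quoted in this post.
SAMPLE = triage(
    "+61400000000",
    "NZ Post: your parcel could not be delivered. Re-deliver: https://bit.ly/EXAMPLE",
    "+64", {"nzpost.co.nz"},  # assumed genuine domain
    landing_url="https://nztxpits.icu/?token=",
)

if __name__ == "__main__":
    print(SAMPLE)
```

An empty result does not make a message safe; it only means none of these three signs were present.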

Outcome

  • I clicked the link, so the scammer knows that my phone number is valid.
  • I did not click the re-delivery options button, so I did not enter any important information.
  • But this was by good luck, not by good judgement.
  • My house is weatherboard too.
  • Painted the same colour.
  • My gumboots are on the deck.