USPS delivers to Canada, so fraudsters are conducting SMS phishing campaigns against Canadians. We spotted this campaign spoofing USPS which informs the recipient that a package cannot be delivered. It also includes instructions that cause the link in the text to become clickable. Responding with a "Y" causes the link to become hyperlinked, and the user can click the link rather than try and copy 'n paste the link into their browser.

This may also allow the threat actors to know that the receiving phone number is valid, so that they can continue to send messages to that recipient.

The domain itself does not specifically spoof USPS, but uses a simple "post" which may be less effective as users should be able to spot this as a fake.

When the link is clicked the user is shown a spoofed USPS page and is then prompted to begin entering their address information.

This example demonstrates that threat actors will not just spoof Canadian brands, but will leverage any brands and/or services used by Canadians.

You can report these type of messages and get additional information from uspis.gov.

IOCs

post-mersue8[.]top

91.92.251[.]93

[IOC Details]