Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself (akamai.com)
144 points by rexbee 16 days ago | 71 comments



USPS.gov redirecting to USPS.com certainly doesn't help matters.

Things like this should use one of the few TLDs that actually has policies and procedures in place; then it's a simple "if it's not .gov, it's not real."


You're right that it doesn't help, but looking at regular non-technical people like my retired parents for example, I really wonder if it's a realistic expectation that people know what the important parts of a URL are.

They need to parse slashes, dots, colons and ats (remember URLs can contain credentials, even though I believe browsers issue warnings these days), identify the TLD and the domain and then know what is legit and what isn't. And know that things like onmicrosoft.com are legit while atmicrosoft.com is probably not. Or whatever link shortener some legit organizations are using.


The root of all these things is companies, banks, and governments offloading the responsibility of security on to the worst possible person - the end user.

"Identity theft" should simply not be a thing at all - it's fraud against the bank and the person whose "identity" was stolen shouldn't be involved. Combining that with simple fraud chargebacks that make the bank accountable if they can't make their (fraudulent) customer accountable would reduce much of it.


The Internet has been around long enough at this point. Maybe your parents might never be able to read a URL and there will always be people who get scammed.

But we should be taking the obvious steps like enforcing government domains on .gov. Attacks and scams are getting more sophisticated, so I hope when I'm elderly I can at least check the .gov portion and know it's an actual government website.


It's not just the elderly generation though. Young people mostly use apps and might barely interact with an actual browser. Big browsers de-emphasize the URL bar more and more. Yes, you and I and probably everyone on HN will never have a problem with this, but significant portions of the population will. I think it's a hard problem.


For .gov, gov.uk, etc. specifically, it's not that hard of a problem. You can't sign up for those TLDs if you're not a government, so browsers could decorate the URL bar for them. Then you just need to teach people e.g. that the URL bar should turn green whenever interacting with any government, and governments at all levels should use these restricted domains.

You could do a similar thing with banks. Require them to use a .bank TLD (or .bank.us, .bank.uk, etc.), only let actual, regulated banks register them, and give them special decorations. Use eminent domain if those domains are already taken.

Unlike EV cert validation, it would actually mean something if you restricted decorations to specific known regulated groups.
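The two comments above describe the same mechanism from both sides: a person has to find the host inside a URL (past credentials, ports and paths), and a browser could instead do that and decorate the bar when the host sits under a government-only suffix. The example below is added here and is not code from the thread or from any browser; the suffix list is a constructed subset, and the `[GOV]` decoration is a stand-in for whatever a real address bar would draw. It shows why the host, and only the host, decides the outcome.

```python
from typing import Optional
from urllib.parse import urlsplit

# Suffixes that only governments can register under. Constructed,
# illustrative subset for this example, not an authoritative list.
RESTRICTED_GOV_SUFFIXES = ("gov", "gov.uk", "mil")


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None.

    urlsplit() discards userinfo ("usps.gov@evil.example"), the port and the
    path: exactly the parts that get mistaken for the host when reading by eye.
    """
    if "://" not in url:
        url = "https://" + url           # treat a bare "usps.gov/track" like a browser does
    host = urlsplit(url).hostname        # lower-cased, userinfo and port removed
    if not host:
        return None
    return host.rstrip(".")              # "usps.gov." names the same host as "usps.gov"


def is_restricted_gov(url: str) -> bool:
    """True only when the host has at least one label under a government-only suffix."""
    host = hostname_of(url)
    if host is None:
        return False
    return any(host.endswith("." + suffix) for suffix in RESTRICTED_GOV_SUFFIXES)


def url_bar_decoration(url: str) -> str:
    """What an address bar applying the restricted-suffix rule would display."""
    host = hostname_of(url) or "(no host)"
    return f"[GOV] {host}" if is_restricted_gov(url) else host


if __name__ == "__main__":
    # Constructed sample URLs: one real-looking .gov, the rest lookalikes.
    for sample in (
        "https://usps.gov/track",
        "https://USPS.GOV.:443/tools",
        "https://usps.gov@evil.example/login",     # userinfo trick: host is evil.example
        "https://usps.gov.evil.example/",          # .gov buried in a subdomain label
        "https://evil.example/usps.gov/",          # .gov in the path, not the host
        "https://usps.com/",
    ):
        print(f"{sample:45} -> {url_bar_decoration(sample)}")
```

The check deliberately tests the host's label boundary (`"." + suffix`), so `notgov.uk` does not pass as `gov.uk`; that boundary is the detail a human reading a URL is least likely to get right.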


Isn't the simple solution to this to encourage everyone to use the USPS app (and apps for banking, etc.)? Most young people probably do this already.


This just moves the mimicry to the app stores. Admittedly there's some curation but it's far from perfect.


Just to be clear, the two options in this false equivalence are "no fake USPS app has ever been seen, though it is possible in theory" vs "scam websites see as much traffic as USPS itself".


The first result in my region when I type usps into the google play store is a sponsored result for an app called Parcel Tracker, by internet media. The visible reviews for this app are negative citing scamminess.

If I search for whatsapp, in the sponsored section there are 10+ apps with white speech-bubble style icons on green backgrounds that aren't WhatsApp.


That isn't actually simple though.


That's like suggesting people don't need to know what the zip code is because it's often redundant and omitted. People are often lazy, but it's immediately obvious to anyone that omitting the full 9-digit zip code could result in the letter being misdelivered, even if I don't understand what the last 4 digits are even for.


I'm 38, live in the SF Bay area, and have never given anyone more than the first 5 digits in my life. Online some might auto correct, but I've never learned them in my life and never even considered I should.


The Zip+4 last four digits align to delivery zones. It can be trivially constructed from the complete address now that we have reliable digital mapping systems, and in fact this is what happens internally in the postal system.

It is not required and will likely never be required to provide a 9 digit ZIP for reliable delivery. It may, and does sometimes, impact speed of delivery due to sorting/distribution rounds.


> It is not required and will likely never be required to provide a 9 digit ZIP for reliable delivery.

That depends on who you are.

If you are a regular person, then yes, 5 digits is sufficient. But if you are a sender of presorted commercial bulk mail (which is discounted from first class), you may actually be required to provide a 5 + 4 + 2 = 11 digit ZIP.

That little barcode the post office prints on your letters is actually just the 11 digit zip. The final two digits are the last two digits of the house number. So "123 Any Street, Anytown FL, 45678" the final two digits of the zip would be 23.


It's honestly not that obvious. I never knew there's a difference between the 5-digit and 9-digit versions of my zip code. Most checkout flows do not even allow me to input more than 5 digits in the first place. But upon receiving my mail, the 5-digit code is always corrected to the 9-digit one.

I had never considered that if there were multiple 9-digit expansions of a 5-digit zip code, the correction might turn out wrong unless the full 9-digit code is specified.


Browsers have gotten better at highlighting the important part. On this URL Firefox highlights the "ycombinator.com" part of the URL (by writing the rest in muted gray), and Edge at least highlights "news.ycombinator.com". Chrome curiously doesn't, and neither do any of my mobile browsers.


I wonder if it would have helped to sort URLs in order of importance. For example com.microsoft.login/reset-password. Then the rule is "does it start with `com.microsoft.`" It would still require people reading URLs and only work well if companies don't spray important stuff across domains (Microsoft is particularly bad here) but at least it is way better than "The stuff in front of the first slash that comes after the protocol slashes." which is pretty hard to explain to someone.


If nothing else, their browser could know that.


The problem is that the browser knows that myups.com is not ups.com. But it doesn't know that you don't have an account at myups.com and think you are logging into ups.com.

The best solution to this is using your browser's built-in password manager (or your favourite browser-integrated password manager); then your randomly-generated password for ups.com won't auto-fill for myups.com and you at least have to think about it and wonder why you need to fish the password out of the password manager.
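The autofill behaviour described in this comment comes down to a matching rule: a credential is bound to the scheme and registrable domain of the site it was saved on, and it is offered only when the current page has the same key. The example below is an added illustration, not code from the thread or from any real password manager; the public-suffix subset is constructed (a real manager consults the full Public Suffix List), and `Vault` is a hypothetical in-memory stand-in for an encrypted store.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed subset of public suffixes, enough for the demo. A real manager
# loads the full Public Suffix List so that multi-label suffixes are correct.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1 for a host: "www.ups.com" -> "ups.com". None if host is only a suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" wins over "uk".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def origin_key(url: str) -> Optional[Tuple[str, str]]:
    """(scheme, registrable domain) that a saved credential is bound to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    domain = registrable_domain(parts.hostname)   # hostname already drops userinfo/port
    return (parts.scheme, domain) if domain else None


class Vault:
    """Hypothetical in-memory credential store keyed by origin (demo only, unencrypted)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        key = origin_key(url)
        if key is None:
            raise ValueError(f"cannot bind a credential to {url!r}")
        self._entries.setdefault(key, []).append((username, password))

    def autofill_candidates(self, page_url: str) -> List[Tuple[str, str]]:
        """Credentials offered on page_url. An empty list is the signal the
        comment describes: this is not the site the credential was saved on."""
        key = origin_key(page_url)
        return list(self._entries.get(key, [])) if key else []


if __name__ == "__main__":
    vault = Vault()
    vault.save("https://www.ups.com/login", "alice", "correct-horse-battery")  # constructed
    for page in (
        "https://ups.com/account",                  # same eTLD+1 and scheme: offered
        "https://myups.com/login",                  # different registrable domain: nothing
        "https://ups.com.evil.example/login",       # brand as a subdomain label: nothing
        "http://ups.com/login",                     # scheme downgrade: nothing
        "https://www.ups.com@evil.example/login",   # userinfo trick: host is evil.example
    ):
        print(f"{page:42} -> {vault.autofill_candidates(page)}")
```

Binding to the scheme as well as the domain is what blocks the plain-HTTP downgrade case; binding to eTLD+1 rather than the full host is what lets `www.ups.com` and `ups.com` share a login without also matching `ups.com.evil.example`.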


This is a problem I have a REALLY hard time with when discussing with people, often about scams.

A lot of people look at scams and think "I'd never fall for that" because at face value something looks obvious and you think you can use these obvious filters. BUT in reality there's tons of fuckups like this that make the space confusing because the "red flags" just look like flags.

For example, in the scams where people fake a voice of a loved one people think they'd know. But there's bad connections and the scammer makes it feel like an emergency so you'll let little weird things slip by. Or how every year or two Google changes its login page format (and currently I seem to hit two very different formats...). Or a week ago with the rabbit leak I said this was a reason not to push people to download a file[0] and people concentrated on the part of it being a zip and not that 1) you download something and 2) that zip has to be opened even if a zip alone can't do anything.

This really is one of the big dangers of enshittification. It becomes difficult to distinguish legitimate things from scams.

[0] https://news.ycombinator.com/item?id=40135671


I wonder if the .com TLD is part of the GOP campaign to kill the USPS


USPS purchased the usps.com domain a long time ago specifically so they could control it and prevent phishing. The decision to replace usps.gov with the .com domain came later, with the tenure of Trump appointee Louis DeJoy.

Right wingers believe that USPS should operate as a business, not a public service, so "rebranding" their website to be .com is definitely a part of that narrative.


This does not jibe with my recollection, which is that usps.com has always been the main site. And now, after a quick internet search, I find many references[0] that show your claim is wrong -- the use of the .com domain pre-dates DeJoy by many years, going back in fact to the days when WWW was starting to get widespread use (because .com was far better known than .gov).

[0] Here is just one: https://www.reddit.com/r/explainlikeimfive/comments/3piv7w/e...


It's been USPS.com branding since at least 2000, aka the Bush administration. [1]

[1] https://web.archive.org/web/20000229182038/http://www.usps.g...


I meant Clinton administration


So the ask should be to have .gov be canonical, and usps.com directing to .gov it sounds like?


Yep, but for ideological reasons they reversed it.


No, as I and others have commented, this wasn't changed by the current Postmaster DeJoy (not ignoring all the other wonderful stuff he's changed). They've been using the dot com domain for decades at least?


I'm honestly not a fan of what Louis DeJoy has done to USPS, but I'm pretty sure they've used the dot com domain for as long as I can remember, way before DeJoy became Postmaster General....


Fake news... I love how people always blame DeJoy even though he is one of the better PMGs we've had... and then right wingers somehow enter the picture? I've been working at USPS in tech for 15 years... this has nothing to do with DeJoy or right wingers and .com has existed for a very long time as the main external facing website for customers.


> Right wingers believe that USPS should operate as a business, not a public service, so "rebranding" their website to be .com is definitely a part of that narrative.

Seems failing businesses is also on brand for those guys.


It's not just in the US, it happens in every country. SMS is the main way these links are distributed. So much so that in Sri Lanka, the government planned to add a centralized SMS firewall.

https://economynext.com/sri-lanka-to-study-infobip-centraliz...

Google Messages has a good spam filter that can filter them in real time, but I have seen some get through for a small period of time.
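The real-time filtering this comment mentions is, at its simplest, a triage over message text: pull out anything that looks like a link, and flag the message when it names a brand but links somewhere that brand does not control. The example below is added here and is not code from the thread, from Google Messages or from any SMS firewall; the brand allowlist and all sample messages are constructed, with `.example` domains standing in for the lookalike hosts a real campaign would use.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Brands to watch and the domains they legitimately link to.
# Constructed allowlist for this example, not an authoritative source.
BRAND_DOMAINS: Dict[str, Tuple[str, ...]] = {
    "usps": ("usps.com", "usps.gov"),
    "dhl": ("dhl.com",),
}

# Matches links with or without a scheme. Good enough for the demo; a real
# filter would use a proper URL detector to avoid false hits on "word.Word".
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?",
    re.IGNORECASE,
)

# Constructed sample messages: two lookalike lures, one genuine, one unrelated.
SAMPLE_SMS = [
    "USPS: Your package is on hold due to an incomplete address. "
    "Confirm at https://usps-delivery.example/track?id=8821",
    "USPS: Your item is out for delivery. "
    "Track at https://tools.usps.com/go/TrackConfirmAction?tLabels=0000000000",
    "Reminder: dentist appointment tomorrow at 9am",
    "dhl: customs fee unpaid, pay now at dhl-customs.example/pay",
]


def extract_hosts(text: str) -> List[str]:
    """Hosts of every link-looking token in the message, scheme or not."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if "://" not in raw:
            raw = "http://" + raw          # so urlsplit treats the token as a netloc
        host = urlsplit(raw).hostname
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def host_belongs_to(host: str, allowed: Tuple[str, ...]) -> bool:
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage_sms(text: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'suspicious', 'clean' or 'no-link'."""
    hosts = extract_hosts(text)
    if not hosts:
        return ("no-link", [])
    lowered = text.lower()
    reasons = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in lowered:
            continue
        for host in hosts:
            if not host_belongs_to(host, allowed):
                reasons.append(f"mentions {brand} but links to {host}")
    return ("suspicious" if reasons else "clean", reasons)


def triage_all(messages: List[str]) -> List[str]:
    """Verdict per message, in order; convenient for a quick run over SAMPLE_SMS."""
    return [triage_sms(m)[0] for m in messages]


if __name__ == "__main__":
    for msg in SAMPLE_SMS:
        verdict, reasons = triage_sms(msg)
        print(f"{verdict:10} {msg[:60]!r} {reasons}")
```

The allowlist check is per brand, so a message that names the brand and links to a subdomain of its real domain stays clean, while a hyphenated or `.example` lookalike is flagged with the offending host recorded in `reasons` for a human reviewer.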


I periodically wonder how quickly this would end if the costs shifted to the telcos who currently see it as a profit center. Imagine if reporting a message got you an immediate $1 credit and they had to recover it from the network which originated the spam: how quickly would they be able to turn on egress filtering?


The fact that telcos are really party to these scams and for some reason aren't held accountable is amazing to me.


I think about that every time I get a call with a forged number. I remember when VoIP was coming on the market and people were warning about spoofing but telco executives apparently just blew that off because it’d slow sales.


About 7-8 years ago in France you’d get regular phone calls from actual humans running the same scam about a DHL or whatever packaging requiring duties to be paid. Plus the same SMS scams.

Americans are lucky in that they usually don’t have to buy from abroad and when they do, rarely is tax/duty payment required from the recipient (unlike many other parts of the world).


In Germany we get those phishing SMS too, but I think the US is probably worse off, as they get way more phishing calls (which I think are more effective) as scammers in Nigeria or India usually don't speak German or French...


Plenty of low-income Francophones in the world.


In 2019, when I landed in Hamburg, I got a scam SMS before the "Welcome to Germany"-SMS. IOW, the scammers managed to consume the "new arrival" event somehow, and send out their own scam. Tells a lot about how much the telcos actually care / are a part of these scams.


I don't get SMS but the amount of spam in my Gmail inbox about Swiss Post (I live here but am not native) is staggering.

Luckily they still look so lame it's trivial to spot them, and Gmail is doing a fine service filtering them right into spam.


RCS messaging being adopted on Android has meant that I now get added to spam group chats called "USPS" by some criminals impersonating the post office.


> We have found that the USPS is under attack from text scams

The core challenge of phishing attacks is that USPS is not, in fact, the primary victim of these attacks.

The victims are distributed citizens who fall for the scam. USPS doesn't have very many levers available to them to address the attacks (besides a warning on their site, which they have), but also doesn't 'feel' the impact so would have a hard time justifying substantial investment in addressing it.

Ultimately the solution needs to come from regulatory regimes that target fraud, particularly SMS message spam.


The USPS is empowered with a law enforcement branch to defend against attacks on the mail system.

The problem is usually that domestic law enforcement is powerless against international crime, which gets laundered by international utilities like DNS and IP routing/peering.


I get no spam, until I send something... then it's an avalanche for a few weeks, then they dry up until the next time I need DHL (or, indeed, any other carrier - €40 to send a registered letter, DHL priced themselves out of my budget).


Related from earlier this month:

USPS jumps to first place as most imitated brand in phishing attacks

https://news.ycombinator.com/item?id=39969527


I'm disappointed by how little protection we're getting against phishing campaigns. Google's SafeSearch takes forever to process stuff, where presumably very quick response times are much more effective, Fastmail, despite being great in general, is _terrible_ at detecting phishing, Booking.com met my report of a phishing campaign over their site (hotel got hacked) with a "it happens, we might talk to the hotel about it one day" shrug, and banks and other institutions continue to send legitimate messages that look like phishing.


> Booking.com met my report of a phishing campaign over their site (hotel got hacked) with a "it happens, we might talk to the hotel about it one day" shrug

This is my problem with almost every "report spam/fraud/etc" flow. It's always a digital shrug, and then nothing happens.

Only one site I know of ever had it right: Instagram, up to about 2021. When you reported an account or post, you would actually be notified when they took action, which would usually take about a week and be something like "the account was removed". It was so satisfying to see a spam account get taken down after a report. But, they removed that in favor of the "hey thanks for the report we've tossed it right in the trash lol" user flow that every other site uses. Unfortunate.


The problem with the feedback is scammers can abuse it - they report a few of their own scams and then use feedback to check on those and thus see what happened, and in turn they better know when they are blocked and have a better idea how to create new accounts that are hard to block.


Generally, I find the effectiveness of feedback is inversely proportional to the ease of submitting it.


> banks and other institutions continue to send legitimate messages that look like phishing.

The Canada Revenue Agency (tax collectors) once called me up about something. They literally said "To verify your identity, please give me your social insurance number". It's hard to blame people when actual government agencies are training people to be phished.


I ranted about something similar when it came how the US Internal Revenue Service was implementing authentication for their free-filing service.

They're training taxpayers to put in large amounts of extremely sensitive personal information into a third-party domain called "id.me". Even if you trust the private company, I think it's insane they didn't at least whitelabel the process through a *.irs.gov domain!

(For those curious, the .me TLD is run by the country of Montenegro. Control over DNS has some security implications for phishing and man in the middle attacks.)


Do business with businesses that have local offices. That way any time something needs verification or seems off, go into the business's building.


If you live in Canada you can't really opt out of doing business with the CRA.


When a Canadian gov agency calls, a good reverse verification method is to test their French.

« Êtes-vous une pamplemousse? »


Just curious, how did you confirm it was The Canada Revenue Agency and not scammers?


I logged into the CRA website and found something.


"Contact the suspicious person back through the official number or website" is always a good heuristic, especially since it works pretty well as advice for non-technical relatives.


Is detecting phishing all that straightforward? Banks, travel agents, and even governments are all terrible at avoiding the signalling of phishing.

Equifax had its entire response to its breach on a different domain, the kind of thing we tell people to watch out for.

https://www.equifaxsecurity2017.com/

This looks like phishing. But it is legitimate.


It is not straightforward, and it is complicated by a number of factors. The first would be bad "brand hygiene": If a company has dozens of legitimate domains across different TLDs, different providers and different geographical locations then it's already more complicated than just one canonical .com domain. If teams within the company are permitted to spin up their own domains (e.g. marketing campaigns, branch offices) then it gets 10x worse. Lastly if a legitimate brand frequently changes its appearance, it will be harder to pin down the true brand identity.

But even if you follow all of these best practices there are still powerful attack vectors. A threat actor could host their phishing page on an unrelated (compromised) domain with good domain reputation, in that case you wouldn't even know about that site until the first email or SMS hits your customers. Or the threat actor could use one of the many file-hosting or website services to create their site and host it on a shared third-party domain with perfect domain reputation (e.g. amazonaws.com).

And then there's incentive: It's not the companies that suffer financial losses, it is their customers. If you were talking about their employees being phished that would be a different story. Same thing for Google Safe Browsing: Their incentive is to protect against most of the obvious phishing, without any false positives, ever. If they are slow to detect something they won't suffer any losses. If they generate a false positive their Chrome browser might suffer significant reputational damage if a popular legitimate domain is blocked.


Vattenfall (a big Swedish energy company) had the same for a while. Their marketing created a website where you could log in as a user, on a completely different domain.

Most have been fixed but my current pet peeve is receiving email newsletters from these companies with tracking links. I get it, you're trying to measure something. But they're genuinely sending you links like sx4pv.mjt.lu/lnk/EEEAAAA-3434-asdfasdfasdf


Even tech companies do this wrong. GitHub had its upcoming/beta features on githubnext.com and even sent out auth related e-mails from there. I wanted to test their new features but when I got the email I lost my faith in them and opted not to.


DHL sent me a shipment tracking email from "dhlecommerce.co.uk" the other day. I almost deleted it, but then I remembered I was actually waiting for a package.

This is a huge issue and it seems like we've just given up on it. There used to be EV SSL certs, but they are essentially dead now. There's BIMI for email, but support is mixed, and only partly addresses the issue.


Indeed. They haven't learned their lesson.

AT&T finally copped to an enormous breach this month. In their notification to individuals (sorry, sign up for identity protection, etc), they made sure to let you know official email always comes from: att@message.att-mail.com

...an email address and subdomain that have never contacted me before on a sketchy sounding domain that doesn't match the service (hosted at https://att.com). The email links to experianidworks.com which asks for email, address, and SSN upon clicking the CTA.


Reminds me of the fake police station in Do Androids Dream of Electric Sheep [1]. In order to keep up the pretense for three years, the androids have to take crime reports, do paperwork, and arrest perpetrators. In other words, they have to run an actual real police station. So perhaps the fake USPS sites should just start delivering the post!

[1] https://en.wikipedia.org/wiki/Do_Androids_Dream_of_Electric_...


Try posting on a relatively popular cryptocurrency Telegram group and you will receive a lot of messages and calls within 30 minutes.


Why don't DNS providers offer anti-malicious-URL protection?



It might not change anything, but I think the criminal penalties for scams need to be significantly raised.

The idea of reaching out to someone you don't know at all and attempting to steal their money by lying and betraying their confidence is morally disgusting. The type of people who can do this hundreds or thousands of times a day are criminals of the worst and least redeemable kind, yet if caught they would likely face a smaller penalty than someone who steals a single piece of jewelry from a store.

We are slowly losing our ability to trust each other because of the prevalence of scams which adds massive transaction costs to every legitimate exchange. These costs are unseen but they make almost everything we buy slower and more expensive.


Increasing penalties has much less effect on crime than increasing the likelihood of them getting caught. If there is a slim chance of them getting caught it doesn't matter what the penalty is because they will do it anyway.


Indeed. Moral depravity is supposedly modeled by law. There is an uncanny overlap of scammers and normal economic activity though. That needs to change.



