Hundreds of people across the Balkans have been targeted in an apparently coordinated SMS phishing scam based on fake postal delivery notifications. The perpetrators have yet to be identified and there is no sign of a regional response.
BIRN identified a number of cases in which, like Djokic, the victims really were expecting packages, making it more likely they would fall for the fraud.
Many cases probably not reported
Serbia’s electronic communications and postal regulator, CERT, says phishing is one of the top five forms of cyber-attack, with cases rising rapidly from some 17,000 in 2021 to more than 63,000 in 2023.
Phishing messages purportedly from delivery services are also on the rise. CERT said 306 such cases had been reported in 2023. “These are incidents related to the alleged impossibility of delivering packages due to the incomplete address data of citizens,” the regulator told BIRN.
A message claiming a package delivery could not be fulfilled due to incomplete address information:
“(JP Pošta Srbije [Post of Serbia]) Your package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address on the following link. https://807926162.postars.site/87dZtK/ (Copy the link and open it in Safari browser to get the latest logistics status)”
CERT has been warning about such scams since 2021, but authorities only began investigating in late 2023.
Digital rights expert Nevena Ruzic said public institutions were often too slow in telling the public they had come under cyber-attack. When state-owned power utility Elektroprivreda Srbije, EPS, and the cadastral authority suffered data leaks, the public only found out from media reports. Ruzic said public bodies often prefer to say nothing unless forced to respond.
“They [EPS and the cadastral authority] didn’t go public until there was a lot of fanfare,” she told BIRN, “as if it was a mantra to stay quiet”.
In response to the delivery service phishing, Post of Serbia suspended standard delivery notification via SMS and produced an app that it says will improve communication with customers.
In an anonymous BIRN survey conducted in June in Serbia, Bosnia and North Macedonia, most of the almost 70 respondents reported receiving phishing messages on multiple occasions.
According to media reports, such scams have cost their victims significant sums, in one case roughly 2,000 euros.
The High Tech Crime Prosecution Office in Serbia has received hundreds of criminal reports concerning fraudulent messages; the real number of victims, however, is likely far higher due to underreporting.
Two cases are currently under investigation, one in 2023 involving messages claiming to be from the Serbian post office and another, this year, purportedly on behalf of the package delivery giant DHL.
“In the case of DHL, one person was uncovered and is connected to several persons from abroad, so the procedure for providing international legal assistance is currently being worked on,” said Boris Majlat, a Serbian high-tech crime prosecutor. He specified, however, that the individual is not yet officially a suspect.
“In the case of Post of Serbia, the Service for Combating High-Tech Crime’s report has not been submitted to date,” he added.
DHL did not respond to a request for comment. Nor did the state postal services of Serbia, North Macedonia and Bosnia.
Press release from Post of North Macedonia in February 2024 announcing that its company name had been misused: “Citizens currently are receiving messages that contain false contents informing them about deliveries that have arrived and inviting them to confirm their address via a link that is offered,” it said. Screenshot: www.posta.com.mk
No regional response
In North Macedonia, the National Centre for Response to Computer Incidents, MKD-CIRT, has received over 100 reports of SMS scams so far this year and blocked a number of related websites.
The public prosecution in North Macedonia said it does not keep any separate records on delivery-related SMS scams, saying they fall under the broader fraud category. It directed BIRN to the interior ministry for questions regarding the number of cases under investigation or resulting in charges. The ministry did not respond.
Police and prosecutors in Bosnia also did not reply.
Authorities and postal services across the region have warned the public not to reply to text messages asking for personal data or bank details.
Despite the apparent regional nature of the scams, the public prosecution in Serbia said it was not collaborating with prosecutors in any other affected country.
“It is possible to establish cooperation only if there are facts that indicate that the perpetrators are the same [even if they are unknown],” said Majlat. “It is possible to carry out such a check through Interpol, but so far no country from the region has approached us with such a request.”
“It is not possible to assert with any certainty that it is one or more related persons who in this way commit a criminal offence to the detriment of citizens’ property, or if they are completely different perpetrators,” he told BIRN.
Asked if there was any suspicion that it might be a case of international fraud, Majlat said not yet, “because no one has been identified”.
He also said it was likely that many victims do not file complaints. Djokic didn’t, despite her bank saying she should.
“They advised us to report it to the police, but since we weren’t affected we didn’t,” she said.
As a response to targeted phishing attempts, Post of Serbia suspended SMS notifications and launched an app. “The Post of Serbia mobile app represents a major step forward in enhancing services… In addition to existing features such as scheduling couriers, tracking shipments and price calculators, users will be able to avoid the scams, fraudulent texts and Viber messages they have been exposed to in recent times,” Post of Serbia said in a statement. Screenshot: play.google.com
Victims targeted, or picked at random?
Unlike Djokic, Jasna, who asked to be identified only by her first name, did go to the authorities.
It started in December last year she tried to help a colleague from the United States who was unable to open a message about a package and forwarded it to Jasna, who clinked on the link.
After entering the recipient’s details, Jasna was prompted to pay a storage fee of 32.93 dinars, roughly 25 euro cents. “I entered my card details and shortly after I received notification that about 67,000 dinars [around 570 euros] had been taken from my account,” she told BIRN.
Jasna immediately contacted her bank and blocked her card. She reported the case to the Serbian postal service, which directed her to CERT and the High-Tech Crime Prosecutor’s Office.
Seven months later, in July, Jasna said she had not received any update on the progress of her complaint or the necessary documentation she requested from the prosecution for her insurance claim.
In Djokic’s case, the parcel she was expecting from Japan arrived the day after the fraudsters struck.
This, she said, “led us to the conclusion that the people who send those messages may have insight into the data of the Serbian post office and that they are targeting people who are expecting shipments”.
But Ruzic, the digital rights expert, said victims were more likely found at random.
“I would say that there is a machine behind it, some generated numbers, because these mass frauds are not about attacking individuals; they do not target personally, but anyone,” she told BIRN, noting that the phone numbers used are listed in public registries.
“Our phone numbers are available in the registry; according to the laws on electronic communications, every fixed and mobile phone operator is obliged to have a subscriber registry and a person can be omitted on request.”
Majlat, the prosecutor, also dismissed the idea of data having been leaked from the postal service or other delivery services, saying most of the victims were not expected parcels.
He said it was impossible to say precisely how many people have fallen victim to such scams given those who were defrauded of a few hundred dinars may not have bothering reporting it.
Azem Kurtic in Sarajevo and Sinisa Jakov Marusic in Skopje contributed reporting to this story.