Cybersecurity researchers find that fake USPS phishing sites account for at least as much internet traffic as the Postal Service itself
A recent paper by cybersecurity-focused firm Akamai has found that queries to suspicious domains impersonating the US Postal Service accounted for nearly as much internet traffic as those to the actual USPS in a four-month span between 2023 and ’24. The firm’s conservative criteria for avoiding false positives, meanwhile, might mean that traffic to phishing sites was in fact far greater than traffic to the real Postal Service.
Akamai collected one dataset of domains containing malicious JavaScript and HTML code with “usps” featured somewhere in the address, and a second set of domains with “usps” in the address that led somewhere other than the Postal Service’s official IP range. Akamai’s researchers noted that this method actually excluded a large number of potentially suspicious domains in the interest of avoiding false positives.
“Our harsh parameters meant that we were exceedingly conservative with our analysis,” the paper explains. “Even so, we saw an extraordinary amount of malicious traffic, which makes the true impact of these impersonations astonishing.
“We could have definitely collected appreciably more malicious domains that impersonate the USPS, but it was critical that we avoided including false positives in this dataset.”
Over the sample period between October 2023 and February 2024, Akamai observed about 1.13 million queries to its dataset of suspicious domains, just shy of the 1.18 million that went to the official USPS website. In some weeks over the holidays, the suspicious traffic actually vastly exceeded the legitimate queries, suggesting that the holiday season is a busy time for bad actors trying to take advantage of anxious gift givers.
“Although the USPS won with 51% of the total queries for this 5-month period in this analysis,” Akamai’s researchers write, “the way we filtered the data suggests that the malicious traffic significantly outweighs the legitimate traffic in the real world.”
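As an added illustration (not Akamai's code), the second filter described above, names containing "usps" that resolve outside the official range, can be sketched in Python over a resolver log. The log records, the reserved test domain names and the 192.0.2.0/24 stand-in for the official USPS range are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: placeholder for the official USPS IP range, which the article
# does not give (192.0.2.0/24 is reserved for documentation).
OFFICIAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample resolver log: (queried name, answer IP or None, queries).
SAMPLE_LOG = [
    ("www.usps.example.", "192.0.2.10", 1180),      # inside the official range
    ("USPS-redelivery.test", "203.0.113.7", 640),   # look-alike, outside range
    ("track.usps.parcel.test", "198.51.100.23", 490),
    ("campuspsych.test", "198.51.100.80", 12),      # "usps" by coincidence
    ("usps-help.test", None, 55),                   # NXDOMAIN, no answer
    ("parcel-updates.test", "203.0.113.9", 300),    # no "usps" in the name
]

def classify(name, answer):
    """Return 'official', 'suspicious' or 'excluded' for one log record."""
    name = name.rstrip(".").lower()        # normalise case and trailing dot
    if "usps" not in name:
        return "excluded"
    if answer is None:
        return "excluded"  # no answer: nothing to compare against the range
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "excluded"  # malformed answer: leave it out, stay conservative
    if any(ip in net for net in OFFICIAL_NETS):
        return "official"
    # The bare substring rule also lands here for coincidental matches such
    # as "campuspsych"; a real pipeline needs extra vetting to drop those.
    return "suspicious"

def tally(log):
    """Sum query counts per class."""
    counts = Counter()
    for name, answer, queries in log:
        counts[classify(name, answer)] += queries
    return counts

def official_share(counts):
    """Official queries as a fraction of official plus suspicious queries."""
    total = counts["official"] + counts["suspicious"]
    return counts["official"] / total if total else 0.0

if __name__ == "__main__":
    c = tally(SAMPLE_LOG)
    print(dict(c), f"official share: {official_share(c):.0%}")
```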
And that’s just USPS: what about the likely volume of fraudulent traffic impersonating DHL, FedEx, and a myriad other private or state-run parcel delivery services? Forget about package delivery: so much of internet traffic now consists of mass-add WhatsApp Bitcoin chats, “Hello Dear” cold messages, and the infamous “[redacted for public decency] IN BIO” accounts of recent Twitter fame. Those undersea fiber optic cables are absolutely straining under the weight of all this pointless, malicious spam.