Scammers Exploit Canada Post Strike with Fraud Campaigns

Canadians are facing a surge in scams as fraudsters exploit confusion around the Canada Post strike to target individuals with phishing, smishing, and deepfake scams. And that's on top of the supply chain disruptions the strike itself has caused.

According to Octavia Howell, CISO at Equifax Canada, there has been an "exponential" rise in fraud attempts, particularly during the strike and the busy holiday season. These scams have ranged from fake package delivery notifications to highly convincing deepfake phone calls designed to steal personal and financial information.

It has now been three weeks since the nationwide mail strike, which started November 15 after year-long negotiations between Canada Post and the Canadian Union of Postal Workers (CUPW) failed and 55,000 postal workers traded their delivery vehicles for picket signs.

The latest scams to hit Canada Post users include:

1. Phishing and smishing campaigns: Scammers are sending fraudulent emails and text messages that mimic official Canada Post communications. Common tactics include claims of "missing address" issues or requests for payment to release packages. These messages often link to fake websites designed to harvest personal information or request small payment fees that expose victims' financial details.

2. Deepfake fraud: Advanced deepfake technology is being used to create realistic voice and video calls impersonating authority figures. Victims may receive a fake call from what seems like a Canada Post representative, pressuring them to resolve package delivery issues or provide sensitive information. Deepfakes make it harder to distinguish real from fake, increasing their success rate.

3. Priority delivery scams: Scammers are posing as courier services offering expedited package delivery for a fee. These fraudulent schemes capitalize on holiday shipping stress and confusion caused by strike delays.

"The Canada Post strike has created ideal conditions for scammers to exploit confusion and urgency," said Kern Smith, Vice President, Americas, at Zimperium. "Mishing (mobile phishing) campaigns have surged, with fraudulent messages mimicking official package delivery communications to trick individuals into clicking malicious links or providing sensitive information. These types of attacks thrive during disruptions, particularly in high-pressure periods like the holiday season."

"The use of deepfake technology in these scams adds another layer of sophistication," Smith added. "Scammers are leveraging advanced voice and video manipulation to impersonate authority figures, making it increasingly difficult for victims to discern legitimate requests from fraudulent ones. This evolution in tactics highlights the growing need for heightened vigilance."

The Canada Post strike has disrupted mail and package delivery services nationwide, creating ideal conditions for fraudsters to thrive. Combined with the holiday shopping season, when online orders and package tracking are at an all-time high, Canadians are more likely to fall victim to these scams. Equifax has reported up to 87 fraud cases from the same IP addresses in a single day—an alarming increase compared to prior weeks.

Consumers are encouraged to follow basic protocols to avoid becoming victims of these bad actors:

• Verify communications: Canada Post does not send unsolicited text messages or emails about deliveries unless requested. If you receive such a message, avoid clicking links or providing personal information. Instead, contact Canada Post directly at their official customer service line.

• Look for red flags: Scams often include poor grammar, unusual tracking numbers, or non-standard website URLs. These details can indicate fraudulent activity.

• Guard against deepfakes: Be cautious of calls requesting sensitive information. Signs of deepfakes include slightly unnatural speech patterns or inconsistencies in video or audio quality. Always verify the legitimacy of requests through official channels.

• Report suspicious activity: Notify the Canadian Anti-Fraud Centre (CAFC) of any suspected scams. This helps authorities track and respond to these evolving threats. The CAFC is Canada's national anti-fraud call center and central fraud data repository. It collects information and criminal intelligence on matters such as mass marketing fraud, advance fee fraud, internet fraud, and identity theft complaints.

• Monitor your accounts: Check bank and credit card statements regularly for unauthorized transactions. If you suspect fraud, report it immediately to your financial institution.

"Individuals are more susceptible to social engineering manipulation when they are pressed for urgent action. The Canada Post has a public website describing what it will and will not communicate to customers by text and phone," said Jason Soroko, Senior Fellow at Sectigo. "This makes decision making by customers clearer than having to guess whether a text message or a deepfake voice on the phone demanding money is from Canada Post or not. Ideally, this messaging should be broadcast more than it is."

Here's the notice Canada Post has on its website regarding the strike: "The Canadian Union of Postal Workers (CUPW) has started a national strike. Canada Post's operations will be shut down for the duration of a national strike. Customers will experience delays."

According to a Global News report: "The ongoing Canada Post strike is having a significant impact on Canadian businesses during the busy holiday shopping season, costing firms at least $76.6 million per day, according to the Canadian Federation of Independent Business. After 17 days of a nationwide Canada Post strike, small- and medium-sized businesses have lost out on an estimated $765 million in earnings, CFIB said in a statement on Monday."

From the Financial Post: "The Canada Post strike, now in its third week, is set to cost Canada's small- and medium-sized businesses more than $1 billion by Wednesday, according to the Canadian Federation of Independent Business (CFIB). The prolonged labour dispute, which began on Nov. 15, has paralyzed operations at the Crown corporation, disrupting supply chains and dealing a significant blow to small businesses during the critical holiday season."

According to the Financial Post article:

"... the Canadian Chamber of Commerce... sent an open letter to Labour Minister Steven MacKinnon and Public Services and Procurement Minister Jean-Yves Duclos last Friday. The chamber warned that the strike is yet another blow to Canadian supply chains, which have already been battered by recent port and rail disruptions, and highlighted its significant impact on e-commerce businesses that rely on holiday revenue.

Mediation efforts between Canada Post and the CUPW broke down last week, with federal mediators suspending talks indefinitely. Labour Minister MacKinnon has ruled out binding arbitration for now, emphasizing that the parties themselves must resolve the impasse."

One last bit of advice from a cybersecurity vendor expert:

"The timing of these fraudulent campaigns targeting Canada Post users during a strike and holiday season shows how threat actors skillfully exploit real-world events to maximize their success rates. They're using sophisticated methods like deepfakes to impersonate authority figures, which can be particularly convincing," said Stephen Kowski, Field CTO at SlashNext Email Security+. "Always take a moment to verify any unusual requests for personal information or payments through official channels, even if it seems like it's from a trusted source. Remember, a bit of skepticism can go a long way in protecting yourself from becoming a victim of these increasingly clever scams."