The full story is available here [may be paywalled].

The gist is that cybercriminals are sending e-mails that pose as the United States Postal Service and say that you missed a delivery. You didn’t. Clicking the “linked invoice,” which you are then supposed to present at your local post office, takes you to a ZIP file that, when opened, installs malware on your computer.

Be safe! Don’t open e-mails (or attachments) if you are not expecting a package. If you are unsure, print the e-mail and take it to your local post office (or show them the e-mail from your phone or mobile device) and they will help you.