Akankasha Dewan 28 October 2020 18:41:39 AEDT 5 MIN READ

Another package delivery scam: Phishing email impersonating New Zealand Post asks users to pay custom duty

MailGuard has intercepted a phishing email impersonating New Zealand Post (NZP), New Zealand’s national postal service.

Titled “your package is still awaiting confirmation”, the email uses the display name “New Zealand Post. ST” and includes NZP’s logo. However, the email address in the “From:” field doesn’t use a domain belonging to NZP. The email actually originates from a domain registration and hosting company. It informs recipients that their package could not be delivered as “no customs duty has been paid”, and includes details related to a package delivery, like when the package was scheduled to be delivered and payment reference number. The email also warns recipients that if “package is not received within 30 days”, NZP would “claim a deduction compensation of 0.49 NZD for each day of detention” – a warning likely included to cause panic among recipients and motivate them into taking quick action. Recipients are asked “to confirm the sending” of their package via a link, and the email ends with a sign-off from “New Zealand Post customer service”, along with a disclaimer that it is an auto-generated email.

Here’s what the email looks like:

New Zealand Post


Recipients who click on the link are led to a page employing NZP’s logo, along with that belonging to Windcave, a payment gateway service. Titled “Payment Checkout”, the page asks for users’ credit card details in order to proceed with the payment, likely the customs duty fee. Interestingly, while the domain used in the page’s URL doesn’t belong to NZP, it does begin with the letters “nzpo”, and could be mistaken for a page legitimately belonging to NZP. The page is actually hosted on a newly-registered domain that appears to used specifically for this phish.

Here is what the page looks like:

 NZP 2

Once users input their credit card details and submit the above form, the attacker harvests those details for later use, and the user is met with a page asking for a verification code.

Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click them.

Well-known companies such as New Zealand Post are popular targets for scammers to impersonate because they are trusted names with large customer bases. With the recent spike in online shopping, triggered by the closure of many physical stores due to the COVID-19 pandemic, it is not uncommon to receive notifications related to package deliveries like these. At MailGuard, we regularly intercept parcel delivery scams like this one intercepting DHL, and this one involving Australia Post.

In this case, cybercriminals are preying on the curiosity of NZP customers who may actually think a package has not been delivered because "custom duty has not been paid". This motivates them to enter their confidential financial details without hesitating.

Here are some techniques that cybercriminals behind this scam have employed to trick users:

  • The use of a display name like “New Zealand Post” along with the mention of several package tracking details (like payment reference number). These are common elements of notifications belonging to well-established organisations like NZP, boosting the email’s credibility,
  • An alarming subject & body; informing recipients that their package “could not be delivered” in an email titled “Your package is still awaiting confirmation” creates a sense of curiosity and urgency, motivating users to take action immediately without checking on the email’s authenticity, and
  • Incorporating NZP’s logo in the email and in the phishing pages. This helps to convince users that those pages actually belong to NZP.

Despite these techniques, recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly, and that the email is phrased clumsily.

NZP lists the following scam-related advice on its security page:

“Many scams look genuine and sometimes it is hard to tell that they are fake. If you are not sure, do not respond or click on links in messages. If you think you have been a target of a scam contact Netsafe’s ‘The Orb’ immediately. If you believe the scam involves New Zealand Post in any way please contact us and let us know.”

Another parcel delivery scam?

Fake parcel email scams are a favourite of cybercriminals. We all love getting something (aside from a bill) in the mail, and with online shopping more popular than ever, it’s sometimes hard to keep track of what parcels we’re expecting.The criminals behind this scam prey on people’s busy lives and curiosity.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates