Akankasha Dewan 02 December 2020 14:36:01 AEDT 5 MIN READ

Another parcel delivery scam: Phishing email spoofing DHL hits inboxes amid the year-end shopping season

MailGuard has intercepted a phishing email scam purporting to be from popular shipping company, DHL.

Titled “Your package will be sent within 48 hours” the email masquerades as a notification from “DHL Customer Care” and includes the company’s branding & logo. However, the email actually originates from a third-party email server.

The email body informs users to complete payment of their shipping fee in order to receive a package. A link is provided for them to do so, along with an “expected delivery date” of the parcel.

Here’s what the email looks like:




Unsuspecting recipients who click on the link to “Pay Now” are led to an intermediary site, before being redirected to a fraudulent DHL-branded page containing an “Important Message” and a web form that changes after users click "next". This message informs users to confirm payment “within the next 14 days” in order to complete the delivery as soon as possible. Users are asked to insert various details in the web form, including their credit card information, names, addresses and finally, a verification code as per the below:





As you can see, this page employs DHL’s branding & logo, including details related to the status of the parcel delivery, along with a tracking code. The domain used in the URL of this page, however, does not belong to the shipping company. It's actually a phishing page hosted on a compromised website and is designed to harvest the above-mentioned credentials of users.

We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

Well-known companies such as Australia Post, FedEx and DHL are popular targets for scammers to impersonate because they are trusted names with large customer bases. Most recently, MailGuard reported two similar DHL scams in September and October this year.

The timing of this scam is particularly opportunistic. The year-end shopping season is in full swing, with mega shopping events like Black Friday & Cyber Monday resulting in many people shopping online to take advantage of lucrative deals & sales. In addition, with Christmas and New Year approaching, this is the busiest part of the year for shopping & parcel delivery. Scammers know that receiving notifications related to parcel delivery isn't likely to be unusual in this period, and hence use lures like these to trick users. We’re all eager to get our shopping on time, so we might not think twice before clicking a link in parcel-delivery notifications.

In this particular case, cybercriminals are preying on the curiosity of DHL customers who may think a ‘package’ is actually on its way. This motivates them to enter their personal details without hesitating. Here are some techniques that cybercriminals behind this scam have employed to trick users:

  • the inclusion of specific details, like expected package delivery date and a tracking code, suggests the email is sent from an official source belonging to DHL, boosting its credibility,
  • the use of a subject like “Your package will be sent within 48 hours” and an “important message” informing them that the link to confirm payment will expire in 14 days. This intrigues and motivates users to take immediate action if they wish to receive their package. Cybercriminals behind this scam hope in their excitement to retrieve their package, recipients don’t pause to check for the legitimacy of the email and,
  • the presence of security features like a verification code, to confirm payment. These features are commonly present in notifications from well-established companies like DHL, further convincing users that those pages actually belong to DHL.

Despite these techniques, several red flags are present in the email that should alert users of its illegitimacy. These include the fact that the recipient isn't addressed directly in the email, and that it contains spacing & grammatical errors, like "05 December the end of the working day". 

We all love getting something (aside from a bill) in the mail, and with online shopping more popular than ever (especially since the COVID-19 pandemic), it’s sometimes hard to keep track of what parcels we’re expecting. Cybercriminals know this, and often prey on people’s busy lives and curiosity trick them.

DHL advises users to report any suspicious emails or activity to its dedicated Anti-Abuse Mailbox at phishing-dpdhl@dhl.com. More details can be found here.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates