MailGuard has intercepted a new phishing campaign impersonating Australia Post, using a simple HTML email and a single “Click Here” link to lure recipients into a multi-step credential and payment capture flow.
The objective is clear: prompt the recipient to “fix” a delivery issue, then pressure them into entering card details, a mobile number, and a one-time passcode (OTP). Even though the dollar value is small, the risk is not. These scams are built to harvest payment details and authentication codes that can be reused for fraud.
What the scam looks like
The message we observed uses the subject line: “Parcel Awaiting Instructions”
The sender information is also a strong indicator it is not legitimate:
- Display Name: ausponline_2_asi
- Display Address: ausponline_2_asi@csskundapi.com
- Sending Address: ausponline_2_asi@csskundapi.com
In the email body, the recipient is told a delivery attempt failed due to an “Incomplete delivery address” and is asked to pay a small fee, 1.99 AUD, via a “Click Here” link.

How the scam works
Based on analysis from the MailGuard operations team and the captured screens, this campaign follows a straightforward, high-conversion flow:
Step 1, Delivery failure prompt
The recipient is presented with a delivery failure message and asked to pay a small “shipping fee” to resolve the issue. The low amount is deliberate: it feels plausible, it lowers suspicion, and it encourages fast action.

Step 2, Fake Australia Post “parcel details” page
Clicking through takes the victim to a lookalike page branded as Australia Post showing “Parcel details”, including a fee of 1.99 AUD and a prominent payment button. The page we captured was hosted on a non-Australia Post domain, another major red flag.

Step 3, Payment card harvest
The next screen requests credit or debit card details and a phone number, presented in a pop-up that mimics a card payment flow. This is where financial theft begins.

Step 4, OTP capture
A final screen requests a confirmation code, “the code sent to your phone number”. OTP capture is particularly dangerous because it can enable criminals to bypass security controls in real time, including bank authentication, card verification, or account takeover protections.

What to watch for
This campaign includes several signals that should immediately raise suspicion:
- A sender address that does not match the organisation being impersonated (in this case, @csskundapi(dot)com).
- Generic language and minimal personalisation, for example “Hello,” rather than your name.
- Pressure to act quickly to “fix” a delivery issue.
- Requests for card details, mobile number, then an OTP, all within the same flow.
- A destination website that is not the legitimate Australia Post domain.
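The signals above can be checked mechanically when a reported message is triaged. The following is an added example, not MailGuard's detection logic: a Python check that parses a message and returns which of the listed warning signs it shows. Only the subject and sender come from this article; the `auspost.com.au` allow-list, the message body and the `parcel-fix.example` link host are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains treated as genuine Australia Post; replace with your allow-list.
BRAND_DOMAINS = {"auspost.com.au"}
BRAND_WORDS = re.compile(r"australia\s*post|auspost|ausponline", re.I)

# Constructed sample: subject and sender are from the article, body and URL are invented.
SAMPLE = '''From: ausponline_2_asi <ausponline_2_asi@csskundapi.com>
Subject: Parcel Awaiting Instructions
Content-Type: text/html

<p>Hello,</p>
<p>Your Australia Post delivery attempt failed: Incomplete delivery address.
Pay 1.99 AUD to reschedule. <a href="https://parcel-fix.example/pay">Click Here</a></p>
'''

def on_brand(host):
    """True only for the brand domain itself or a true subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def signals(raw):
    """Return the warning signs from the article that a single-part message shows."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip, enough for triage
    hits = []
    claims_brand = BRAND_WORDS.search(" ".join([name, addr, msg.get("Subject", ""), text]))
    # Sender address does not match the organisation being impersonated.
    if claims_brand and not on_brand(addr.rpartition("@")[2]):
        hits.append("sender_domain_mismatch")
    # Generic greeting with no recipient name.
    if re.match(r"\s*(hello|hi|dear customer)\s*,", text, re.I):
        hits.append("generic_greeting")
    # Small fee requested to "fix" a delivery issue.
    if re.search(r"\b\d+\.\d{2}\s*AUD\b", text) and re.search(r"deliver", text, re.I):
        hits.append("small_fee_delivery_fix")
    # Link destination is not on the legitimate brand domain.
    found = (urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', body, re.I))
    if claims_brand and any(not on_brand(h) for h in found if h):
        hits.append("link_off_brand_domain")
    return hits
```

The suffix check in `on_brand` requires a leading dot, so a lookalike such as `evil-auspost.com.au` is not treated as genuine.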
What to do if a user clicked
If someone in your organisation clicked the link or entered details, treat it as a potential incident:
- Have the user contact their bank immediately if card details were submitted.
- Reset passwords for any accounts that reuse similar credentials, and review MFA settings.
- Review mail and web logs for related click activity across the business.
- Report the email internally so IT or your security partner can block related indicators and warn other users.
Why this matters for businesses
Delivery-themed lures work because they blend into everyday operations, invoices, shipments, procurement, and personal deliveries that often reach corporate inboxes. The “small fee” tactic increases conversion, and the addition of OTP capture suggests an intent to defeat real-time protections, not just collect card numbers.
MailGuard continues to monitor and intercept these campaigns as they evolve, helping reduce the likelihood that staff ever need to make a judgement call on a high-pressure message.
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
- Aren’t addressed to you personally.
- Are unexpected and urge immediate action.
- Contain poor grammar or miss crucial identifying details.
- Direct you to a suspicious URL that isn’t associated with the genuine company.
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One Email Is All That It Takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.




