Parcel delivery scams are popular with cybercriminals, and MailGuard has uncovered a new phishing campaign impersonating Australia Post, that uses a fake redelivery notice to harvest personal information and credit card details.
The email claims that a courier attempted to deliver an order, but no one was available at the address provided. It warns that Australia Post requires the recipient to confirm a new delivery time, and that without confirmation within 24 hours, the shipment will be returned to the sender.
What the Email Looks Like
The message, shown below, includes a red button labelled “Arrange Redelivery.”
While the email attempts to impersonate Australia Post branding, it is not legitimate. The campaign has been observed being sent from unique Hotmail and Outlook addresses using personal names, such as “Kobe Marin”, rather than from an official Australia Post domain.
Example phishing content shown using AusPost branding. Not affiliated with AusPost.
How The Scam Works
The email is an HTML message containing a Google sharing link that redirects to a phishing website.
Example phishing content shown using AusPost branding. Not affiliated with AusPost.
After clicking the link, recipients are first taken to a fake Australia Post-branded “Verify you’re human” page. The page asks users to “tap and hold” a button to proceed, creating the impression of a simple security check.
Example phishing content shown using AusPost branding. Not affiliated with AusPost.
The next page presents a fake delivery scheduling interface. Recipients are asked to select a new delivery date and time, with available time slots shown across Saturday 20 June 2026 and Sunday 21 June 2026.
Example phishing content shown using AusPost branding. Not affiliated with AusPost.
Once a time slot is selected, the site asks for delivery information, including:
-
First name
-
Last name
-
Phone number
-
Date of birth
-
Address
-
City
-
Postcode
The page also displays a rescheduling fee of $10.60 AUD.
Example phishing content shown using AusPost branding. Not affiliated with AusPost.
The next stage requests payment card details, including cardholder name, card number, expiry date, and CVV. The payment page again shows a $10.60 AUD fee and presents the transaction as a payment required to confirm the reschedule.
Example phishing content shown using AusPost branding. Not affiliated with AusPost.
The scam also includes a fake “3D Secure Verified” payment verification page, which appears to connect to the victim’s bank while displaying the transaction amount and merchant as Australia Post.
Example phishing content shown using AusPost branding. Not affiliated with AusPost.
The final page is a confirmation page, which then redirects to the legitimate Australia Post website. This final redirect is designed to make the interaction appear authentic after the victim has already submitted personal and financial information.
Why This Campaign Is Concerning
Parcel delivery scams remain effective because they exploit a familiar and routine moment in everyday life.
Many people are used to receiving delivery notifications, missed delivery notices, parcel updates, and requests to reschedule deliveries. This campaign uses that familiarity to create urgency without appearing overly dramatic.
The warning that the parcel may be returned to sender within 24 hours adds time pressure, while the small $10.60 AUD fee may seem low enough to avoid close scrutiny.
That combination is dangerous.
A small payment request can be used to collect full card details, while the surrounding delivery form collects enough personal information to support further fraud, identity theft, or targeted scams.
For businesses, these campaigns are also a workforce risk. Employees receiving personal delivery notifications during the workday may click quickly, particularly if the message appears routine and low value.
Warning Signs to Watch For
There are several warning signs in this campaign:
-
The email is not sent from an official Australia Post domain.
-
The sender address uses a personal Hotmail or Outlook account.
-
The email asks the recipient to click a button to arrange redelivery.
-
The link redirects through a Google sharing link to a phishing website.
-
The website is not hosted on the legitimate Australia Post domain.
-
The site requests personal information and credit card details.
-
The payment request is framed as a small redelivery or rescheduling fee.
The final page redirects to the legitimate Australia Post website to make the process appear genuine.Recipients should never enter personal or payment details through links in unexpected delivery emails. Instead, they should visit the official Australia Post website or app directly and use the official tracking number provided by the sender or retailer.
This campaign is a reminder that phishing does not always rely on complex technical deception. Often, it relies on routine behaviour.
A missed delivery. A small fee. A familiar brand. A quick form. A payment page that looks secure.
Each step appears ordinary in isolation, but together they create a pathway for scammers to collect personal and financial information.
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
- Aren’t addressed to you personally.
- Are unexpected and urge immediate action.
- Contain poor grammar or miss crucial identifying details.
- Direct you to a suspicious URL that isn’t associated with the genuine company.
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
One Email Is All That It Takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.
