Akankasha Dewan 09 June 2021 17:19:46 AEST 5 MIN READ

Don’t be fooled by this DHL-themed phishing email claiming ‘you have a package pending delivery in Terminal 1’

MailGuard has intercepted another phishing email that impersonates popular shipping company DHL, masquerading as a delivery alert in order to trick users.

Titled ‘Package tracking’, the email uses a display name of ‘DHL express’ and contains a package tracking code. The shipping company's logo is also included. However, the domain used in the sender address provided in the email’s ‘From:’ field doesn’t belong to DHL. The email actually originates from a potentially compromised domain.

The email body informs recipients that they have a ‘package pending delivery in Terminal 1’. Users are directed to pay a shipping fee within 48 hours in order to complete delivery. There are extra characters in both the subject and body of the email – likely included in an attempt to bypass spam detection.

Here’s what the email looks like:



Unsuspecting recipients who click on the link are led to an intermediary page that automatically redirects them to multiple pages employing DHL’s logo and branding. These pages ask users to insert various details, including their names, addresses and credit card information, as per the below screenshots:





As you can see, these pages are designed to look like official pages belonging to DHL, complete with support links purporting to be from the company. However, the domains used in the URLs of these pages do not belong to the shipping company. These are actually phishing pages hosted on a domain that appears to have been set up specifically for phishing purposes.

Once users submit all the information required by these pages, the attacker harvests it for later use, and users are met with a prompt asking for a code that has been sent to them, supposedly by their bank, as per the below:


We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

Well-known companies such as Australia Post, FedEx and DHL are popular targets for scammers to impersonate because they are trusted names with large customer bases. Most recently, MailGuard reported a similar DHL-themed email scam at the end of May.

The timing of this scam is particularly opportunistic. With the End of Financial Year (EOFY) approaching, many users will be shopping online to take advantage of lucrative deals & sales. This is one of the busiest parts of the year for shopping & parcel delivery. Scammers know that receiving notifications related to parcel delivery isn't likely to be unusual in this period, and hence use lures like these to trick users. We’re all eager to get our shopping on time, so we might not think twice before clicking a link in parcel-delivery notifications.

In this particular case, cybercriminals are preying on the curiosity of DHL customers who may think a ‘package’ is actually awaiting delivery ‘in terminal 1’. This motivates them to enter their personal details without hesitating. Here are some techniques that cybercriminals behind this scam have employed to trick users:

  • The inclusion of specific details, like a tracking code, and a DHL-related display name, suggests the email is sent from an official source belonging to DHL, boosting its credibility,

  • The inclusion of a message in the email that warns users that the parcel will be returned ‘within 48 hours if no action is taken’. This motivates users to take immediate action if they wish to receive their package. The cybercriminals behind this scam hope that, in their eagerness to retrieve their package, recipients won’t pause to check the legitimacy of the email, and

  • The presence of security features like a verification code, to confirm payment. These features are commonly present in notifications from well-established companies like DHL, further convincing users that those pages actually belong to DHL.

Despite these techniques, several red flags are present in the email that should alert users to its illegitimacy. These include the fact that the recipient isn't addressed directly in the email, and that it contains spacing & grammatical errors, including within the email’s display name and subject line.

We all love getting something (aside from a bill) in the mail, and with online shopping more popular than ever (especially since the COVID-19 pandemic), it’s sometimes hard to keep track of what parcels we’re expecting. Cybercriminals know this, and often prey on people’s busy lives and curiosity to trick them.

DHL advises users to report any suspicious emails or activity to its dedicated Anti-Abuse Mailbox at phishing-dpdhl@dhl.com. More details can be found here.


As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 
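
Several of the red flags described in this alert can be checked mechanically: a DHL display name on a sender address outside DHL's domain, padding characters in the display name or subject, and links that leave the brand's domain. The following Python is an added example, not MailGuard's detection logic; the sample message and its example.net / example.org hosts are constructed, and it assumes the 'extra characters' are invisible Unicode format characters, which the alert does not specify.

```python
import re
import unicodedata
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: allowlist of domains the brand really uses (dhl.com is the one named on this page).
BRAND_DOMAINS = {"dhl": {"dhl.com"}}

# Constructed sample message; the example.net / example.org hosts are placeholders.
SAMPLE = """\
From: "DHL  expre\u200bss" <notify@mail.example.net>
Subject: Package\u200b tracking
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>You have a package pending delivery in Terminal 1.</p>
<a href="https://parcel-fee.example.org/pay">Pay shipping fee</a>
"""

def on_brand(host, allowed):
    """True if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def squash(text):
    """Keep only letters and digits so odd spacing or padding cannot hide the brand name."""
    return "".join(c for c in unicodedata.normalize("NFKC", text) if c.isalnum()).lower()

def analyse(raw, brand="dhl"):
    msg = message_from_string(raw, policy=policy.default)
    allowed = BRAND_DOMAINS[brand]
    name, addr = parseaddr(str(msg["From"] or ""))
    if brand not in squash(name):
        return []  # the message does not claim to come from the brand
    findings = []
    sender_host = addr.rpartition("@")[2]
    if not on_brand(sender_host, allowed):
        findings.append(f"display name claims {brand.upper()} but sender domain is {sender_host}")
    subject = str(msg["Subject"] or "")
    if any(unicodedata.category(c) == "Cf" for c in name + subject):
        findings.append("invisible format characters in display name or subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in re.findall(r'href="([^"]+)"', body.get_content() if body else ""):
        host = urlparse(url).hostname
        if not on_brand(host, allowed):
            findings.append(f"link leads off-brand: {host}")
    return findings
```

Calling `analyse(SAMPLE)` returns one finding per red flag; a message sent from and linking only to the allowlisted domain returns an empty list.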


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.
