MailGuard 24 September 2025 11:13:30 AEST 8 MIN READ

FedEx Shipping Scam Targets Personal and Financial Data

Whether for work or personal use, most of us get endless shipping alerts about the progress of our online orders, often from third-party shipping companies acting on behalf of online retailers. That's why parcel delivery scams are so popular with scammers. MailGuard's threat intelligence team has identified a sophisticated new phishing campaign impersonating a FedEx shipping notification, designed to harvest comprehensive personal information and credit card details from unsuspecting recipients.

Campaign Overview

The attack begins with a deceptively authentic email bearing the subject line "FedEx Shipment 772980724289: This shipment is scheduled to be sent" that appears to originate from legitimate-sounding addresses such as TrackingUpdates or auto-reply. However, analysis of the sender infrastructure reveals a network of compromised educational and business email accounts spanning multiple countries, including institutions in Taiwan, India, Palestine, and Brazil.

How the Scam Unfolds

This phishing operation employs a carefully orchestrated five-stage approach designed to gradually extract increasing levels of sensitive information:

Stage 1: The Initial Hook

Recipients receive what appears to be a standard FedEx tracking notification, complete with realistic shipment details, tracking numbers, and delivery schedules. The email's professional appearance and familiar FedEx branding create an immediate sense of legitimacy that bypasses initial user suspicion.

[Screenshot: the phishing email]

Stage 2: Creating Urgency

Upon clicking the tracking link, victims land on a convincing replica of the FedEx tracking portal. The page displays an "Important Message" claiming that payment confirmation of $1.99 AUD is required within 14 days to complete delivery. This low-cost payment request is strategically designed to appear reasonable while creating artificial urgency.

[Screenshot: phishing page 1]

Stage 3: Personal Information Harvesting

The second page requests comprehensive personal details under the guise of address verification. Victims are prompted to provide their full address, date of birth, phone number, and email address. The professional presentation and security badges (including fake Visa and MasterCard verification logos) maintain the illusion of legitimacy.

[Screenshot: phishing page 2, address form]

Stage 4: Financial Data Extraction

The third stage targets payment information, requesting complete credit card details including cardholder name, card number, expiry date, and CVV code. The page maintains the FedEx branding and includes trusted payment processor logos to reinforce victim confidence.

[Screenshot: phishing page 3, credit card form]

Stage 5: Two-Factor Authentication Bypass

In the final stage, the scam attempts to circumvent modern security measures by requesting a "One Time Password (OTP)" sent via SMS. This technique allows criminals to potentially bypass two-factor authentication protections and complete fraudulent transactions in real time.

[Screenshot: phishing page 4, confirm payment]

Stage 6: False Confirmation

After collecting all required information, victims receive a confirmation message thanking them for their information, with a promise of future contact. The page then redirects to the legitimate FedEx website, creating a false sense of security and potentially delaying the victim's realisation that they've been compromised.

[Screenshot: phishing page 5, thank you]

Technical Analysis

The campaign demonstrates several sophisticated elements that distinguish it from basic phishing attempts:

  • Domain Spoofing: The fraudulent sites utilise domain names designed to appear official while hosting the malicious content on compromised infrastructure
  • Progressive Information Gathering: Rather than requesting all information at once, the attack spreads data collection across multiple pages to reduce user suspicion
  • Visual Authentication: Fake security badges and payment processor logos are strategically placed to build trust
  • Mobile Integration: The OTP request specifically targets mobile phone numbers, enabling potential SIM-swapping or SMS interception attacks

Red Flags to Watch For

Organisations should train their teams to identify these warning signs:

  • Generic greetings that don't include your name or specific account information
  • Unexpected shipping notifications from services you haven't used
  • Payment requests for packages you didn't order
  • URLs that don't match the official company domain
  • Requests for comprehensive personal information beyond what's necessary for package delivery
  • Urgent language designed to pressure immediate action
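
The sender-domain, URL and urgency red flags above can be checked mechanically when a reported message is triaged. The Python below is an added example, not MailGuard's detection logic; the official-domain list, the wording patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"fedex.com"}  # assumption: the brand's genuine domain
BRAND = re.compile(r"fedex", re.I)
PRESSURE = re.compile(r"payment|within \d+ days|one time password", re.I)
HREF = re.compile(r"""href=["'](https?://[^"']+)""", re.I)

def on_official_domain(host):
    """True only for the official domain or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def red_flags(raw_email):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    claims_brand = bool(BRAND.search(display + " " + msg.get("Subject", "")))
    body = ""
    for part in msg.walk():  # collect every text part, single or multipart
        if part.get_content_maintype() == "text":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    flags = []
    if claims_brand and not on_official_domain(sender_domain):
        flags.append("sender domain: " + sender_domain)
    for url in HREF.findall(body):
        host = urlparse(url).hostname
        if claims_brand and not on_official_domain(host):
            flags.append("link host: " + str(host))
    if PRESSURE.search(body):
        flags.append("payment or deadline pressure")
    return flags

# Constructed samples (not real campaign data); .example hosts are placeholders.
PHISH = """\
From: TrackingUpdates <staff@dept.university.example>
Subject: FedEx Shipment 772980724289: This shipment is scheduled to be sent
Content-Type: text/html

<p>A payment of $1.99 AUD is required within 14 days.</p>
<a href="https://fedex.com.parcel-update.example/track">Track shipment</a>
"""
GENUINE = PHISH.replace("staff@dept.university.example", "TrackingUpdates@fedex.com") \
    .replace("fedex.com.parcel-update.example", "www.fedex.com") \
    .replace("A payment of $1.99 AUD is required within 14 days.", "Your shipment is on its way.")

if __name__ == "__main__":
    print(red_flags(PHISH))
    print(red_flags(GENUINE))
```

The suffix match in `on_official_domain` is what rejects a host that merely begins with the brand's domain, which a substring check would accept.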

Organisational Impact

The data harvested through this campaign poses significant risks beyond individual victim impact. Compromised employee credentials can provide entry points for broader organisational attacks, including business email compromise (BEC) schemes, credential stuffing attacks, and targeted social engineering campaigns against other staff members.

The combination of personal and financial information collected enables criminals to:

  • Conduct unauthorised financial transactions
  • Perform identity theft and account takeovers
  • Launch targeted attacks against the victim's organisation
  • Sell comprehensive identity packages on dark web marketplaces

MailGuard's Detection and Response

MailGuard's advanced threat detection algorithms identified this campaign through behavioural analysis and threat intelligence correlation, enabling our customers to remain protected even when traditional signature-based detection methods fail. Our "zero zero-day" technology recognised the attack patterns before widespread distribution, demonstrating the critical importance of AI-powered email security solutions.

The rapid identification and blocking of this threat prevented potentially significant security breaches across our client base, highlighting the value of proactive threat hunting and real-time protection capabilities.

Recommended Security Measures

Organisations should implement comprehensive email security protocols that extend beyond traditional filtering approaches:

  • User Education: Regular security awareness training should emphasise verification procedures for unexpected security communications, regardless of apparent sender legitimacy.
  • Multi-Factor Authentication: Implement robust MFA across all business systems to mitigate the impact of credential compromise.
  • Incident Response Planning: Establish clear procedures for reporting and responding to suspected phishing attempts, ensuring rapid containment of potential breaches.
  • Advanced Email Protection: Deploy AI-powered email security solutions capable of behavioural analysis and real-time threat detection rather than relying solely on signature-based filtering.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
