Whether it's for work or personal use, most of us receive endless shipping alerts about the progress of our online orders, often from third-party shipping companies acting on behalf of online retailers. That's why parcel delivery scams are so popular with scammers. MailGuard's threat intelligence team has identified a sophisticated new phishing campaign impersonating a FedEx shipping notification, designed to harvest comprehensive personal information and credit card details from unsuspecting recipients.
The attack begins with a deceptively authentic email bearing the subject line "FedEx Shipment 772980724289: This shipment is scheduled to be sent" and appears to come from legitimate-sounding sender names such as TrackingUpdates or auto-reply. However, analysis of the sender infrastructure reveals a network of compromised educational and business email accounts spanning multiple countries, including institutions in Taiwan, India, Palestine, and Brazil.
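The sender pattern described above (a FedEx-style subject and generic display name arriving from an unrelated, compromised domain, with a tracking link that does not lead to fedex.com) can be turned into a simple triage rule. The following is an added example, not MailGuard's detection engine; the sample messages are constructed, the sender address and link host are placeholders, and the subject line is the one quoted in this post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FEDEX_DOMAINS = ("fedex.com",)
SUBJECT_RE = re.compile(r"fedex shipment \d{12}\b", re.I)
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)
GENERIC_NAMES = {"trackingupdates", "auto-reply"}


def _is_fedex_host(host):
    """True only for fedex.com itself or a subdomain of it (not look-alikes)."""
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in FEDEX_DOMAINS)


def fedex_lure_indicators(raw_message):
    """Return a list of human-readable indicators for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = []
    # FedEx shipment subject but the envelope sender is not a FedEx domain
    if SUBJECT_RE.search(subject) and not _is_fedex_host(sender_domain):
        hits.append(f"FedEx-style subject from non-FedEx domain {sender_domain}")
    # Generic display names seen in this campaign on a non-FedEx mailbox
    if display.strip().lower() in GENERIC_NAMES and not _is_fedex_host(sender_domain):
        hits.append(f"generic sender name {display!r} on {sender_domain}")
    # FedEx branding but the tracking links point somewhere else
    if "fedex" in subject.lower() or "fedex" in body.lower():
        off_brand = sorted({h for h in URL_RE.findall(body) if not _is_fedex_host(h)})
        if off_brand:
            hits.append("tracking link(s) off fedex.com: " + ", ".join(off_brand))
    return hits


# Constructed sample: compromised university mailbox, placeholder link host
PHISH = """From: TrackingUpdates <staff@uni.example.edu>
Subject: FedEx Shipment 772980724289: This shipment is scheduled to be sent
Content-Type: text/plain

Your FedEx parcel is waiting. Confirm delivery here:
http://tracking-portal.example.net/fedex/confirm
"""

# Constructed sample of what a genuine notification would look like
LEGIT = """From: FedEx <TrackingUpdates@fedex.com>
Subject: FedEx Shipment 772980724289: This shipment is scheduled to be sent
Content-Type: text/plain

Track your shipment at https://www.fedex.com/fedextrack/?trknbr=772980724289
"""
```

Three indicators fire on the constructed lure and none on the genuine-looking sample; in a real gateway this would feed a score alongside SPF/DKIM/DMARC results rather than block on its own.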
How the Scam Unfolds
This phishing operation employs a carefully orchestrated five-stage approach designed to gradually extract increasing levels of sensitive information:
Stage 1: The Initial Hook
Recipients receive what appears to be a standard FedEx tracking notification, complete with realistic shipment details, tracking numbers, and delivery schedules. The email's professional appearance and familiar FedEx branding create an immediate sense of legitimacy that bypasses initial user suspicion.
Stage 2: Creating Urgency
Upon clicking the tracking link, victims land on a convincing replica of the FedEx tracking portal. The page displays an "Important Message" claiming that payment confirmation of $1.99 AUD is required within 14 days to complete delivery. This low-cost payment request is strategically designed to appear reasonable while creating artificial urgency.
Stage 3: Personal Information Harvesting
The second page requests comprehensive personal details under the guise of address verification. Victims are prompted to provide their full address, date of birth, phone number, and email address. The professional presentation and security badges (including fake Visa and MasterCard verification logos) maintain the illusion of legitimacy.
Stage 4: Financial Data Extraction
The third stage targets payment information, requesting complete credit card details including cardholder name, card number, expiry date, and CVV code. The page maintains the FedEx branding and includes trusted payment processor logos to reinforce victim confidence.
Stage 5: Two-Factor Authentication Bypass
In the fifth stage, the scam attempts to circumvent modern security measures by requesting a "One Time Password (OTP)" sent via SMS. This technique allows criminals to potentially bypass two-factor authentication protections and complete fraudulent transactions in real time.
Stage 6: False Confirmation
After collecting all required information, victims receive a confirmation message thanking them for their information, with a promise of future contact. The page then redirects to the legitimate FedEx website, creating a false sense of security and potentially delaying the victim's realisation that they've been compromised.
Technical Analysis
The campaign demonstrates several sophisticated elements that distinguish it from basic phishing attempts:
Red Flags to Watch For
Organisations should train their teams to identify these warning signs:
Organisational Impact
The data harvested through this campaign poses significant risks beyond individual victim impact. Compromised employee credentials can provide entry points for broader organisational attacks, including business email compromise (BEC) schemes, credential stuffing attacks, and targeted social engineering campaigns against other staff members.
The combination of personal and financial information collected enables criminals to:
MailGuard's advanced threat detection algorithms identified this campaign through behavioural analysis and threat intelligence correlation, enabling our customers to remain protected even when traditional signature-based detection methods fail. Our "zero zero-day" technology recognized the attack patterns before widespread distribution, demonstrating the critical importance of AI-powered email security solutions.
The rapid identification and blocking of this threat prevented potentially significant security breaches across our client base, highlighting the value of proactive threat hunting and real-time protection capabilities.
Organisations should implement comprehensive email security protocols that extend beyond traditional filtering approaches:
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.