Global logistics service DHL has once again been impersonated in a phishing email scam detected by MailGuard.
The email uses a display name of “package-team,” and is titled “Confirm your package”. It informs users that their package has arrived at the local post office “but hasn’t been delivered yet”. It asks them to “pay 1.99 $” if users want to “confirm and view" the package's shipping details. A link is provided for them to do so.
While the email includes DHL’s logo and other branding elements, the sender email address provided in the “From:” field does not appear to be a valid DHL address – a red flag pointing to the email’s illegitimacy. In addition, the email contains several formatting and spelling errors. It actually originates from a mass mailer.
Here’s what the email looks like:
Unsuspecting recipients who click on the link are led to a page that also employs DHL’s branding. This page includes a reCAPTCHA feature that asks users to verify that they are human. This feature is likely employed by cybercriminals to thwart automated checks by email security filters. Here’s what the page looks like:
Users are then led to another page that asks users for their credit card details, including their card number, the card's expiration date and security code. Here’s a screenshot of this page:
This is actually a phishing page hosted on Namecheap, a domain name registration and web hosting company. Once users fill in all required fields in the page above, the attacker harvests them for later use. Users are met with a final message saying that their request is being processed with their bank, and to keep the page open, as per the below:
We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.
Well-known companies such as Australia Post, FedEx and DHL are popular targets for scammers to impersonate because they are trusted names with large customer bases. With the recent spike in online shopping, triggered by the closure of many physical stores due to the COVID-19 pandemic, it is not uncommon to receive notifications related to package deliveries like these. This email is similar to another DHL-themed phishing email we intercepted towards the end of the last year, which also asks users to confirm payment in order to complete the delivery of a package
In this case, cybercriminals are preying on the curiosity of DHL customers who may actually think a package has not been delivered to them despite being available at their local post office. Here are some techniques that cybercriminals behind this scam have employed to trick users and rob them of their credit card details:
- Claiming that a new package is “ready” but hasn’t been delivered, along with a warning that users have “24 hours” to retrieve their package. This intrigues and motivates users to take immediate action if they wish to avoid any further delay in receiving their package. Cybercriminals behind this scam hope in their urgency, recipients don’t pause to check for the legitimacy of the email,
- Incorporating DHL’s logo and branding elements in the email and in the phishing pages. This helps to convince users that those pages actually belong to DHL, and
- Employing a reCAPTCHA feature. Security features like these are commonly expected in notifications belonging to well-established companies like DHL, further boosting the email’s credibility.
Despite these techniques, recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly and that it includes several spacing and formatting errors (e.g. “1.99 $”).
The logistics giant issues the following advice for those who have received suspicious emails purporting to be from DHL:
“If you suspect having received fraudulent emails, SMS or found a website or social media account that tries to pass off as DHL, we encourage you to let us know at your earliest convenience, so that we can quickly take actions to stop the fraud.
Please report all suspicious activity to our dedicated Anti-Abuse Mailbox at firstname.lastname@example.org”.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.
Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.