Cybercriminals continue impersonating popular shipping company DHL in phishing scams designed to steal confidential data.
MailGuard intercepted a new phishing email masquerading as a DHL delivery alert. The domain used in the email address provided in the ‘From:’ field also appears to belong to the shipping company. However, this address has been spoofed, and the email actually originates from a hosting provider based overseas.
The email body uses high-quality branding elements from DHL, including its logo. It informs recipients that ‘the delivery attempt failed because nobody was present at the shipping address’, warning that if the delivery is not rescheduled or picked up within 72 hours, it will be returned to the sender. Multiple details related to the delivery are provided, including a Waybill number and shipping address. The email also includes an HTML attachment.
Here’s what the email looks like:
Unsuspecting recipients who open the HTML attachment are presented with a login page that asks for their email address and password in order to view a PDF document. This is a phishing page that employs Adobe’s branding and logo:
Once these credentials are entered and submitted, the user is redirected to an external website where the information is harvested for later use. This is a compromised website hosted on Namecheap. Here is a screenshot of the page:
Users are then finally redirected to a domain associated with the user's email address. For example, if the email address was firstname.lastname@example.org, It would redirect to google.com.
We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.
Well-known companies such as Australia Post, FedEx and DHL are popular targets for scammers to impersonate because they are trusted names with large customer bases. Most recently, MailGuard reported a similar DHL-themed email scam in January this year.
The timing of this scam is particularly opportunistic. With the End of Financial Year (EOFY) approaching, many users will be shopping online to take advantage of lucrative deals & sales. This is one of the busiest parts of the year for shopping & parcel delivery. Scammers know that receiving notifications related to parcel delivery isn't likely to be unusual in this period, and hence use lures like these to trick users. We’re all eager to get our shopping on time, so we might not think twice before clicking a link in parcel-delivery notifications.
In this particular case, cybercriminals are preying on the curiosity of DHL customers who may think a ‘package’ is actually on its way. This motivates them to enter their personal details without hesitating. Here are some techniques that cybercriminals behind this scam have employed to trick users:
- The inclusion of specific details, like expected package delivery date, a Waybill number and high-quality branding elements belonging to DHL suggests the email is sent from an official source belonging to DHL, boosting its credibility,
- The use of a header in the email body like ‘Your shipment is on its way’ and a warning that the package will be returned to the sender if the delivery isn’t rescheduled within 72 hours. This intrigues and motivates users to take immediate action if they wish to receive their package. Cybercriminals behind this scam hope in their excitement to retrieve their package, recipients don’t pause to check for the legitimacy of the email,
- The inclusion of an attachment and a fraudulent page employing Adobe's logo and branding. Adobe is a popular software company used commonly among businesses, so the inclusion of these elements further help to convince users that the attachment and external page are legitimate and,
- The presence of support links, for example to DHL’s contact page. These features are commonly present in notifications from well-established companies like DHL, further convincing users that those pages actually belong to DHL.
We all love getting something (aside from a bill) in the mail, and with online shopping more popular than ever (especially since the COVID-19 pandemic), it’s sometimes hard to keep track of what parcels we’re expecting. Cybercriminals know this, and often prey on people’s busy lives and curiosity trick them.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from, and
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.
Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.