Akankasha Dewan 10 December 2020 17:30:51 AEDT 5 MIN READ

Year-end parcel delivery scams continue: DHL impersonated once again in phishing email

As we head deeper into the year-end shopping season, cybercriminals continue using parcel delivery related lures to trick users.

MailGuard has intercepted another phishing email scam purporting to be from global shipping company, DHL. Titled “Warning!”, the email uses a display name of “DHL service” and contains a sign off from “DHL Tracking services”. However, the domain used in the email address provided in the “From” field doesn’t belong to DHL. It actually originates from an external hosting platform. This platform may have been compromised, or set up by the attackers for fraudulent purposes.

Similar to another DHL-themed phishing email we intercepted recently, this email asks users to confirm payment in order to complete the delivery of a package. A link is provided for them to do so. It also contains an “important message”, informing users to confirm payment within the next 14 days.

Here’s what the email looks like:


Unsuspecting recipients who click on the link to “deliver” their package are led to a page titled “DHL Tracking” that asks for their credit card details, as per the below screenshot:


As you can see, this page employs DHL’s branding & logo, and looks like a legitimate page belonging to the company. The domain used in the URL of this page, however, does not belong to the shipping company. It's actually a phishing page hosted on a compromised website and is designed to harvest the above-mentioned credentials of users. In addition, all the hyperlinks included in this page don’t lead to legitimate pages. Instead, users who click on any of these links are led back to the phishing page itself.

Once users enter & submit their credit card details, the attacker harvests them for later use, and users are sent to another fake DHL-branded page asking users to enter a verification code sent to them via text message:


We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

As mentioned above, this phishing email is similar to the one we intercepted recently, which also purports to be from DHL. It’s not surprising for cybercriminals to launch multiple email scams related to parcel delivery during this period, especially those impersonating well-known shipping & courier companies (Australia Post, FedEx & DHL) that have a wide user base. The shopping season is in full swing, with mega shopping events like Black Friday & Cyber Monday resulting in many people shopping online to take advantage of lucrative deals & sales. In addition, with Christmas and New Year approaching, this is the busiest part of the year for shopping & parcel delivery. Scammers know that receiving notifications related to parcel delivery isn't likely to be unusual in this period, and hence use lures like these to trick users. We’re all eager to send and receive our shopping on time, so we might not think twice before clicking a link in parcel-delivery notifications.

Here are some techniques that cybercriminals behind this particular scam have employed to trick users:

  • The use of a display name like “DHL service” and the presence of legitimate-looking phishing pages, complete with support & security links, suggests the email is sent from an official source belonging to DHL, boosting its credibility,

  • The inclusion of a subject like “Warning!” and an “important message” informing them that the link to confirm payment will expire in 14 days. This evokes urgency, motivating users to take immediate action to complete delivery of their package. Cybercriminals behind this scam hope in their urgency, recipients don’t pause to check for the legitimacy of the email and,

  • The presence of security features like a verification code, to confirm payment. These features are commonly present in notifications from well-established companies like DHL, further convincing users that those pages actually belong to the shipping company.

Despite these techniques, several red flags are present in the email that should alert users of its illegitimacy. These include the fact that the recipient isn't addressed directly in the email, and that it contains awkward spacing & formatting.  

We all love getting something (aside from a bill) in the mail, and with online shopping more popular than ever (especially since the COVID-19 pandemic), it’s sometimes hard to keep track of what parcels we’re sending & expecting. Cybercriminals know this, and often prey on people’s busy lives and curiosity trick them.

DHL advises users to report any suspicious emails or activity to its dedicated Anti-Abuse Mailbox at phishing-dpdhl@dhl.com. More details can be found here.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates