
Parcel delivery scams are on the rise: Do you know what to watch out for?


As package delivery scams that spoof DHL, USPS and other delivery companies soar, here’s how to stay safe not just this shopping season.


Where there are users to be scammed and money to be made, cybercriminals won’t be far behind. So it was during the pandemic, when internet users eager to get hold of the latest COVID news were susceptible to scams. At one point, Google claimed to be blocking 18 million daily phishing emails related to the unfolding situation.


The pandemic also led to a surge in e-commerce which will long outlast the virus. There was an estimated 56% increase in online sales between 2019 and 2021, and the numbers are only predicted to grow. That presents another opportunity for online fraudsters masquerading as delivery companies.

With the holiday season approaching, you should be on the lookout for delivery scams designed to steal your data and your cash, or even infect your computer.


How common are fake delivery scams?

E-commerce has never been easier. In just a few mouse clicks or swipes of our smartphone, we can have items from all over the world delivered to our doorstep. But this ease of use can also be our undoing. Can you remember all the items you ordered over the past two weeks, where they were bought, and what company is shipping them? Scammers are primed to take advantage, by sending out phishing emails and texts impersonating delivery companies, which claim something is wrong and urge users to click through.


According to the latest ESET Threat Report, the May-August 2022 period saw a six-fold increase in detections of shipping-themed phishing lures versus the January-to-April 2022 period. These emails often involved fake DHL and USPS requests to verify shipping addresses and contributed to ESET’s blocking 28% more phishing URLs than in the first four months of the year, amounting to almost 4.7 million. This bumped the category of phishing sites faked with the logos of delivery and logistics firms into third place behind social media and finance (banking) among the top targets for phishers.


What are the bad guys after?

So what happens if you click on malicious links in these emails? Usually, they’ll take you to a fake site where you’ll be asked to enter more details to prove your identity, or pay a non-existent fee. But sometimes, just by clicking, you could unwittingly download malware to your device.

To recap, fraudsters may be after your account passwords, which can be used to hijack these online accounts, or other personal and financial information, such as banking logins or credit card details, for follow-on fraud. Any of this can also be done via malware that steals information like passwords from your PC, or the fraudsters may even extort you via ransomware.


Phishing and its variants were the most common cybercrime type by volume of reported incidents last year, according to the FBI, making cybercriminals over US$44m. However, the real cost is likely to be much higher, as scams are often not reported.


What do delivery scams look like?

We all get so many parcels delivered to our homes today that it can be tough keeping track of them. We’ve become accustomed to seeing messages in our inbox or on our phone from logistics companies, updating us about scheduled delivery times and other information. Sometimes we’re required to reply. It is these messages that the scammers try to mimic.

They could be:

  • a request for an additional payment to complete delivery

  • a demand for payment due to a supposedly incorrect delivery address

  • a request for email verification (password) in order to track a (non-existent) parcel

  • a request for name, full address and phone number, due to “delivery failure”


There are also multiple varieties of smishing (phishing via text) scams of this sort, which leverage the fact that many delivery companies also update their customers via SMS. They use similar techniques – creating a sense of urgency that rushes the recipient into making the wrong decision. In the case of smishing, users may be even more likely to click through as:

  • They may be distracted and on the move

  • There’s no way to check for a fake sender domain (only a phone number, which can be easily faked)

  • There are typically fewer words in a text, and therefore fewer opportunities to spot poor grammar

  • There’s no logo for the bad guys to spoof

How to stay safe from the scammers

Fortunately, there’s plenty you can do to combat the risk of delivery scams in the run-up to the busy shopping season. Consider the following:

  • Don’t click on links to enter personal information, including login credentials and financial information, from an unsolicited email or text message

  • Regularly back up your device

  • Look out for the tell-tale signs of a phishing scam: urgency, out-of-the-blue requests for financial or other information, imposter URLs, spelling and grammatical errors, and requests for money in return for delivery

  • If you receive an email that looks suspicious, visit the official website of the delivery company rather than follow a link embedded into the message

  • Download reputable multi-layered security software with anti-phishing capabilities to all your devices
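
The tell-tale signs listed above (urgency, requests for money and imposter URLs) can also be checked automatically, for example when triaging messages reported to a help desk. The Python code below is an added example, not ESET's code: the allowlist of official carrier domains, the keyword lists and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration; build yours from each carrier's official site.
OFFICIAL_DOMAINS = {"dhl.com", "usps.com"}
BRANDS = {"dhl", "usps"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|final notice)\b", re.I)
PAYMENT = re.compile(r"\b(fee|pay|payment|card details)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def is_official(host):
    """True only if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_message(text):
    """Return a sorted list of warning signs found in an email or SMS body."""
    signs = set()
    if URGENCY.search(text):
        signs.add("urgency")
    if PAYMENT.search(text):
        signs.add("payment-request")
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if is_official(host):
            continue
        # A carrier's name inside a host the carrier does not own is an imposter URL.
        if any(brand in host for brand in BRANDS):
            signs.add("imposter-url")
        else:
            signs.add("unofficial-link")
    return sorted(signs)

# Constructed sample messages; the .example hosts are reserved and not real sites.
SAMPLES = [
    "DHL: your parcel is on hold. Pay the 1.99 customs fee immediately at "
    "https://dhl.com.parcel-fee.example/track?id=1",
    "Your USPS package is out for delivery. Track it at "
    "https://tools.usps.com/go/TrackConfirmAction",
    "Delivery failure: confirm your name and address at "
    "http://redelivery.example/form",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(check_message(msg), "<-", msg[:45])
```

Note that the first sample's host begins with `dhl.com` but its registered domain is the part at the end, which is why the check compares the end of the hostname rather than searching for the brand anywhere in the link.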

As the holiday season approaches, there’s an even greater chance that we’ll either lose track of what we’ve bought or we’ll be expecting gifts purchased by others. Get delivery-scam smart today to avoid a potentially fraught start to the holidays.


Now, why not go ahead and test yourself to see if you can spot some of the tricks and techniques that phishers use? The test below, by ESET Chief Security Evangelist Tony Anscombe, comes complete with brief pointers on why each message is real or fake.
