Beware the DHL delivery message email – it could be a package scam

Another day of lockdown…

…another “package delivery notification” scam.

Here’s another reminder to think before you click, even if it adds a few seconds to your day to review what the offending email is asking you to do.

We’d like to think that you’d easily spot that this one is bogus – we’ll explain why in the article – but we can equally well see why it might seem harmless enough to click through.

Many scams of this sort that we’ve written about before rely on squeezing you to act, luring you to click, or a bit of both.

For example, delivery scams often entice you by telling you what cool “item” is on its way, such as a mobile phone that someone is sending you as a gift.

At the same time, they pressurise you to act quickly by warning you that delivery will be delayed or even cancelled if you don’t pay a necessary fee to release the article from storage.

To avoid sounding greedy, and to imply that they’re not fraudsters, the amount to pay is often very modest, such as $1, which doesn’t sound like the sort of money a scammer would ask for if they were in it for the cash.

That’s because they aren’t in it for the money up front – indeed, they never intend to bill you at all, because it’s your personal data that they’re after instead.

This time, the crooks are following a much more relaxed formula that doesn’t say much more than, “Hey, here’s how to track your delivery,” which is the sort of message you might reasonably expect when you order something, or when someone orders something for you:

Incoming Package Notification!

This it to notify you that you have an incoming shipment registered in your email [REDACTED]. Please follow the URL below to track your shipment.

And that’s all there is to the email.

OK, so the exclamation point after the word “Notification” probably wouldn’t be there in a genuine notification – it’s a notification, after all, not a warning or an alert.

More importantly, however, hovering over the link would show you a website name you’ve never heard of (this scam used a hacked webserver belonging to a construction company in Bahrain, as it happens).

If you click through just to see what this is all about, you’ll see a similarly simple web page:

As unexceptionable and as unscammy as the page itself looks, the address bar is a fortunate giveaway that this is a scam.

The URL (which we’ve masked out here) wasn’t on a lookalike or soundalike domain name, so it looked completely different to any website you might expect for a DHL server.

Also, there’s no padlock, because the URL started with http:// (insecure) rather than https:// (session encrypted).

Ironically, the web service used by the company whose website was hacked did support HTTPS, and the site had a valid HTTPS certificate, but the crooks neglected to take advantage of the encrypted connection.

As we’ve said before, the presence of an HTTPS certificate doesn’t mean you can trust the site and its content, just that your connection can’t easily be snooped on.

But the absence of an HTTPS certificate on legitimate sites is so unusual these days that you should take it as an immediate warning sign that all is not well.

Of course, if you don’t spot the warning signs and you do put in your password, the data doesn’t go to DHL but straight to the crooks, who are likely to try out your password not only on your real DHL account but on any other account they can think of that you might have. (That’s why you never use the same password on more than one site!)

What to do?

  • Don’t be fooled just because you’re expecting a delivery. The crooks don’t have to know you are waiting for a delivery to get the timing right. Especially during the coronavirus pandemic, they can simply assume you are and they’ll be right for a lot of people a lot of the time.
  • Treat delivery messages as notifications only and ignore the links. It’s a bit more hassle, but avoid clicking on links at all in messages like these. When you order items online, make a note of the right website to use for tracking the item, and go there yourself if there is any problem reported with delivery.
  • Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate. Consider going to your laptop if you can, and checking out the link from there. It’s worth the extra trouble because the address bar is bigger and tells you more.
  • Use a third-party security product on your phone. Sophos Intercept X for Mobile adds to the built-in protection in your phone because it helps to keep you away from risky websites to start with.
  • Change passwords at once that you put into sites you later realised were bogus. The sooner you change your current password, the less time the crooks have to try and use it. If you get as far as a “pay page” where you enter payment card data and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.