Scammers’ delivery service: exclusively dangerous (2022)

Well-known companies and brands are favorite targets for fraudsters. After all, it is much easier to get people’s attention with the use of a popular name, so scammers have more chance of trapping a gullible user.

In this article, we will analyze phishing and malicious emails sent by fraudsters that claim to come from international delivery services. The most popular of these are DHL (Germany), FedEx and United Parcel Service (USA), TNT (Netherlands). All of these companies are international, with millions of customers using branches in major countries all over the world. They provide similar services, so scammers use the same methods and techniques in their fraudulent mails.

The phishers’ goals include:

  1. Theft of confidential data (bank card credentials, logins and passwords from personal accounts), mainly with the help of fake web pages imitating official pages of the site. In a phishing attack users provides the fraudsters with their personal data by filling the fields on fake sites or sending them via email.
  2. Installing various malicious programs on users’ computers. These programs are used not only to monitor user online activity and steal personal information, but also to organize botnets to distribute spam and launch DDoS attacks.

Headings of fraudulent emails

The From field

Structurally, the address in the From field looks like this: Sender Name . To confuse recipients, scammers can change parts of the address and often make it look very similar to an official address of the delivery service.

There are several groups of email addresses seen in fraudulent emails:

  1. Email addresses which closely resemble companies’ legitimate public addresses. Generally, they use the name of the company (DHL INC, TNT COURIER SERVICE, Fedex, etc.) as the sender name. The name of the mailbox often includes the words info, service, noreply, mail, support which are typical of email addresses used to send official notifications. The server domain name often has a real or very plausible company domain.
  2. Scammers’ delivery service: exclusively dangerous (1)

  3. Addresses which do not resemble legitimate company addresses. The sender name still reflects the company name (FedEx, DHL Service, FedEx.com) but the domain name usually belongs to a free email service or an absolutely different company. The email address could be taken from a real user (taken from public sources or hacked mailboxes) or automatically generated addresses. The latter usually appear as a random sequence of letters, words and numbers.
  4. Scammers’ delivery service: exclusively dangerous (2)

  5. Addresses that resemble e-mail addresses of company employees. The sender name may contain the name and surname of a supposed employee, or the company name, or a position (courier, manager, etc). The name of the email box usually contains the same name and surname as the sender name because any difference in the data may alert the recipient to a fraudulent email. Either the real company domain or other domains not related to delivery companies might be used as a domain name.
  6. Scammers’ delivery service: exclusively dangerous (3)

  7. Addresses which only indicate the sender’s address without a name.
  8. Scammers’ delivery service: exclusively dangerous (4)

While analyzing sender address, remember that scammers do not need to hack the company servers to use the real company domain in the From field. They can simply insert the necessary domain name of the server into the From field.

The Subject field

The subject of the fraudulent mail should capture the imagination of recipients and encourage them to open the message, but it also needs to be plausible. Therefore spammers choose common phrases typical of official notifications from delivery services. After sending a parcel or a document, customers worry about its successful delivery and try to follow its progress by reading any notification from a delivery service.

The most popular subjects are:

(Video) Scammers impersonate real businesses to steal from customers | A Current Affair

  1. Subjects related to the delivery/shipment (shipment notifications, delivery status, shipping confirmation, shipment documents, delivery information, etc.).
  2. Examples:

    Scammers’ delivery service: exclusively dangerous (5)

  3. Subjects related to tracking shipments, order information and invoices (the tracking number of the shipment, tracking the shipment, etc.).
  4. Examples:

    Scammers’ delivery service: exclusively dangerous (6)

  5. Subjects related to notifications about messages and accounts (creation and confirmation of accounts, new messages, etc.).
  6. Scammers’ delivery service: exclusively dangerous (7)

The design of the email

Scammers pay special attention to the design of the email. Their main goal is to make message as believable as possible. After all, if it looks suspicious, a potential victim will most likely delete it despite the attractive subject and plausible sender address. Let’s analyze the basic techniques that fraudsters use to make emails look legitimate.

Graphic design

All major international companies have their own corporate style, including wordmarks, graphic trademarks, corporate fonts, slogans and color schemes. These are used on the official website, in mailings and commercials, and in other design components. Scammers use at least some of these elements when designing fraudulent emails to make them look convincing. Usually phishers focus on logos because these elements are unique to each company and is an immediate identifying mark.

Examples of DHL company logos used in fraudulent emails.

Scammers’ delivery service: exclusively dangerous (8)

Let’s take a closer look at these examples. It’s immediately obvious that the second example is very different from the company’s official logo. Another sign of a forgery is the difference in size between the false logo and the original, as seen in the fourth example where the logo takes almost a third of the message. Here the plan is probably to attract the reader’s attention with a large bright picture rather than plain text. That also explains why the phishing links appear in a larger font: users should respond to it immediately, without trying to read the small print.

In the first example, the scammers are trying to copy the design from the official site (a very popular method). However the logo is placed on the right-hand side rather than on the left. Also they are using a color blend for the logo background rather than making it single-color. The logo in the third example most closely imitates the original DHL logo: the scammers have tried to match its size and design. It’s not really all that difficult to make a logo for a fake notification: there are plenty of versions of the original image available online in several formats, including vector graphics. In addition to the logo the fraudsters use the color spectrum chosen by the company in its official resources and mailings. For example, for DHL it is a combination of yellow and red.

The text design

In most official emails we find a number of set phrases, especially when it comes to standard notifications generated and sent automatically. These messages often include contacts and links to the official resources of the sender. Therefore, to make the text of the fake email look like an original notification from a delivery service the fraudsters use:

  1. Standard phrases typical of official mass mailings: Please do not reply to this email, This is automatically generated email, please do not reply, All rights reserved, Diese Versendung ist automatisch, Bitte beantworten Sie diese nicht, This communication contains proprietary information and may be confidential. Questo e’ un email automatico, Si prega di non rispondere, etc.
  2. Scammers’ delivery service: exclusively dangerous (9)

    (Video) New Scams to Watch Out For in 2022

  3. Links to the official page of the company. Not all links contained in the fraudulent email are phishing – spammers may also use the links which really lead to the official resources on order to make their emails look legitimate and bypass spam filtering.
  4. Scammers’ delivery service: exclusively dangerous (10)

  5. Contact for feedback. The fraudsters often indicate the contact information of the sender or the company (name, surname, position, office address). These contacts might be real or fictitious.
  6. Scammers’ delivery service: exclusively dangerous (11)

The content of the email

When fraudsters send out fake emails convincing readers that it is a real message is only part of the battle. The next step is to persuade the potential victim to do what the scammer requires, such as providing personal information or installing a malicious file. This is where psychology comes into play, and the email content is the main tool.

In fraudulent notifications allegedly sent on behalf of delivery services often use the following tricks:

  1. Notifications of various problems (eg. unsuccessful delivery, lack of information, wrong address, no recipient at the delivery address). These phrases are usually related to the delivery since the companies in question are in the service sector. Therefore, a logistics company warning of a problem with a delivery doesn’t prompt any suspicion, especially if the email contains some details of the situation.
  2. Scammers’ delivery service: exclusively dangerous (12)

  3. A demand to do something or face some consequence. For example, “collect your parcel within 5 days otherwise it will be returned to the sender”.
  4. The scammers use deadlines like this to make recipients react immediately. The phishers hope that users will be so worried about losing the parcel or paying extra costs that they won’t hesitate to provide personal details or open a suspicious attachment.

    Scammers’ delivery service: exclusively dangerous (13)

  5. Phrases about the content of an attachment or link (invoices, detailed information, documents).
  6. Users are unlikely to open unknown attachments or follow unknown links. That’s why scammers imitate official websites and present malware as a document with information a parcel. In addition, if the text of the notification states that the attachment contains, for example, a consignment document, the malicious archive will have a similar name, such as “consignment.zip.” This applies to phishing links as well – scammers name their links with an appropriate phrase from the text, such as “shipping information”.

    This simple trick is intended to reassure recipients that the attachment or link is perfectly legitimate.

    Scammers’ delivery service: exclusively dangerous (14)

  7. Phrases about the need to do something (follow a link, open an attachment, print out a file, etc.).
  8. Assuming the fraudsters have convinced the recipients that the email is real, the next step is to tell the victims how to solve their problems. Fulfilling these instructions is the ultimate goal of the fraudulent email. Here it is important for the scammers not just to tell recipients what they need to do, but to make them understand correctly what is written in the message. To avoid any misunderstanding on the part of the recipients, messages often contains detailed instructions about what to do.

    Scammers’ delivery service: exclusively dangerous (15)

How the text might change

Cheating the user is not the only thing scammers have to do. They also need to bypass spam filters and deliver the email to the email boxes of potential victims. One of the most popular and long-used methods to bypass filtering is to change text fragments within the email. Modern programs designed to send out spam messages include ample opportunities to generate multiple changes in the text. The text of a message which varies from email to email makes the email unique, while different personal information specified within one mailing (such as the number of the shipment, the form of the address, the dates) helps to convince recipients that the email is intended for them. In addition, the fraudsters can send out emails designed in the same style for several months – they only need to change some elements in the text.

(Video) Facebook Marketplace scams to watch out for. They tried to trick me.

Fraudulent notifications from delivery services can change:

  1. The information about the order/shipment, including the tracking number of the shipment, delivery dates, etc.)
  2. Contact details, sender names and company names. Some mass mailings provide an e-mail address or a phone number of a company representative for feedback. This particular data changes from email to email. In addition, names of company representatives and even company names themselves may also vary.
  3. The name of the attachment. It mainly refers to malicious attachments which names vary in messages within one mass mailing while these different names hide one and the same malicious program.
  4. Links. In phishing emails and emails with malicious attachments scammers often specifically change the addresses of the links, masking them with the help of different URL shorteners. Most of these links are quickly blocked by current antivirus programs.
  5. Phrases indicating numbers and dates. These can refer to timetables (days, hours), sums of money and dates (day and month)
  6. The greeting. Here spammers generally use the email address and/or the name of the recipient. Sometimes they use generic expressions (Dear client, Dear customer, etc.) instead.
  7. Other text fragments. Some words are replaced with other phrases that have a similar meaning so the general sense of the sentence remains unchanged.

Let’s analyze some examples of changes in the text of fraudulent emails.

Scammers’ delivery service: exclusively dangerous (16)

Below are some emails from yet another mass mailing.

Scammers’ delivery service: exclusively dangerous (17)

Fake pages

To steal personal information from users, scammers create phishing HTML pages which partially or completely copy the official website of a company. If victims of fraud enters their personal information (bank details, usernames and passwords) on this page, that data immediately falls into the fraudsters’ hands.

To mask the links leading to phishing websites the fraudsters often use popular free URL shorteners. In addition, most services offer customers the ability to view the statistics on the short link which tells fraudsters more about the number of clicks on any links etc. Phishing pages can be located on specially registered domains which usually have a short life span as well as on compromised domains whose owner may not even be aware that the web site is being used for fraudulent purposes.

Let’s analyze a fake email sent on behalf of FedEx in which recipients are asked to update their account information. The text of the email contains a link to the official website of the company while the real address to which the user is redirected is nothing like the legitimate page and is located on a free URL shortener service. This becomes obvious when you hover on the link.

Scammers’ delivery service: exclusively dangerous (18)

After clicking the link, users get to a fraudulent page imitating the official website of FedEx, where they are asked to enter their logins and passwords to access their accounts. Once the users fill in the fields and click “Login”, the entered information is transmitted to the scammers who can then access the victims’ personal accounts. The menu tabs and other links on the phishing page are often inactive, so clicking on them will not take users to the appropriate page. However, in some cases, phishers imitate all links on the page so that users do not have any doubt about its legitimacy. Sometimes the design of the page imitates the official site but does not copy it completely. If you have a closer look at the details, you will see some differences between the designs of the real and the fake pages. However, most users do not pay attention to small details and this carelessness helps the scammers to steal personal information.

Scammers’ delivery service: exclusively dangerous (19)

Below is yet another example of an email sent on behalf of FedEx. This time it contains a malicious link. The email informs recipients that delivery is impossible because of missing information. And now users have to follow the specified link for verification.

Scammers’ delivery service: exclusively dangerous (20)

(Video) The World's Most Complex Catfishing Scam | Investigators

The link leads to a fraudulent page where potential victims are invited to download a program that will supposedly check whether they are really going to receive a parcel. Naturally, the program turns to be the well-known Zeus Trojan, which helps the fraudsters to access the computer and all the personal information on it.

Scammers’ delivery service: exclusively dangerous (21)

Scammers might not only include a phishing link in the body of the email, but also attach an HTML phishing page designed to steal personal data. However this use of HTML attachments as phishing pages is unusual for fraudulent mailings sent on behalf of delivery services.

Fraudulent emails in different languages

To increase the audience of recipients and customers, spammers are mastering new languages. In addition to traditional English and German, current spam traffic includes emails in Hebrew, Albanian and other languages​​ which were found in advertising and fraudulent mailings a few years ago. For example, you may come across fake notifications from international delivery services written in Italian and Dutch. These emails do not have any special features that distinguish them from English- or German-language messages – to cheat users, the fraudsters resort to the same tricks.

For example, this Italian-language fake notification from FedEx tells users to confirm their identity by following a fraudulent link.

Scammers’ delivery service: exclusively dangerous (22)

Yet another mass mailing in Italian contained a malicious archive which included the Zeus/Zbot Trojan used to steal personal data. The fraudulent email claimed that the user profiles on the website had been updated and there was more detailed information about it in the archive.

Scammers’ delivery service: exclusively dangerous (23)

Another fake notification written in Dutch on behalf of TNT informs recipients that new accounts have been formed for them, with details in the attachment. The archive attached to the email contains Backdoor.Win32.Andromeda, a malicious file that allows the scammers to control the infected computer without the user knowing.

Scammers’ delivery service: exclusively dangerous (24)

Malware in fraudulent emails

Spam is one of the most popular ways of spreading malware and infecting computers on the Internet. Attackers have various tricks to make victims install malicious software on their computers. Email traffic includes a variety of private emails, such as wedding invitations, dating offers and other similar messages. However, fake notifications from well-known companies and brands providing different services remain the most popular cybercriminal trick. International delivery services are also used by spammers as a cover for malicious spam.

Malware spread in fake notifications from delivery services is divided into:

  1. Trojan programs developed to perform unauthorized operations in order to delete, block, modify or copy data, to disrupt computer or network performance. Trojans distributed in spam include Backdoors, Trojan-Downloaders, Trojan-Proxies, Trojan-PSWs, Trojan-Spies, Trojan-Bankers and others
  2. Worms, malicious programs capable of unauthorized self-proliferation on computers or computer networks. Those copies go on to spread themselves further.

What is dangerous about malicious programs?

(Video) Broke Kids Steals New Shoes

  1. They can steal usernames and passwords from users’ accounts, as well as financial or other information sought by the attackers.
  2. They can create botnets for distributing spam, DDoS attacks and other criminal activity
  3. They can provide fraudsters with control over victim computers, including the ability to run, delete or install any files or programs.

Current malicious programs integrate broad-ranging fraudulent functionality. In addition, some malicious programs can download other malware, providing additional opportunities. These might include stealing usernames and passwords entered in the browser or seizing remote control over the whole computer.

Malicious objects in fraudulent notifications can be embedded directly in the email or downloaded from a link provided in the body of the message. The most dangerous thing about it is that malware can be run and installed without users being aware or installing any software themselves. Typically, malicious ZIP (less often RAR) files enclosed in fraudulent emails have an executable .exe extension.

How to recognize phishing emails

Below are a number of features that can help to identify a fraudulent email.

  1. The sender address. If the sender address includes a random sequence of letters, words or numbers, or the domain has no connection with the official address of the company, the emails should undoubtedly be considered fraudulent and deleted without opening.
  2. Grammar and spelling mistakes. Wrong word order, incorrect punctuation, grammar and spelling mistakes can also be a sign of a fraudulent mailing.
  3. Graphic design. Scammers are doing their best to make the email look very similar to the original. To this ends they are trying to imitate other companies’ corporate styles using some of their elements such as color schemes and logos. Inaccuracies and noticeable design errors are among the signs of a fake email.
  4. The content of the email. If the recipient of the email is asked under various pretexts to urgently provide or confirm personal information, download a file or a link – especially while being threatened with sanctions for not doing so – the email may well be fraudulent.
  5. Links with different addresses. If the address of the link specified in the body of the email and address of the actual link to which you are redirected do not match, you are definitely looking at a fraudulent email. If you are viewing your email from the browser, the actual link can be usually seen in the bottom left of the browser window. If you use an email client, the actual link can be displayed in a popup window if you hover the cursor over the link in the text. Fraudulent links can also be attached to a text phrase in the email.
  6. Attached archives. Generally, ZIP and RAR archives are used by cybercriminals to hide malicious executable EXE-files. Therefore, you should not open these archives or run the attached files.
  7. Lack of contacts for feedback. Legitimate emails always provide contact information for feedback – either the company or the sender’s personal contacts.
  8. Form of address. Fraudulent emails do not necessarily use the first name or the surname to address the recipient; sometimes a universal form of address (“client”, etc.) is used.

FAQs

Why am I getting texts about a package? ›

This type of text message is a scam called smishing. Smishing is a form of phishing that involves a text message or phone number. Victims will typically receive a deceptive text message that is intended to lure the recipient into providing their personal or financial information.

How do you tell if someone is scamming you online? ›

Common online scam signs
  1. Tries to gain trust. An online scam will often try to gain your trust in some way. ...
  2. Asks for action. ...
  3. Asks for personal info. ...
  4. Overpays you. ...
  5. Promises something. ...
  6. Wire transfer request. ...
  7. Pretends to be a family member. ...
  8. Offers something you want.
Oct 16, 2021

Can money be sent through courier? ›

Unfortunately, you cannot send cash via courier companies such as DHL, UPS, FedEx, TNT or DPD. This includes any legal tender such as bank notes and coins.

How long does a parcel take from UK to Kenya? ›

Kenya
ServiceCompensationDelivery aim
International Signedup to £50 up to £250 for an additional fee5-7 working days
International Standardup to £206-7 working days
International Economyup to £20Up to 8 weeks

How do I stop fake delivery texts? ›

Type in “block” using your device's search function. For Android phones, look for the three dots in the top right-hand corner of your text. Click on it and select “People” and “Options.” Next, select “Block” to stop receiving spam text messages from that number.

How do I stop fake parcel messages? ›

If you have lost personal information to a scammer you can contact IDCARE or call 1800 595 160.
...
If you receive one of these scam SMS messages or emails:
  1. report it to Scamwatch.
  2. delete the message.
  3. do not click on any links or call any telephone numbers associated with the message.
Feb 9, 2022

What can a scammer do with my phone number? ›

Your phone number is an easy access point for scammers and identity thieves. Once they know your number, they can use it to send you phishing texts, trick you into installing malware and spyware, or use social engineering attacks to get you to hand over your personal identifying information (PII).

How do you tell if you're talking to a scammer? ›

Know what to look for

you don't know contacts you out of the blue. you've never met in person asks for money. asks you to pay for something or to give them money through unusual payment methods such as gift cards, wire transfers or cryptocurrencies.

What are the characteristics of a scammer? ›

How to spot a scam - the warning signs
  • 1) Unusual payment requests. Being asked to pay upfront, to change bank details, or to pay via a money transfer service, can all be big warning signs.
  • 2) Authority. ...
  • 3) Urgency. ...
  • 4) "Don't tell anyone" ...
  • 5) Playing on your emotions. ...
  • 6) Too good to be true?

Do I need to pay money if receiving a parcel from abroad? ›

If you are receiving a shipment from abroad there is no duty-free amount. Exemptions are only available when traveling. Your friend paid the cost of shipping and was given an option, either to have duty and taxes charged back to them or to have you pay duty and taxes.

Which company gives cash on delivery? ›

1. BlueDart Cash On Delivery Courier-Service Company In India.

Who offers cash on delivery? ›

As mentioned, GrubHub is one of the rare delivery services that accept cash payments. Most of the competition refuses straight up (Instacart, Postmates, Uber Eats, DoorDash, and many others). GrubHub also accepts many other payment options, including credit and debit cards, PayPal, Apple Pay, eGift, and Android Pay.

Why do I have to pay to receive a package from UK? ›

Why do I have to pay for a parcel from the UK? Because the United Kingdom has become a so-called "third country" as a result of the exit from the EU, they are no longer in the European customs union. As a result, free movement of goods is no longer possible and export and import declarations must be made.

How long does customs clearance take in Kenya? ›

Assuming all goes well (including the fact that the pre-clearance process is undertaken), the entire customs clearance process should take you approximately two days. Once your cargo is given the green light to be removed from the customs area, delivery to your residence can then be scheduled.

How much is parcel to Kenya? ›

Country Conditions for Mailing - Kenya
Weight not over (lbs.)Parcel Post Rate
1$16.75
219.50
322.65
425.30
21 more rows

Can you get scammed by opening a text message? ›

Text message or SMS phishing—also called “smishing”—occurs when scam artists use deceptive text messages to lure consumers into providing their personal or financial information.

What happens if you open a spam text? ›

Clicking on a link from a spam text could take you to a fake website explicitly set up to steal your money or personal information. In some cases, the website could infect your phone with malware, which may spy on you and slow down your phone's performance by taking up space on your phone's memory.

Why am I getting so many spam texts all of a sudden? ›

If you are getting spam texts, it's more than likely that whoever is sending you a spam text message is trying to get access to your personal information—bank accounts, passwords, social security number, online IDs and more.

Can someone hack my bank account with my phone number? ›

With your phone number, a hacker can start hijacking your accounts one by one by having a password reset sent to your phone. They can trick automated systems — like your bank — into thinking they're you when you call customer service.

Can someone hack my phone by texting me? ›

Android phones can get infected by merely receiving a picture via text message, according to research published Monday. This is likely the biggest smartphone flaw ever discovered.

What are signs that your phone is hacked? ›

One or more of these could be a red flag that some has breached your phone:
  • Your phone loses charge quickly. ...
  • Your phone runs abnormally slowly. ...
  • You notice strange activity on your other online accounts. ...
  • You notice unfamiliar calls or texts in your logs. Hackers may be tapping your phone with an SMS trojan.

How do you know if someone online is real? ›

The 8 Ways to Spot Fake Online Profiles
  1. Fake online profile power words. ...
  2. Nonsensical messages. ...
  3. They only have one photo. ...
  4. They have empty profiles. ...
  5. Empty social networks. ...
  6. They're “famous” or “royals” ...
  7. They're way too forward or flirty. ...
  8. They request your personal information.

How do scammer know your name? ›

Spammers often release information-gathering programs called “bots” to collect the names and e-mail addresses of people who post to specific newsgroups. Bots can get this information from both recent and old posts.

Can a scammer video call? ›

Fake Video Calls Be Gone!

Fake calls using software like ManyCam do work, but unless you're using exceptional hardware, most of the time, a fake video call is easy enough to spot. Mobile apps like WhatsApp and FaceTime have built-in security mechanisms to prevent fake video calling and other such scams.

Videos

1. How Apple AirTags are becoming Dangerous ⚠️
(Mrwhosetheboss)
2. The dangers of romance scams and how not to get caught out.
(SBS Insight)
3. SCAMMING THE SCAMMERS w/ Scammer Payback, Jim Browning, Karl Rock & Pleasant Green [BIGGEST COLLAB]
(Trilogy Media)
4. I Got Scammers ARRESTED On Their CCTV Cameras!
(Scambaiter)
5. The Level1 Show August 30 2022: US Chips Not For Sharing
(Level1Techs)
6. r/Scams | is this another scammer?
(EmKay)

You might also like

Latest Posts

Article information

Author: Edmund Hettinger DC

Last Updated: 10/10/2022

Views: 5941

Rating: 4.8 / 5 (78 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Edmund Hettinger DC

Birthday: 1994-08-17

Address: 2033 Gerhold Pine, Port Jocelyn, VA 12101-5654

Phone: +8524399971620

Job: Central Manufacturing Supervisor

Hobby: Jogging, Metalworking, Tai chi, Shopping, Puzzles, Rock climbing, Crocheting

Introduction: My name is Edmund Hettinger DC, I am a adventurous, colorful, gifted, determined, precious, open, colorful person who loves writing and wants to share my knowledge and understanding with you.