Site icon Sophos News

Beware the DHL delivery message email – it could be a package scam

Another day of lockdown…
…another “package delivery notification” scam.
Here’s another reminder to think before you click, even if it adds a few seconds to your day to review what the offending email is asking you to do.
We’d like to think that you’d easily spot that this one is bogus – we’ll explain why in the article – but we can equally well see why it might seem harmless enough to click through.
Many scams of this sort that we’ve written about before rely on squeezing you to act, luring you to click, or a bit of both.
For example, delivery scams often entice you by telling you what cool “item” is on its way, such as a mobile phone that someone is sending you as a gift.
At the same time, they pressurise you to act quickly by warning you that delivery will be delayed or even cancelled if you don’t pay a necessary fee to release the article from storage.
To avoid sounding greedy, and to imply that they’re not fraudsters, the amount to pay is often very modest, such as $1, which doesn’t sound like the sort of money a scammer would ask for if they were in it for the cash.
That’s because they aren’t in it for the money up front – indeed, they never intend to bill you at all, because it’s your personal data that they’re after instead.
This time, the crooks are following a much more relaxed formula that doesn’t say much more than, “Hey, here’s how to track your delivery,” which is the sort of message you might reasonably expect when you order something, or when someone orders something for you:

Incoming Package Notification!
This it to notify you that you have an incoming shipment registered in your email [REDACTED]. Please follow the URL below to track your shipment.

And that’s all there is to the email.
OK, so the exclamation point after the word “Notification” probably wouldn’t be there in a genuine notification – it’s a notification, after all, not a warning or an alert.
More importantly, however, hovering over the link would show you a website name you’ve never heard of (this scam used a hacked webserver belonging to a construction company in Bahrain, as it happens).
If you click through just to see what this is all about, you’ll see a similarly simple web page:

As unexceptionable and as unscammy as the page itself looks, the address bar is a fortunate giveaway that this is a scam.
The URL (which we’ve masked out here) wasn’t on a lookalike or soundalike domain name, so it looked completely different to any website you might expect for a DHL server.
Also, there’s no padlock, because the URL started with http:// (insecure) rather than https:// (session encrypted).
Ironically, the web service used by the company whose website was hacked did support HTTPS, and the site had a valid HTTPS certificate, but the crooks neglected to take advantage of the encrypted connection.
As we’ve said before, the presence of an HTTPS certificate doesn’t mean you can trust the site and its content, just that your connection can’t easily be snooped on.
But the absence of an HTTPS certificate on legitimate sites is so unusual these days that you should take it as an immediate warning sign that all is not well.
Of course, if you don’t spot the warning signs and you do put in your password, the data doesn’t go to DHL but straight to the crooks, who are likely to try out your password not only on your real DHL account but on any other account they can think of that you might have. (That’s why you never use the same password on more than one site!)

What to do?

Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

Exit mobile version