Another day of lockdown…
…another “package delivery notification” scam.
Here’s another reminder to think before you click, even if it adds a few seconds to your day to review what the offending email is asking you to do.
We’d like to think that you’d easily spot that this one is bogus – we’ll explain why in the article – but we can equally well see why it might seem harmless enough to click through.
Many scams of this sort that we’ve written about before rely on squeezing you to act, luring you to click, or a bit of both.
For example, delivery scams often entice you by telling you what cool “item” is on its way, such as a mobile phone that someone is sending you as a gift.
At the same time, they pressurise you to act quickly by warning you that delivery will be delayed or even cancelled if you don’t pay a necessary fee to release the article from storage.
To avoid sounding greedy, and to imply that they’re not fraudsters, the amount to pay is often very modest, such as $1, which doesn’t sound like the sort of money a scammer would ask for if they were in it for the cash.
That’s because they aren’t in it for the money up front – indeed, they never intend to bill you at all, because it’s your personal data that they’re after instead.
This time, the crooks are following a much more relaxed formula that doesn’t say much more than, “Hey, here’s how to track your delivery,” which is the sort of message you might reasonably expect when you order something, or when someone orders something for you:
Incoming Package Notification!
This it to notify you that you have an incoming shipment registered in your email [REDACTED]. Please follow the URL below to track your shipment.
And that’s all there is to the email.
OK, so the exclamation point after the word “Notification” probably wouldn’t be there in a genuine notification – it’s a notification, after all, not a warning or an alert.
More importantly, however, hovering over the link would show you a website name you’ve never heard of (this scam used a hacked webserver belonging to a construction company in Bahrain, as it happens).
If you click through just to see what this is all about, you’ll see a similarly simple web page:
As unexceptionable and as unscammy as the page itself looks, the address bar is a fortunate giveaway that this is a scam.
The URL (which we’ve masked out here) wasn’t on a lookalike or soundalike domain name, so it looked completely different to any website you might expect for a DHL server.
Also, there’s no padlock, because the URL started with http:// (insecure) rather than https:// (session encrypted).
Ironically, the web service used by the company whose website was hacked did support HTTPS, and the site had a valid HTTPS certificate, but the crooks neglected to take advantage of the encrypted connection.
As we’ve said before, the presence of an HTTPS certificate doesn’t mean you can trust the site and its content, just that your connection can’t easily be snooped on.
But the absence of an HTTPS certificate on legitimate sites is so unusual these days that you should take it as an immediate warning sign that all is not well.
Of course, if you don’t spot the warning signs and you do put in your password, the data doesn’t go to DHL but straight to the crooks, who are likely to try out your password not only on your real DHL account but on any other account they can think of that you might have. (That’s why you never use the same password on more than one site!)
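As an added illustration (not code from the original article), the following Python routine applies the two checks described above to a link: the missing padlock (an http:// scheme) and a host that is not a carrier domain, distinguishing an unrelated server from a lookalike name. The DHL domain list and the sample links are assumptions constructed for the example.

```python
"""Triage a link from a suspected delivery-scam email.

Added example, not code from the original article. It applies the two
checks described above: is the connection plain http:// instead of
https://, and does the link host really belong to the carrier, or is it
a lookalike name or an unrelated (possibly hacked) server.
"""
from typing import List
from urllib.parse import urlparse

# Domains a genuine DHL tracking link would be expected to use.
# Assumed for this example; a real filter would take this list from the carrier.
EXPECTED_DOMAINS = {"dhl.com", "dhl.de"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.
    Good enough here; a production filter would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_link(href: str, brand: str = "DHL") -> List[str]:
    """Return the red flags found for one link; an empty list means none were found."""
    flags = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        # The article's 'no padlock' sign: the page is served without encryption.
        flags.append(f"no padlock: scheme is '{url.scheme or 'none'}', not https")
    if registrable_domain(host) not in EXPECTED_DOMAINS:
        if brand.lower() in host:
            flags.append(f"lookalike host '{host}' mentions {brand} but is not a {brand} domain")
        else:
            flags.append(f"host '{host}' is unrelated to {brand}")
    return flags


# Constructed sample links, modelled on the article: a genuine-looking tracking
# URL, a hacked third-party server over plain http, and a lookalike domain.
SAMPLES = {
    "genuine": "https://www.dhl.com/tracking?id=CONSTRUCTED",
    "hacked_server": "http://www.example-construction.bh/track/index.php",
    "lookalike": "https://dhl-delivery-notice.example/login",
}

if __name__ == "__main__":
    for name, href in SAMPLES.items():
        print(f"{name}: {triage_link(href) or ['no red flags']}")
```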
What to do?
- Don’t be fooled just because you’re expecting a delivery. The crooks don’t have to know you are waiting for a delivery to get the timing right. Especially during the coronavirus pandemic, they can simply assume you are and they’ll be right for a lot of people a lot of the time.
- Treat delivery messages as notifications only and ignore the links. It’s a bit more hassle, but avoid clicking on links at all in messages like these. When you order items online, make a note of the right website to use for tracking the item, and go there yourself if there is any problem reported with delivery.
- Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate. Consider going to your laptop if you can, and checking out the link from there. It’s worth the extra trouble because the address bar is bigger and tells you more.
- Use a third-party security product on your phone. Sophos Intercept X for Mobile adds to the built-in protection in your phone because it helps to keep you away from risky websites to start with.
- Change any password at once that you put into a site you later realised was bogus. The sooner you change your current password, the less time the crooks have to try and use it. If you get as far as a “pay page” where you enter payment card data and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
Dow
In this line, “As unexpectionable and as unscammy as the page itself looks”, I think you meant to type “unexceptionable.”
Paul Ducklin
That’s a complicated word to spell given its meaning. Thanks, fixing now!
Richard
“… hovering over the link wouldn’t show you a website name you’ve never heard of …”
Surely you mean it *would* show you a website you’d never heard of?
Or that it wouldn’t show you a website you’d *ever* heard of?
Double-negatives aren’t not hard to get right. :)
Paul Ducklin
Fixed, thanks.
Wendy Sanderson
I am fed up getting these stupid emails popping up. How can I stop them? There are so many. Help.
Anonymous
Click on the name/department of the person that sent you the mail and it won’t relate to dhl or any other delivery company. Here’s one from one of the 250 Spam delivery messages currently sitting in my junk mail [REDACTED].
Nancy
What do I do if I clicked on the link before realizing it was a bogus email?
Dear customer.
Your package will be returned to the sender.
You have exceeded the delivery time.
For the return of your package.
Confirm your postal address correctly:
View Document in attached file.
Regards,
Helen Simmons
Customer Care
DHL International GmbH. All rights reserved.
Paul Ducklin
As long as you didn’t enter any personal information (e.g. credit card details) you should be fine. If you did tell the crooks your card number, call your bank right away and get your card cancelled and a new one issued, and keep your eye on your statements!
Catherine Hinkle
My emails are being sent with “DHL Customer Support” in my To: line. What is this? And how do I remove it? I have nothing to do with DHL so I am perplexed. Has my account been hacked?
Bukalaka
I have entered my credit card number and sent it too, but it showed this message: “The transfer is declined”. Then after 2-3 days I realised that the website was a scam. What do I do?
The money is still the same in my credit card… does it mean that I’m not hacked ??
Paul Ducklin
If you entered your card data and submitted the fake form then you can assume that the crooks *do* have as much of your card data as you typed in. Even if that is just the long number plus the expiry date, your account is at risk. If you entered the short code printed on the back as well, you can consider that to be a serious risk.
If I were you I would report the incident to your card provider as soon as you can and get another card.
Fritz Jörn
1. Normally notices are addressed to you personally by name, not with a general “Dear Customer” or the like.
2. Be sure to scroll to the end of the message. My newest was full of blank spaces – before an original message to a French stranger ([REDACTED] in Nambsheim, order from July 2019, Paiement Paypal) – became visible far below the first visible page.
3. Before clicking any link in the message, I “reply” to the mail (without really replying!), then change to “text only”. So I can see the real link addresses, leading elsewhere … My latest wants to send me to “[REDACTED BUT DEFINITELY NOT THE RIGHT SITE].com”.
4. If you get frequent spams with the same subject, add a “rule” for your inbox to move these messages into a separate (sub)folder like “rejected-spam” and delete them some time later.
Stacy H
Your package [REDACTED] is waiting for delivery.We recommend you take the time to read our Terms and Conditions. Thangjfgjgfjfjggggfjfgjfjfjfjg67686786k you for cdcdcddvdvyour valued tom
Please confirm the payment of the shipping cost (2.99) to ship the package to your home.
You can follow its route by clicking below:. Maybe try a search?your valued custo
Tracking the package
Best regards
Accessibility 2021 @ DHI International . All rights reserved.
Thanks,
Paul Ducklin
Note all those weird extra characters that showed up when you did copy-and-paste… in the email as viewed they were probably set up via HTML tags to be tiny or in an invisible colour, making it easy for the crooks to make each email very slightly different (this can confuse basic spam scanners).
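As an added example (not from the article or the comment above), this Python snippet normalises an HTML email by discarding text hidden with inline CSS, so two differently salted copies of the scam compare equal; the hidden-style patterns and the two sample messages are constructed assumptions.

```python
"""Drop invisible 'salting' text from an HTML email before comparing copies.

Added example, not from the original article or the comment above. It models
the trick described there: junk characters hidden with inline CSS so each copy
of the scam hashes differently. Comparing visible text makes the copies match.
"""
import hashlib
import re
from html.parser import HTMLParser

# Inline styles that hide text. Assumption for this example: the mail
# background is white, so white text counts as hidden too.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(px|pt)?(?![\w.])"
    r"|(?<![\w-])color\s*:\s*(#fff(fff)?|white)\b", re.IGNORECASE)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # tags with no end tag


class VisibleTextExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.parts = []
        self._hidden_depth = 0  # >0 while inside a hidden element or its children

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        if self._hidden_depth or HIDDEN_STYLE.search(style):
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if self._hidden_depth and tag not in VOID_TAGS:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth:  # keep only text a reader would see
            self.parts.append(data)


def visible_text(html):
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.parts).split())  # collapse runs of whitespace


def fingerprint(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Two constructed copies of the same scam, salted with different hidden junk.
VARIANT_A = ('<p>Your package is waiting for delivery.<span style="font-size:0">'
             'jfgjgfjfj67686</span> Please confirm the shipping cost (2.99).</p>')
VARIANT_B = ('<p>Your package is waiting for delivery.<span style="display:none">'
             'cdcdcddvdv</span> Please confirm the shipping cost (2.99).</p>')
```

The raw copies hash differently, but `fingerprint(visible_text(...))` is identical for both, which is the comparison a spam filter should make.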
Lehlgonolo
Hi, I have received messages that say I’m selected to win a phone and must answer 9 questions. I won, and I must give my bank details for the shipment fee, but so far I didn’t because I don’t trust them. How is it possible that I’m winning but still must pay some fees? I asked them to post it to my address but they always say they didn’t find anyone at the address I gave them.
Paul Ducklin
It isn’t free if you have to pay! This is called “advance fee fraud” because it means you pay money (or hand over bank details) in advance but never get the “free” item you paid for. In this case you are giving the crooks access to your account… in return for nothing! Don’t do it…
charles hardcastle
The word is “unexceptional”. Don’t try to sound erudite if you don’t know the words. It seems people are just making them up nowadays, for instance: tooken, boughten, furthest (there really is no such word, it is distance so it is “farthest”). And so on.
Paul Ducklin
Well, I disagree with your claim that there is no such word as “unexceptionable”, and the editors of both the Oxford Dictionary of English and the New American Oxford Dictionary disagree with you, too.
In fact, both of those dictionaries include a special sidebar in which they discuss the differences between “exceptional” and “exceptionable”, and between “unexceptional” and “unexceptionable.” Although the Oxford lexicographers admit that the negative versions of these words (the ones that start un-) are sometimes used interchangeably these days, they also insist that these words can, and do, usefully convey different meanings.
When I use the word “unexceptional”, I generally use it to say that something is “satisfactory but not outstanding.” When I use the word “unexceptionable” I mean to say that something is “not open to objection”, i.e. that it “doesn’t stand out as obviously bad”. So an unexceptional phishing message is one that wouldn’t win any prizes for looks or inventiveness at an awards ceremony held by cybercrooks. An unexceptionable phish is one that you would be inclined to accept.
Indeed, I think you could usefully describe the fake message in this article as both unexceptionable *and* unexceptional.
Interestingly, the same dictionaries are perfectly happy with the words “further” and “furthest”, along with “farther” and “farthest”. (The dictionaries particularly note that “further” is far more commonly used than “farther”, for what that is worth).
So, despite your insistence that neither word even exists, I think we can say that the use of both “furthest” and “unexceptionable” is, in a word, unexceptionable.
Chandra Carrier
I got one this am from DHL saying that my package is scheduled for delivery but won’t be delivered until I pay $3.99 Cnd. When I clicked on it, stupidly, I noticed that the address bar was not DHL. Also, Outlook stopped it and I didn’t go any further. Which prompted me to look it up and ended up here. Ty for all your hard work at keeping us informed!!
Paul Ducklin
It’s a pleasure. Glad you found the information you needed here!
Anonymous
I had an email this morning from what looked like DHL but below it said BHL. It claimed they have tried to deliver a parcel and even showed a photo of it! And of course the expected £2 fee and details of my credit card etc. Definite scam.
Paul Ducklin
Good old BHL! Competitors of Hedex, Royal Nail, Canada Gost and the US Postal Tervice, I guess…
Not Falling For It
I received a similar email this evening. The tracking number in the email was completely different than the tracking number from the actual shipper.
Also the logo design was different. In the hoax email, the letters are “BHL”. They are in red with no white space in the letters and only two red lines before the B and after the H. The real DHL letters have white spaces and three lines before the D and after the L.
This email said they had tried to deliver a package, but no one was present to sign for it.
Tim Harris
I’ve been inundated with emails from an apparently bogus DHL Express to pay customs for a package that’s waiting for me. I have clicked on the links to see where it takes me and I may have put credit card information in but without completing the transaction, that is without clicking ‘pay.’ I then just closed the window. Would this mean the scammers now have my credit card information?
Paul Ducklin
Possibly. Probably. At least, you should assume that they do, because with the right JavaScript in their fake page they can not only capture completed data (after you click [Pay] or [Submit] or whatever) but also get feedback about each keystroke as you type it in. (Indeed, if you make a mistake and hit backspace to correct it, they’ll get the wrong data plus the backspaces plus the right data!)
This is the same trick that search engines use to “guess” what you are searching for as you type it in and to make those often eerily accurate predictions before you finish typing in the whole phrase.
HtH.
Louise Viau
Expecting a package I filled in the information requested by the scammers when they indicated they were having trouble delivering. As I happen to live in a very rural area, the scenario seemed quite plausible. Once I hit the send button an ad appeared for bath beads. This was the moment I realized it was a scam since a courier company would not issue such an ad. I was on the phone cancelling my card within five minutes of making the transaction. Too bad I didn’t have such clarity of thought BEFORE I made this transaction. Unfortunately this is the second time this year my card has been compromised – the first time I had no idea how my information was gleaned. I have had several near misses, but by checking with sites such as this one for potential scam activity, I have been able to avoid larger financial catastrophes. Experiences like this make the victims feel violated and stupid – fool me once and shame on you, but fool me twice and shame on me.
Monika Barnett
This is so helpful! Thank you all! I am waiting for a package and innocently clicked on the DHL notification. When I put in the tracking number issued by the actual shipper, it got me to a website that said nothing but: blank –
I then closed the browser. Would the scammers have gleaned anything at all from my click?
Paul Ducklin
Assuming that the tracking number is unique to the scam message you received (sometimes they are; sometimes they aren’t), the crooks will be able to tie the click to a specific person on their (probably very long) list. This could, I suppose, get you added to a database of “possible victims who recently took the first step”, but whether or not the crooks care about this level of detail any more, I have no idea.
I regularly check out scammy links, mainly to see if there’s a worthwhile Naked Security warning I can write up from them, but often don’t. I have no evidence that this affects the amount or type of scammery I subsequently get either way… I seem to get plenty of scams and spams anyway.
Years ago, you’d see advice such as “never try to unsubscribe from spam lists… you just make the spammers keener than ever.” It sounds like there might be science in that, but my experience has been that once you’re on a list, that’s that. Whether you beg, wheedle or threaten them to get taken off, or studiously ignore them for evermore…
…seems to have no measurable effect. It costs them nothing, so they might as well spam everyone every time.
Which is a long way of saying that I don’t think you told them anything they didn’t know already, assuming that you *only typed in the tracking number they gave you*, and not any data about yourself they might not have known. So if I were you I wouldn’t worry about it.
Just remember that anything you type into a web form, even if you never click the [OK] button, or immediately use the [Backspace] key, can be captured. So it’s what you typed in that really matters…
Jan
Hi, I got such an email, and opened the attachment on my phone, but before anything was loaded I closed the window as I realised this looked suspicious.
The attachment was: Transport_doc_09142022.html
Is there any potential danger, or no need to worry? I did not enter any information or so. Just clicked on the attachment.
Thanks
Jan
Paul Ducklin
Opening an attachment is generally a bit more dangerous than clicking a link – especially on a laptop computer, because an attachment that claims to be an HTML file might actually be something more dangerous. On your phone, you are probably OK as long as you didn’t do anything more than open it and then close it without clicking anything in it or entering any data.
If you are on Android you could always download an anti-virus (search Sophos in Google Play for our free one) and scan your device to look for security problems…