Beware of fraudulent DHL campaign scam

by Lorraine Williamson

The Spanish National Cybersecurity Institute (INCIBE) has reported in a recent press release that a fraudulent campaign is underway, impersonating the reputable courier company DHL.

The campaign involves deceptive emails and SMS messages urging recipients to click on malicious links, leading to fraudulent websites where personal and banking information is solicited.

Fraudulent DHL campaign details

The phishing and smishing attacks involve the impersonation of DHL, a renowned courier service. However, the fraudulent emails lack the typical format of DHL communications. Moreover, they display an unusual structure and a lack of corporate logos and images. Additionally, the content is presented in various languages, and the provided links divert to domains and pages unrelated to DHL.

Detected subjects in phishing campaign

  1. “DHL Service XXXXXXXXXX – Case Created”
  2. “Your Order is Ready for Dispatch”


How to identify fraudulent messages

The fraudulent messages exploit the pretext of a failed shipment, claiming that a payment for customs is required to proceed with the delivery promptly. Clicking on the provided link redirects users to a purported service platform, detailing the shipment status. The victim is again prompted to make the customs payment. If the process continues, the fraudulent page requests personal information, including address, date of birth, phone number, and email. Subsequently, credit or debit card details are solicited, comprising the cardholder’s name, card number, expiration date, and CVV. Clicking “Next” at this stage sends the user’s information to the cybercriminal.


Other variants of the fraudulent campaign

Various URLs are employed in this campaign, each following a similar process. Initially, users are asked to confirm their identity through a test to give the illusion of accessing an official service.


After this step, a form is presented, requesting information similar to that in the previous example. Following this, users are prompted to provide their bank card details.


A verification code is then requested, purportedly sent via email or mobile device for payment confirmation. However, this code never arrives. Any combination of numbers will advance the process, after which the page reports a successful payment and confirms shipment within the next seven days.


The cybercriminals use these verification steps to enhance the credibility of the fraud, mimicking the typical procedures of legitimate online purchase websites. Unfortunately, reaching this point exposes users’ data to the cybercriminals, necessitating immediate action to prevent potential cybercrimes.


Protective measures

If you have received such an email or SMS but haven’t clicked on the link, mark it as spam, block the sender, and delete the message from your inbox.


However, if you have accessed the link and proceeded with the payment, follow these recommendations:

  1. Capture screenshots of the entire process and preserve all possible evidence of the fraud, including the attached links.
  2. Over the coming months, monitor the internet for the presence of your personal data through egosurfing and exercise the right to be forgotten.
  3. When receiving similar emails or SMS in the future, verify their authenticity from official sources.
  4. Report the fraud to INCIBE and/or contact INCIBE’s Cybersecurity Assistance Service to help other users avoid falling victim to such scams.
  5. If you have a DHL delivery pending, verify its status through the official DHL link.
  6. Explore DHL’s dedicated section on fraud awareness for additional information.


Stay informed about these types of frauds and social engineering attacks through the “Citizenship” section on INCIBE’s platform. Remain vigilant to protect yourself and others from falling prey to such cybercrimes.
