Update November 2019! New DHL scam is plaguing users. DHL scams, including related emails, messages and websites in this article. If you see a Fake DHL text message 2019 know that it is a DHL phishing scam. If you suspect your computer device is infected, scan your system with a security program.
SIDENOTE: This post was originally published in February 2018. But we gave it an update in November 2019.
DHL Scams are quite widespread across the World. From specially crafted websites that push such scams, to specific messages sent to targeted email addresses, the DHL brand has been used in DHL scams for nefarious reasons. Such reasons include the stealing of DHL credentials, personal information or pushing malware with a hidden agenda in most cases. More and more users fall victim to these scams as they are recurring and keep reappearing every few months. That is due to the fact that every new variant of a scam tends to mimic DHL closer than before, making it more believable with each new attempt. Ultimately, you will be asked to login or visit a URL address and do some action or pay for a shipment via another service. You should avoid any links other than the official DHL ones and you will see how you can differentiate between them and the ones used in DHL scams in this article.
|Type||Phishing, PUP, malware|
|Short Description||Phishing messages trying to trick you into clicking links to get redirected. Once redirected you will be asked to do an action, such as providing personal details, data about credential information or fill in a form. In some cases, clicking a link will download malware on your PC.|
|Symptoms||You receive an e-mail message that is allegedly from DHL. You will be urged to click on a link. You can then get malware on your computer or get redirected from link to a landing page mimicking the DHL website asking you to fill in information.|
|Distribution Method||Phishing Emails, Pop-up messages, Redirects|
|Detection Tool|| See If Your System Has Been Affected by DHL Phishing Scams |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss DHL Scams.|
DHL Scam Emails 2019 – Update November 2019
DHL scam emails are more frequent than before. Users are reporting DHL scam emails by the dozen. The modus operandi of the DHL scam emails has not changed drastically, although a phone number might be involved, making for a DHL scam call every once in a while. If you are having any doubt and if the emails you have received are indeed DHL scam emails then look no further – in this article we have gathered the most common of these scams, what they do and how to protect yourself from them.
Fake DHL Text Message 2019 – Update August 2019
DHL Scams are prominent in August 2019 as much as in the past. DHL scams are phishing type of scams which aim to trick you into clicking on links, download malware and all kinds of malicious activities. DHL scams are mainly pushed via email, as users are not expecting DHL scams in their letters, even if these DHL scams are in the spam folder. The Fake DHL Text Message 2019 is the latest variant which features the following text:
Subject : Re: DHL Notification / DHL_AWB_0011179303/ ETD
We attempted to deliver your item at 2:45 PM on Aug 13th, 2019. (Read enclosed file details)
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent.
If the parcel is not scheduled for re-delivery or picked up within 72 hours, it will be returned to the sender.
Label Number: (Read enclosed file details)
Class: Package Services
Service(s): (Read enclosed file details)
Status: e-Notification sent
Read the enclosed file for details.
You can use folder explorer to open the folder if it doesn’t open by default.
DHL Customer Service.
2019 © DHL International GmbH. All rights reserved.
If you see the DHL Text Message 2019 then know that it is a scam trying to con you, so you should avoid it.
Fake DHL Text Message 2019 – Update February 2019
In February 2019 a new global DHL phishing scam was uncovered carrying the Muncy malware. Computer hackers are using a sender email address which may be mistaken for coming in from DHL themselves — support@dhl[.]com. It uses the subject line of “DHL SHIPMENT NOTIFICATION” in order to raise attention to its contents. it coerces the recipients into opening a malicious attachments containing a script that downloads and executes the dangerous virus. This technique can be used both with standalone virus files and infected documents which can be of all popular types — spreadsheets, presentations, databases and text documents. When they are opened a prompt will appear asking the users to enable the built-in macros in order to correctly view the contents — this will trigger the malicious payload.
The Muncy Trojan will immediately start to scan the infected machine in order to gather personal information that can reveal information both about the victims and their systems. The data can be categorized into two main types:
- Victim Information — This is data that can directly reveal the identity of the users by searching for strings such as a person’s name, address, interests, phone number and even any stored account credentials.
- Machine Identification — Important parameters can be harvested such as installed hardware parts, operating system data and user settings.
Following this all acquired information will be transferred to the hacker operators via a secure network connection. This Trojan behavior also allows the operators to execute remote code, take over control of the compromised machines and steal user files.
Fake DHL Text Message 2018
A new wave of DHL scams have been detected that are are spoofed to appear as being sent by DHL. This is a very dangerous tactic as it uses the legitimate DHL address and according to the reports this is a global campaign targeting many users at once. The goal of the phishing email scam is to coerce as many victims as possible into clicking on the link in the body contents. This will download an infected document (in most cases a Microsoft Word file) that when opened will request the users to enable the built-in scripts. This will trigger a Trojan infection, the current attack campaign has been configured to deliver the Remcos RAT. Last year theRemcos RAT v1.3.7 infections caused numerous infections around the world.
DHL Scams – Update October 2018
In October 2018 a new wave of DHL scams emerged, possibly being done by another criminal collective. The collected samples associated with it shows that it is not a large-scale attempt. This gives security experts reasons to believe that this may be a test campaign or a small-sized targeted attack. A classic scenario is used by sending email messages that are designed to appear like a legitimate DHL message notification. The following elements are example of what the messages can include:
- Misleading Names — The hackers behind the phishing campaign can all use similar sounding domain names to the real DHL site, signature or domain name. In some cases the sent messages can include the recipient’s real name, personal details and etc. harvested through information gathering techniques or bought on the hacker underground forums.
- Graphics & Design — The criminals can hijack the graphics, layout and overall design from actual DHL messages. They can confuse the users into thinking that they have received a legitimate notification.
- Required Interaction — Many of the collected samples require the recipients to perform some kind of interaction. This is usually the point where malicious behavior can be observed.
The exact contents of the DHL phishing message is a delivery notification. The body contents reads that the users has received a parcel and they need to download a receipt that is to be given to the courier. A view document is attached which will lead to malicious behavior. Depending on the individual hacker configuration there can be several different outcomes.
This can lead to the download of infected malware payloads. In the case of DHL notifications this is usually a document of any of the popular types: presentations, databases, spreadsheets or text files. Whenever they are opened a notification message will be shown asking the users to enable the built-in scripts. If this is done a virus infection will follow. In other cases the virus file can be directly attached and launched.
DHL Scams – Update August 2018
August, 2018 marks the start for the spread of yet another DHL Phishing scam. The scam consists of a message which is delivered to your e-mail.
You can see it in the below screenshot taken from our Support e-mail Inbox:
The email is around 39 KB in size and its contents are the following:
Dear [recipient’s name is included here]
Your DhI express shipment with waybiII number 813347995 from WKDA it on its way and will require a signature
We got an instruction from our client to contact you on the above subject. Below is your Shipping documents/Invoice and copy of DHL receipt for your tracking. Please confirm accordingly if your address is correct, before we submit to our outlet office for dispatch to your regional office.
View Your Shipping Documents/Invoice and Copy of DHL Receipt CLICK HERE:
2018 © DHL International GmbH. All rights reserved.
Office. +1 (800) 321-8807 feel free
Visitingaddress: 180 Park Avenue,
Building 105 , PO Box 950, 07932 Florham Park, NJ
UHS of Delaware, Inc. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this information is prohibited, and may be punishable by law. If this was sent to you in error, please notify the sender by reply e-mail and destroy all copies of the original message.
© 2018 DHL Express | Customer Service |
As you can see, the scam involves a link labeled “CLICK HERE” as well as a telephone number, which if you dial will probably have a cybercriminal on the other line. Not to mention that if you click the telephone number another number might be dialed.
Do not follow any instructions given in such a message. Make sure you are dealing with an official message from DHL and not a phishing scam.
DHL Scams – Update April 2018
In late March and the beginning of April 2018, another DHL phishing scam emerged. The scam tries to trick users that if they want to track their package, they need to enter their email address and password. This is how the phishing page looks:
As you can clearly see, the design looks really close to that of the original DHL website but it differs. The DHL brand and logo are clearly cropped with some software and pasted on the page. The landing page feels cheap, but if somebody doesn’t look into these details and is expecting a package, might fall for the scam.
DHL Scams – Distribution Ways
DHL Scams might distribute via a third-party installation setup. Applications connected to DHL Scams can intrude your computer, without your knowledge of that. Installer setups like those could be set by default to install additional components. Bundled packages and freeware setups regarded as PUPs could be distributed and push scam messages to your PC and browsers. To avoid installing unwanted applications, you can to search for the Custom or Advanced settings. If you find such, you could probably deselect anything you do not want on your machine.
Note! These types of DHL Scams were seen to be pushed via e-mail address messages on a large scale as seen on the below screenshot. Beware of any messages that have links to DHL services that you don’t remember using.
DHL Scams might distribute itself by using similar websites which are hosting phishing landing pages. Websites like those use the DHL brand without permission and to an extent you might not differentiate the original with the fake website. Clicking on just one redirect link or an advertisement could send malware to your computer system. In addition, banners, pop-ups as well as more kinds of adverts could be placed on top of browser pages to push more links and phishing messages. Any browser could be affected and any operating system for that matter.
DHL Scams – In-Depth Overview
Many scams related to DHL are circling the Internet nowadays and seem to increase every month. This article will reveal the vast majority of scam types which suggest that you have to use the DHL Service in some way or form to receive some shipment or reward via DHL. The scam is not exactly new as versions of it can be observed from years ago. Although, every year the scam gets more and more sophisticated and has built a higher popularity amongst users. People that fall victim to such scams is surprisingly growing instead of decreasing.
Websites that are hosting such DHL Scams can load pop-ups and other advertising content as you are browsing to help popularize it. Heaps of advertisements might show, promoting a way to obtain a shipment or something else via the DHL brand.
DHL Scams – Ursnif Malware Delivery
When this is done the infection script download a dropper which will first generate a lot of Internet traffic that may seem random. This is done in order to make detection more difficult.
In the end the dropper will download and extract an extract a second-stage file. It will establish a connection with a hacker-controlled server which uses signatures that are identical with Ursnif malware samples. Further information about the Ursnif malware samples detected in the DHL scams reveals that the third-stage of the malware also installs itself as a persistent threat. This means that it will manipulate the Windows Registry making it very hard to remove.
This infection allows the hackers not only to spy on the users, but also execute commands, hijack their data and take over control of their machines at any given time.
”DHL Parcel Arrival Notification” Scam
This scam is a recurring one, which means that it keeps showing up, year after year, months after months. The scam shows you a notification of a “DHL Parcel Arrival”.
You can preview a variant of the DHL Parcel Arrival scam message below:
From the above image, you can see an e-mail message with stating that you have a DHL Parcel awaiting delivery. That message can also be sent via SMS to targeted phone numbers, containing nearly the same message. Here is what such a message contains:
From: DHL Express
Date: Sat 20/05/2017 14:37
Subject: Attention: You have 1 New Parcel for delivery
You have 1 New Parcel for delivery. Our courier was unable to deliver the parcel to you due to incorrect delivery details.
To receive your parcel, Please see and check attached shipping documents.
CLICK HERE TO VIEW STATUS
With kind regards, DHL Express
CONFIDENTIALITY CAUTION: This message is intended only for the use of the individual or entity to whom it is addressed and may be confidential in nature. If you are not the intended recipient, please notify us immediately by return e-mail and please do delete this message. You should not disseminate, distribute, copy or disclose any information contained herein to any third party. **Please consider the environment before printing this email**
Somewhere inside the message there will be a link. That link may look like the official URL address of the DHL service but do not get fooled. The link will redirect you to a phishing page that may look very similar to a legitimate DHL-hosted page, but has a suspicious URL that is not located on the DHL official domain. In this case, the link ““http://parkietserwis.pl/lib/ckeditor/plugins/allmedias/meant/views.php”” will land you on a page with a long address, such as “http://wensli.com/ckfinder/userfiles/home/set/s1xc2ivesfegjjb9o2byvpg7.php?rand=13InboxLightaspxn.1774256418&fid&1252899642&fid.1&fav.1”, as seen below:
Afterward, you will be prompted to enter your email address and password to the DHL service. In case you are wondering why, it is due to the fact that the cybercriminals want to steal your DHL account and related online identity. If you proceed and enter both of these details, you will be redirected with a message that you have entered an “invalid password”, tempting you to enter your details “correctly” and carefully. If you go the rounds one more time, you will get the following page to display:
Here is where you should get suspicious. Why would the company need your address sent again, if you indeed ordered something? In case you did not get suspicious and went on and filled the details on that page as well, you will finally get redirected to the official page of the DHL website. You should be wary of any such websites and if you doubt the contents of a message that is supposedly from DHL you should ask your family household if anybody ordered something via the service or login by entering the official URL into the address bar.
”DHL Shipment Notification” DHL Scams
The DHL Scams have many variations, but what you will see the most are the following messages, displayed in the below screenshots:
”DHL Shipment Notification” DHL Scams will generate an email message with content of something in the lines of the following:
From: DHL Customer Support
Date: Thu 30/03/2017 14:58
Subject: DHL Shipment Notification : 1860915879
Notification for shipment event group “Delivered ” for Thu, 30 Mar 2017 14:57:31 +0100.
AWB Number: 1860915879 Pickup Date: Thu, 30 Mar 2017 14:57:31 +0100 Service: N Pieces: 2 Cust. Ref: G Description: DOMESTIC EXPRESS
Ship From: Ship To:
NBL S. A. NA * – 49796 NA
EVENT CATEGORY Thu, 30 Mar 2017 14:57:31 +0100 – Shipment delivered – Signed By – M C
Shipment status may also be obtained from our Internet site in USA under http://track.dhl-usa.com or Globally under http://www.dhl.com/track
Please do not reply to this email. This is an automated application used only for sending proactive notifications
You are receiving this email because a notification is configured to receive notifications from Proview.
However, most of the time these messages aim to do the same procedure as the one previously described on the “Parcel” type of scam. That procedure involves redirecting you to a phishing landing Web page and stealing your information (including personal data and credential details). After you input the details on any similar page, you will get your DHL account hijacked, or even worse – your identity stolen and used for other online purchases.
Another DHL Phishing Scam that has been seen in July 2018 is the following email:
Your Shipment has just arrived at our Regional Office and ready for delivery today, but we were unable to confirm your delivery address.
Please Download and print the attached receipt to duly complete the Identity check required for verification of your delivery address and forward to nearest DHL office.
Your shipment will be on hold Until the security check is completed.
Please endeavor to be as accurate as possible to reduce time of clearance and recipient confirmation.
NOTE: IF YOUR PACKAGE IS NOT DELIVERED OR PICKED UP WITHIN 48 HOURS, IT
WILL BE RETURNED TO THE SENDER. CONTACT US FOR FURTHER ASSISTANCE
Thank you for using our services.
DHL Express Services
(c) 201-2019 DHL International
1 attachments (total 53.9 KB)
CONFIDENTIALITY NOTICE: This message is from DHL and may contain
confidential business information. It is intended solely for the use of
the individual to whom it is addressed. If you are not the intended
recipient please contact the sender and delete this message and any
attachment from your system. Unauthorized publication, use,
dissemination, forwarding, printing or copying of this E-Mail and its
attachments is strictly prohibited.
A user with a nickname Al Crosby reported it in the comment section of this article.
All of the scams described above, plus others which are similar to them might be advertised or promoted in some shape or form. Do not believe in messages that look suspicious and when you do not recollect if you indeed ordered something described inside the messages. Beware of such scams as they try to look like DHL more convincingly by using similar or the same design as the DHL site network.
Below you will see how to differentiate the usage of the DHL brand from scams and the real thing. You will also find good tips on what to do or not do, so you can avoid getting scammed. At the end of the day, you should also scan your computer in case a malware is causing such messages to show up on your computer screen.
DHL Scams – How to Avoid Them?
In this section, you will find out how to differentiate between DHL Scams and messages from the official DHL brand, following a simple set of rules and guidelines. So, if you are reading this article, you should now know that there is a multitude of scams involving a DHL shipment or parcel notifications. Below you will see what you should research.
Refer to the following link that is of the official page for DHL Fraud Awareness and Prevention.
As you now know about the existence of the scams and the official page of DHL Fraud Awareness, refer to the following guidelines on how to avoid most scams related to the shipping brand:
- Never pay before your goods get delivered
- Do not provide any details about you, your addresses or similar information via email or unknown Websites
- Do not open email attachments, as DHL does not send such, neither it requests users to open such
- Always use DHL.com to refer to pages in connection with the service
- Avoid messages with grammatical or typographical errors
- Avoid emails that are not addressed to you by name
- Avoid messages sent by a service you don’t expect to hear from
- Avoid messages that do not include a tracking number or specific details about your order or address
- Avoid clicking on links to provide your email address for verification
- Avoid payments to someone whose identity you can’t confirm
The guideline rules listed above were constructed by the SensorsTechForum team, via a research done on the matter. These rules are based on common sense and depending on the various scams related to DHL.
Some of these scams related to DHL can be removed by closing the message or browser. In case the scam pages continue to bother you even after that, then you probably have something else on your computer generating them.
How to Get Rid of DHL Scams Completely
All that is required to remove some DHL Scams is to ignore the message, never respond to it and delete it. Other scams require a bit of action, such as thoroughly scanning your computer machine with security software to determine whether you have some malware component that is pushing DHL spoofed messages to your computer, browser or email address.
We highly recommend that all computer users scan their system for active infections and malware using a security program. That could prevent many malicious actions and stop malware of distributing further.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter