We’ve all got used to shopping online, and over the last year more than ever. As restrictions on travel were enforced during the lockdown, home deliveries have seen an unprecedented boom. Scammers have been using this to their full advantage to exploit the fact that we get so many deliveries from several service providers to harvest credit card details.
The common premise is a missed delivery slot with a prompt to reschedule. Here we look at one from DPD and see how it unfolds.
Before we get into the details, it’s worth pointing out something very important! If you view emails in an application like Outlook or in your browser, certain content may be blocked by default unless you have the sender marked as safe. This is to protect you from malicious links and other content that would otherwise be downloaded automatically.
This behaviour doesn’t happen on mobile phones, where content is usually always displayed. This is at least in part down to the extra security that exists on phones, where applications are ‘sandboxed’ from each other preventing leaking of data between them. This keeps them self-contained and greatly limits the damage one may do over another.
Unfortunately, it makes phishing emails harder to spot, because where they may be heavily branded, they often look real. One easy way to check it is to click on the sender to reveal the email address rather than just the display name.
2 things stand out
- The message comes from firstname.lastname@example.org which is not the address I would expect a delivery email from DPD to come from
- I didn’t order any whisky!
I’m curious to see how good this scam is. Let’s open Windows Sandbox, and take a closer look…
Never miss a parcel again
My first impression is that this page looks really good. A lot of effort has gone into it to make it look like a real DPD page. The branding and wording is pretty spot on. You have to look hard to see the flaws
- Like the sender email address, the domain is always a giveaway. Again, nothing to do with DPD
- The site is not secure – never enter personal details on a website that doesn’t have a validated security certificate
- None of the links aside form ‘Reschedule’ on the page actually work. They are clickable, but nothing happens. (Except the ‘where has my parcel been’ which gives a brief history of your parcel. Nice touch!)
Clicking through to Reschedule, we get some options. More oddities – I get 2 delivery slots for tomorrow and the day after, for 3 GBP or 1 GBP. Neither of these options is available to select though.
Many phishing emails originate from overseas. The creators, while clearly very smart, haven’t formatted the currency correctly for the UK. Formatting the payment options like this is more common on the continent than here, where you would expect it to read as £3.00 or £1.00.
We click continue and get to the shipping details. I need to enter something, so I do (as I write, we’re in the run up to London Mayoral Elections. Sorry Count Binface, you were in my Twitter feed. Nothing personal. Good luck!)
Now we get to the meat of it. Having to go through a bit of admin rather than straight to the payment is a nice ploy, giving an air of legitimacy to the process. Unfortunately, we’ve only got one option. Enter our credit or debit card details. Oh well, let’s continue.
Here’s what we’ve been waiting for. We enter some (fake of course) card details. At no point have I been asked to confirm whether I want the £3 or the £1 re-delivery, so I’m not sure what I’m paying for, but by now I’ve forgotten about that.
I click Continue and… nothing happens. I click again, still nothing. Maybe the site is broken? Refresh and try again, same thing. Nothing happens.
Now, you may simply forget about it and move on. It’s only £3 and I can’t remember what it was I ordered anyway right now. It’ll probably turn up, right?
No. If we had given our real details over, the scammer now has
- Our home address, which is likely to be the registered address of our bank card
- Our full card details, the card number, the name as it appears on the card, the card expiry, and the CVV
With this info, you can process any online order. If you got this far and entered the real details, you should call your bank immediately (not DPD! They don’t know anything about it!) and report the issue and stop all payments from your card.
Take a moment
This is a pretty good example of a sophisticated credit card harvest via phishing. The process, the branding, and the ploy is pretty well spot on. The amounts requested are pretty tiny, and the admin steps you have to go through lure you into a false sense of security. But the end result could cost you far more. Always spend a few minutes and check that the site is real
- Check the sender address matches what you expect
- Check the site domain matches the sender (Google ‘DPD’ if unsure)
- Check the other links on the site
- Check your memory! Did you put an order in? Are you expecting a delivery?
A few minutes of caution is a far smaller price to pay than the alternative.
For more details on Phishing, check out our blog Phishing: How Does It Work