Credit Card Fraud: Missed Delivery

Continuing our exposé on Phishing, let’s take a look at a real example of a common scam in which you’re asked to enter bank card details to reschedule a missed delivery.

The Setup

We’ve all got used to shopping online, over the last year more than ever. As restrictions on travel were enforced during the lockdown, home deliveries have seen an unprecedented boom. Scammers are taking full advantage of this: because we get so many deliveries from several service providers, a fake delivery notice is an easy way to harvest credit card details.

The common premise is a missed delivery slot with a prompt to reschedule. Here we look at one from DPD and see how it unfolds.

Mobile Email

Before we get into the details, it’s worth pointing out something very important! If you view emails in an application like Outlook or in your browser, certain content may be blocked by default unless you have the sender marked as safe. This is to protect you from malicious links and other content that would otherwise be downloaded automatically.

This behaviour doesn’t happen on mobile phones, where content is usually displayed in full. This is at least in part down to the extra security that exists on phones, where applications are ‘sandboxed’ from each other, preventing data leaking between them. This keeps them self-contained and greatly limits the damage one app can do to another.

Unfortunately, it makes phishing emails harder to spot: because they are often heavily branded, they look real. One easy check is to click on the sender to reveal the email address rather than just the display name.

Two things stand out:

  • The message comes from webmaster@whiskyjournal.co, which is not the address I would expect a delivery email from DPD to come from.
  • I didn’t order any whisky!

I’m curious to see how good this scam is. Let’s open Windows Sandbox, and take a closer look…

Never miss a parcel again

My first impression is that this page looks really good. A lot of effort has gone into making it look like a real DPD page. The branding and wording are pretty spot on. You have to look hard to see the flaws:

  • Like the sender email address, the domain is always a giveaway. Again, it has nothing to do with DPD.
  • The site is not secure – never enter personal details on a website that doesn’t have a validated security certificate.
  • None of the links on the page aside from ‘Reschedule’ actually work. They are clickable, but nothing happens. (Except ‘where has my parcel been’, which gives a brief history of your parcel. Nice touch!)

Clicking through to Reschedule, we get some options. More oddities – I get 2 delivery slots for tomorrow and the day after, for 3 GBP or 1 GBP. Neither of these options is available to select though.

Many phishing emails originate from overseas. The creators, while clearly very smart, haven’t formatted the currency correctly for the UK. Formatting the payment options like this is more common on the continent than here, where you would expect it to read as £3.00 or £1.00.

We click continue and get to the shipping details. I need to enter something, so I do (as I write, we’re in the run up to London Mayoral Elections. Sorry Count Binface, you were in my Twitter feed. Nothing personal. Good luck!)

Payment Due

Now we get to the meat of it. Having to go through a bit of admin rather than straight to the payment is a nice ploy, giving an air of legitimacy to the process. Unfortunately, we’ve only got one option: enter our credit or debit card details. Oh well, let’s continue.

Here’s what we’ve been waiting for. We enter some (fake of course) card details. At no point have I been asked to confirm whether I want the £3 or the £1 re-delivery, so I’m not sure what I’m paying for, but by now I’ve forgotten about that.

I click Continue and… nothing happens. I click again, still nothing. Maybe the site is broken? Refresh and try again, same thing. Nothing happens.

Now, you may simply forget about it and move on. It’s only £3 and I can’t remember what it was I ordered anyway right now. It’ll probably turn up, right?

No. If we had given our real details over, the scammer would now have:

  • Our home address, which is likely to be the registered address of our bank card
  • Our full card details: the card number, the name as it appears on the card, the card expiry, and the CVV

With this information, a scammer can process any online order. If you got this far and entered your real details, you should call your bank immediately (not DPD! They don’t know anything about it!), report the issue and stop all payments from your card.

Take a moment

This is a pretty good example of a sophisticated credit card harvest via phishing. The process, the branding, and the ploy are pretty well spot on. The amounts requested are tiny, and the admin steps you have to go through lull you into a false sense of security. But the end result could cost you far more. Always spend a few minutes checking that the site is real:

  • Check the sender address matches what you expect
  • Check the site domain matches the sender (Google ‘DPD’ if unsure)
  • Check the other links on the site
  • Check your memory! Did you put an order in? Are you expecting a delivery?

A few minutes of caution is a far smaller price to pay than the alternative.
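The sender and link checks above can also be run automatically over a saved message. The following is an added example, not part of the original article: the trusted domain `dpd.co.uk`, the link URLs and the sample message are assumptions constructed for illustration; only the sender address comes from the article.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the real courier sends mail from and hosts pages on.
TRUSTED_DOMAINS = {"dpd.co.uk"}

# Constructed sample message; only the sender address is taken from the article.
SAMPLE = """\
From: "DPD Delivery" <webmaster@whiskyjournal.co>
Subject: We missed you - reschedule your delivery
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://parcel-reschedule.example/dpd/">Reschedule</a>
<a href="https://www.dpd.co.uk/">Track</a></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def review_message(raw):
    """Return findings for the sender-address and link checks."""
    msg = message_from_string(raw)
    findings = []
    # Compare the real address, not the display name the mail client shows.
    display, addr = parseaddr(msg.get("From", ""))
    if not is_trusted(addr.rpartition("@")[2]):
        findings.append(f"sender domain mismatch: {display!r} <{addr}>")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for url in collector.links:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"link not HTTPS: {url}")
        if not is_trusted(parts.hostname):
            findings.append(f"link domain mismatch: {url}")
    return findings
```

Note that the suffix match requires a leading dot, so a lookalike host such as `evil-dpd.co.uk` is not treated as trusted.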

For more details on Phishing, check out our blog Phishing: How Does It Work
