Beware the Holiday Scam: Fake Deliveries Target Christmas Eve Shoppers

Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has detected a sharp increase in the number of fake delivery websites just weeks before Christmas. Group-IB’s Computer Emergency Response Team (CERT-GIB) identified 587 fake postal resources in the first 10 days of December, which is 34% more compared to the last 10 days of November. Overall, since the beginning of November, CERT-GIB detected 1,539 phishing websites impersonating postal operators and delivery companies. These phishing resources are believed to be part of a single scam campaign. Scammers capitalize on the rush for last-minute gifts by sending SMS messages, often disguised as “urgent” delivery or “failed” delivery notifications. The messages that mimic well-known postal services prompt the recipients to visit scam websites and leave their personal and payment details. Group-IB continues the outreach campaign to inform the impersonated postal organizations.

Verifying the authenticity of delivery notifications, refraining from clicking on suspicious links, and cross-checking information with trusted sources are essential steps to safeguard against fake delivery scams.

Fake delivery scams have reached their peak in December, the busiest time of the year for delivery companies due to the increased volume of online orders. Scammers create hundreds of websites mimicking legitimate postal brands daily. The highest volume of phishing resources was created on December 8, 2023, according to CERT-GIB.  The campaign affects postal brands in 53 countries. Most of the detected phishing pages target users in Germany (17.5%), Poland (13.7%), Spain (12.5%), UK (4.2%), Turkey (3.4%) and Singapore (3.1%). 

In addition to targeting postal services, this scheme is also employed to attack telecom operators, banks, and toll services. Group-IB’s experts note that scammers use several evasion techniques to ensure that their rogue resources are not detected by authorities and cybersecurity researchers. They limit access to their scam websites based on geographic locations and allow access only from specific countries where they target victims. Fake postal brands’ websites work only on certain devices and operating systems. Another notable feature of this ongoing campaign is that fake resources live only for a few days, making it challenging for security experts to investigate the scheme and for traditional anti-scam solutions to detect it.

“With last-minute shopping and the desire to get parcels on time, people tend to be less cautious,” says Vladimir Kalugin, Operations Director (Digital Risk Protection) at Group-IB. “Scammers exploit this sense of urgency by sending fake delivery notifications. The high volume of packages being shipped during the holiday season makes it easier for scammers to hide among legitimate delivery services. We recommend users verify sender details, search through official channels cautiously due to scammers’ mimicry, treat messages as alerts, independently access official websites, and be aware of the ongoing schemes.”

The impersonated brands are the ones that suffer from such campaigns. Unhappy customers act fast. Brand owners need to be swift in taking action against scammers. Detection at early stages is the key to minimizing the digital risks to the affected brands and to safeguarding the potential victims. Effective monitoring and blockage should involve an automated machine-learning digital risk protection system fuelled by scam intelligence —  regular updates to its knowledge base about cybercriminals’ infrastructure, tactics, tools. Group-IB’s Digital Risk Protection solution, part of the Unified Risk Platform, can reveal fraudulent infrastructure at early stages and initiate the takedown process. Group-IB Attack Surface Management’s capabilities now cover typosquatting detection, so companies can investigate typosquatted domains under their care along with all relevant details.