Where’s the package I’m expecting? Watch out for shipping and delivery-related phishing emails that try to track YOUR details

The CDC (The Centers for Disease Control and Prevention) classified “shopping at crowded stores just before, on or after Thanksgiving” on its list of higher-risk activities to avoid, and in its guidance issued ahead of the holiday weekend, it also directly suggested that consumers do more of their shopping online.

Not that much encouragement has been needed.  During the first 10 days of November, the traditional holiday shopping season, U.S. consumers spent $21.7 billion online — a 21% increase year-over-year.  And the sales momentum is just getting bigger. According to DC360 shoppers will spend $38 billion online over 2020 Thanksgiving weekend – that’s over double 2019’s spend over the same weekend.

Of  course, it isn’t just retailers who are looking forward to a record weekend:  threat actors are organizing their infrastructures to try and grab their share of our holiday spending, too.  In a recent report, we showed how phishing emails doubled in November in the run-up to Black Friday and Cyber Monday.

What’s more, they are not just trying to target consumers with fake shopping-related emails and websites.  They are also ramping up phishing and fraud attempts to take advantage of the shipping services that will deliver the goods we have purchased.

Check Point Research (CPR) researchers are witnessing a thorough, systematic operation in which threat actors are leveraging the entire ecosystem of shopping. From special offers, through designated shopping days such as Chinese singles day, Cyber Monday and Black Friday, all the way to the shipping and delivery process to try and trick victims into disclosing their personal details and use those details for financial theft and fraud.

In this report, CPR reveals that during the month of November we have seen a dramatic spike in phishing emails that are impersonating internationally-known shipping companies such as DHL, Amazon & FedEx.


  • Over 440% increase in shipping related phishing emails in November compared to October.
  • Europe tops the phishing surge, followed by North America & APAC.
  • DHL is the company most impersonated globally in shipping-related phishing emails during November, followed by Amazon & FedEx

Surge in Shipping related phishing emails globally

We have observed that during November there has been a 440% increase in shipping related phishing emails, compared to October. Emails impersonating DHL made up 56% of the total volume of shipping-related phishing emails, followed by Amazon with 37%, and FedEx with 7% of total.

Regional data

Numbers in Africa & South America were single-figures

Europe topped the list in terms of total number of phishing emails, and the numbers grew over four times (401%) compared to October. Seventy-seven percent of these emails in November were fake DHL mails.

In the US the increase was similar (427%) comparing November to previous month. The leading impersonated brand was Amazon with 65% of all phishing emails impersonating different Amazon shipping related notifications.

APAC showed a more moderate, though significant, increase (185%) with DHL accumulating almost 65% of the total phishing emails.

Where is my package?

Unlike classic phishing emails that are designed to lure people into giving personal details, credit card info or bank account credentials, these emails are specifically impersonating shipping vendors with different versions of fake messages reporting a “delivery issue” or “Track your shipment” details.

All are trying to lure the recipients to submitting details and stealing credentials or financial data.  We believe hackers have specifically chosen this vector in November, as they know that large numbers of online shoppers are waiting for their packages to arrive and are more attentive to shipping-related emails while they may be more aware of more traditional e-commerce related fraud and phishing attempts.

Examples of shipping related phishing emails

Amazon impersonation email in Japan

DHL Impersonation in USA

Italian Impersonation Amazon Business


How to Protect Against Phishing Scams

  • Never share your credentials– Credential theft is a common goal of cyberattacks. Many people reuse the same usernames and passwords across many different accounts, so stealing the credentials for a single account is likely to give an attacker access to a number of the user’s online accounts. Never share your account credentials and do not re-use passwords.
  • Always be suspicious of password reset emails– If you receive an unsolicited password reset email, always visit the website directly (don’t click on embedded links) and change your password to something different on that site (and any other sites with the same password). By clicking on a link, you can reset the password to that account to something new. Not knowing your password is, of course, also the problem that cybercriminals face when trying to gain access to your online accounts. By sending a fake password reset email that directs you to a lookalike phishing site, they can convince you to type in your account credentials and steal them.
  • Verify you are using a URL from an authentic website: One way to do this is not to click on links in emails, and instead click on the link from the Google results page after searching for it.
  • Beware of lookalike domains: spelling errors in emails or websites, and unfamiliar email senders.
  • Always note the language in the email:  Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they are in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.
  • Watch for misspellings:  Beware of misspellings or sites using a different top-level domain. For example, a .co instead of .com. Deals on these copycat sites may look just as attractive as on the real site, but this is how hackers fool consumers into giving up their data.

The statistics and data used in this report present data detected by Check Point’s Threat Prevention technologies, stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from the Check Point Research – The intelligence & Research Arm of Check Point.