According to Statista, more than 161 billion packages were sent around the world in 2022. This shows that courier services are the backbone of modern e-commerce.

A huge "fake shipment tracking" phishing scheme is now taking advantage of the fact that people all over the world depend on these services. Threat actors are running real-time phishing campaigns that steal personal information and banking credentials by exploiting people's fear of missing a delivery. Most of these attacks are happening in the Middle East and Africa (MEA).

How the Phishing Campaign Works

Attackers start the scam by sending fake SMS messages that say a package delivery has failed.

Most of the time, these texts tell victims to change their address or pay extra fees and tariffs to get the package.

Scammers use local-looking anonymous numbers or fake Sender IDs to make these alerts look real. This type of spoofing lets fake messages get past basic checks by landing directly in the real message threads of trusted couriers that are already on the victim's phone.

Figure: Statista data on packages sent around the world in 2022 (Source: Group-IB)

When a victim clicks on the link, they are taken to a fake website hosted on cheap, disposable top-level domains like .xyz, .help, or .shop. Under the surface, these phishing pages are sophisticated. In an analysis of the page HTML, Group-IB researchers found embedded scripts that open a WebSocket connection, which lets attackers record keystrokes in real time.

As victims type in their credit card numbers, addresses, and one-time passwords, the information is sent right away to servers controlled by the attacker. The malicious scripts also generate unique UUID tokens to keep track of each victim's session, which shows that the backend operation is very well organized.

Figure: MEA Phishing Aims at Banks (Source: Group-IB)

A lot of this infrastructure is similar to Darcula, a Chinese-language Phishing-as-a-Service (PhaaS) platform.

Darcula runs mostly through hidden Telegram channels and gives cybercriminals more than 20,000 fake domains and hundreds of phishing templates. Postal services are the main lure, but this well-organized operation is quickly expanding to impersonate online stores, transportation apps, and phone companies.

Reducing the Risk of Phishing

These fake shipment scams are growing quickly, so both individuals and businesses need to take steps to protect themselves.

Figure: In 2025, fake shipment tracking scams became much more common (Source: Group-IB)

Group-IB says that the attackers use a lot of high-pressure social engineering tactics, so the best way to stop credential theft is to look for red flags. Never click on tracking links that are sent to you by SMS, WhatsApp, or email. To check the status of your package, go to the official courier website and enter your tracking number.

Check unsolicited tracking numbers against your real purchase history and invoices. Look closely at website URLs for domain extensions that you don't know or don't see often, like .sbs, .top, or .click. Keep in mind that real courier companies won't ask for payment right away for simple tasks like changing your address. To stop brand spoofing, companies should use strong domain security measures like DMARC and SPF.

Companies need to keep their customers up to date on phishing attempts and give them safe, official ways to verify their identity.
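For analysts triaging reported messages, the red flags above and the page behaviour Group-IB describes (WebSocket channel, keystroke capture, per-victim UUID token) can be checked mechanically. The sketch below is an added example, not code from Group-IB or from the campaign; the regex patterns, function names and sample data are assumptions constructed for illustration, and the HTML is expected to come from a sandboxed fetch.

```python
import re
from urllib.parse import urlsplit

# TLDs the article names as common in these campaigns.
SUSPECT_TLDS = {"xyz", "help", "shop", "sbs", "top", "click"}

# Behaviours described in the article. The patterns are assumptions; each one
# also occurs on legitimate sites, so treat hits as triage signals, not verdicts.
PAGE_MARKERS = {
    "websocket": re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://", re.I),
    "key_capture": re.compile(r"addEventListener\s*\(\s*['\"](?:key(?:up|down|press)|input)['\"]", re.I),
    "uuid_token": re.compile(r"crypto\.randomUUID\s*\(", re.I),
    "card_or_otp_field": re.compile(r"autocomplete\s*=\s*['\"](?:cc-number|one-time-code)['\"]", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample data (not from a real campaign; handler body omitted).
SAMPLE_URL = "https://constructed-sample.xyz/t/1"
SAMPLE_SMS = "Delivery failed. Update your address here: " + SAMPLE_URL
SAMPLE_HTML = (
    '<input autocomplete="cc-number">\n'
    "<script>const sid = crypto.randomUUID();\n"
    'const ws = new WebSocket("wss://constructed-sample.xyz/s");\n'
    'document.addEventListener("input", onInput);</script>'
)

def url_flags(url):
    """Flag links whose host ends in one of the TLDs listed in the article."""
    host = (urlsplit(url).hostname or "").lower()
    return ["suspect_tld"] if host.rsplit(".", 1)[-1] in SUSPECT_TLDS else []

def page_flags(html):
    """Return the names of the behaviour markers present in the page source."""
    return sorted(name for name, rx in PAGE_MARKERS.items() if rx.search(html))

def triage(sms_text, fetched_html_by_url):
    """Score every link in a reported message against URL and page markers."""
    report = []
    for url in URL_RE.findall(sms_text):
        flags = url_flags(url) + page_flags(fetched_html_by_url.get(url, ""))
        # A live socket plus a keystroke listener matches the real-time
        # capture pattern and deserves escalation ahead of a TLD-only hit.
        realtime = {"websocket", "key_capture"} <= set(flags)
        report.append({"url": url, "flags": flags, "realtime_capture": realtime})
    return report
```

A link that only trips `suspect_tld` is a weak signal on its own; the combination with `realtime_capture` is what matches the campaign described here.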