Holiday Fraud Delivery Notification Scams: “You have a package for delivery!”

Wednesday, November 8th, 2023



With the holiday season just around the corner, it’s a time for celebrations, travel, and shopping, but it’s also prime time for fraudsters to prey on unsuspecting consumers. Amidst the hustle and bustle of planning and festivities, people become easy targets for scammers.

THE SCAM: A common holiday scam involves fraudulent “Delivery Notification” text and email messages from reputable delivery services like FedEx, DHL, UPS, Amazon, and even the post office. Eager to receive their package, consumers often click on malicious links and even voluntarily provide banking information, resulting in loss of money or personal data.

THE SCHEME: Hilary Chapple [Calgary] unexpectedly received a text from the local post office claiming she had a package ready for delivery. Assuming it was a gift from her brother, she clicked the link, which instructed her to fill out forms and provide banking information to process the delivery. Unfortunately, Ms. Chapple proceeded to fill out all the requested information, and by the next morning, scammers had withdrawn nearly $2,700 from her account. Chapple realized the mistake and immediately contacted her bank. The financial institution (FI) initiated a fraud investigation and reimbursed all the money to her. In this case, Chapple acted quickly, and her FI refunded her money regardless of the fact that it was her error; however, other victims have not been quite as lucky with their outcome, and it wasn’t money they lost.

Tom Hoehn (Long Island, NY) was actually expecting a package delivery, so when he received an email from UPS stating that the package was “undeliverable,” it didn’t even occur to him that it was a phish. The email directed him to click on a provided link to obtain tracking information and reroute the package. The moment that Mr. Hoehn clicked the link, an ominous flashing began on his computer screen with the following message: “You have been hacked. We have encrypted all of your files. Send 150 bitcoins to this address.” Hoehn refused to comply with the request for bitcoins, which were valued at more than $66,000, and his computer was wiped of everything. Like a domino effect, one click on a malicious link resulted in the loss of everything on his computer, a stolen identity [as confirmed by the IRS], a hacked email account, and phishing emails distributed to his entire contact list – which numbered in the thousands.


Both of these cases were fraudulent “Delivery Notification” messages and seemed to come from a reputable company. In the first case, Chapple was a victim of a common scam called smishing, which refers to a cyberattack where fraudsters use text messages to trick individuals into divulging sensitive information. Smishing texts often contain deceptive or urgent messages with a request to confirm personal information or credentials to access accounts. According to the Federal Trade Commission (FTC), “Americans reported $330 million in losses to text scams last year, more than double the reported losses from 2021.”

In Mr. Hoehn’s case, the phishing email contained ransomware – a type of malicious software that encrypts a victim’s files or locks them out of their computer or data until a ransom is paid to the attacker. Often, fraudsters will request payment in cryptocurrency, like Bitcoin, to maintain a degree of anonymity. If the victim fails to pay, they face the loss of their data.

Both stories share a common theme where the victim trusted the text or email source due to the perceived legitimacy of the message. This trust was built on the fact that either they were anticipating a package or the message appeared credible. As we approach the holiday season, we tend to receive a higher volume of packages from our loved ones and various online retailers such as Amazon, which makes it easier to fall for such scams. According to new research from Citizens Advice, “Parcel delivery scams are by far the most common scam faced by the public so far this year [2022]. Almost half of people (49%) targeted by scammers had been on the receiving end of a malicious parcel delivery scam, with scammers attempting to get hold of personal information or bank details.”

Consumers can protect themselves by remembering the following:

  • Scammers often impersonate credible delivery services: Amazon, UPS, FedEx, DHL, USPS
  • Never click on an unsolicited link from delivery services or couriers. If there is a question about a package, contact them directly using the email or phone number listed on their website.
  • Be wary of ANY unsolicited texts or emails that sound urgent or require immediate action.
  • Use official apps or websites to track deliveries – don’t rely on email/text updates.
  • Reputable businesses will not ask for login credentials or personal information over the phone or text.
  • If you think you’ve clicked on a phish or compromised your account, call your FI immediately to report fraud.
  • The messages/methods to commit fraud may vary, but the outcome remains the same – loss of money and/or personal data. Examples of malicious texts/email messaging:
    • Subject: URGENT: Your package delivery requires immediate payment
    • This is FedEx. We attempted to deliver your package today, but no one was available to receive it. Click the link below to schedule a new delivery date and pay a $20 rescheduling fee.
    • Your package delivery [tracking number 1234567] is showing an issue with delivery. Please click the link below to verify your details and reschedule the delivery.
    • Your UPS package is ready for pick up. To confirm your identity, please click the link below and provide the requested information.

When in doubt, don’t click or reply!
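The indicators in the list above (an impersonated carrier, urgency, a request for payment or identity details, and a link that does not lead to the carrier's own site) can be checked mechanically before a message reaches a user. The following is an added example, not DefenseStorm's code: the keyword lists, function names and the sample URLs on the reserved `.example` domain are constructed for illustration, while the message wording comes from the examples above.

```python
import re
from urllib.parse import urlsplit

# Official web domains of the delivery services named in the list above.
OFFICIAL = {"fedex": "fedex.com", "ups": "ups.com", "dhl": "dhl.com",
            "usps": "usps.com", "amazon": "amazon.com"}
URGENCY = re.compile(r"\b(urgent|immediate(ly)?|today|undeliverable|issue with delivery)\b", re.I)
ASK = re.compile(r"\b(pay(ment)?|fee|verify your details|confirm your identity|"
                 r"requested information|bank(ing)?)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"'\[\]]+", re.I)

def host_is_official(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(message):
    """Return the list of indicators found in one text/email body."""
    hits = []
    brands = [b for b in OFFICIAL if re.search(rf"\b{b}\b", message, re.I)]
    if brands:
        hits.append("brand:" + ",".join(brands))
    if URGENCY.search(message):
        hits.append("urgency")
    if ASK.search(message):
        hits.append("asks-for-payment-or-identity")
    for url in URL.findall(message):
        host = urlsplit(url.rstrip(".,;:!?)")).hostname or ""
        # Suffix matching, not substring matching: "ups.com.parcel-hold.example"
        # and "fedex.com-redelivery.example" contain a brand domain but are not on it.
        if brands and not any(host_is_official(host, OFFICIAL[b]) for b in brands):
            hits.append("link-off-brand:" + host)
    return hits

# Constructed samples: wording from the examples above, URLs invented for the demo.
SAMPLES = [
    "This is FedEx. We attempted to deliver your package today, but no one was "
    "available to receive it. Click the link below to schedule a new delivery date "
    "and pay a $20 rescheduling fee. http://fedex.com-redelivery.example/pay",
    "Your UPS package is ready for pick up. To confirm your identity, please click "
    "the link below. https://ups.com.parcel-hold.example/id",
    "UPS update: your parcel is out for delivery. Track it at https://www.ups.com/track",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A message that names a carrier and links to that carrier's own domain yields only the brand indicator; the two lure samples add the payment or identity request and the off-brand link.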

Financial Institutions: Keep Your Customers Protected

  • Educate your customers and members about current scams, especially around the holidays when they tend to pick up.
  • Educate your employees about current holiday scams, particularly those that target customer service in call centers and branches.
  • Remember that consumer spending behavior around the holidays is different from the rest of the year, and your customers and members can help alert you to unauthorized use of their accounts, so establish clear and accessible channels to report fraud.
  • Closely monitor fraud defenses and actively tune them to keep friction in the banking and buying processes to a minimum without exposing gaps that are easily exploited.
  • Look at changes in customer and member behavior in terms of how accounts are accessed and any changes to personal information – while transactional behavior is unreliable during the holiday season, how we interact and manage our bank accounts is consistent and a smart way to detect risk in non-monetary activity.

The DefenseStorm Difference

With DefenseStorm GRID Active Fraud Prevention, FIs can proactively detect fraud before funds leave the organization, but a powerful approach to combating fraud also includes education and awareness. At DefenseStorm, we recognize the growing threat of fraud and want to help you stay protected. In addition to our Fraud Squad on the Case series, we also offer two other resources to help you learn about fraud and other potential threats.

  1. Join us for the quarterly DefenseStorm Fraud Fusion Center roundtable discussion, where industry experts come together to discuss fraud and share important information about best practices and current threats. Our next Fraud Fusion Center features a guest speaker from CISA!
  2. Subscribe to the daily Security Intel Bulletin. Each day, our experts at DefenseStorm compile the most vital emerging cybersecurity news articles for banks and credit unions. Get the latest and most important news about cyber threats delivered right to your email.






Adam Barrett

Sr. Product Manager, Fraud Detection

Adam is the DefenseStorm Fraud Geek with an extreme passion for protecting financial institutions and the people who trust them to provide a safe banking experience. He is currently the Senior Product Manager for the DefenseStorm GRID Active Fraud Detection product. With 25 years of experience in banking operations, fraud and risk, you would think he’s seen it all; however, the constantly evolving schemes keep him motivated to stay in the fight.