Credit Card Fraud: Missed Delivery

Continuing our exposé on Phishing, let’s take a look at a real example of a common scam in which you’re asked to enter bank card details to reschedule a missed delivery.

The Setup

We’ve all got used to shopping online, and over the last year more than ever. As restrictions on travel were enforced during the lockdown, home deliveries have seen an unprecedented boom. Scammers have taken full advantage of this: because we get so many deliveries from several service providers, a missed-delivery message is easy to believe, and they use it to harvest credit card details.

The common premise is a missed delivery slot with a prompt to reschedule. Here we look at one from DPD and see how it unfolds.

Mobile Email

Before we get into the details, it’s worth pointing out something very important! If you view emails in an application like Outlook or in your browser, certain content may be blocked by default unless you have the sender marked as safe. This is to protect you from malicious links and other content that would otherwise be downloaded automatically.

This behaviour doesn’t happen on mobile phones, where content is usually displayed by default. This is at least in part down to the extra security that exists on phones, where applications are ‘sandboxed’ from each other, preventing data leaking between them. This keeps them self-contained and greatly limits the damage one app can do to another.

Unfortunately, it makes phishing emails harder to spot: with all the content displayed they can be heavily branded, and they often look real. One easy way to check is to tap on the sender to reveal the email address rather than just the display name.

View Sender

Two things stand out:

  • The message comes from webmaster@whiskyjournal.co, which is not the address I would expect a delivery email from DPD to come from
  • I didn’t order any whisky!

I’m curious to see how good this scam is. Let’s open Windows Sandbox, and take a closer look…

Never miss a parcel again

My first impression is that this page looks really good. A lot of effort has gone into making it look like a real DPD page. The branding and wording are pretty spot on. You have to look hard to see the flaws:

  • Like the sender email address, the domain is always a giveaway. Again, it has nothing to do with DPD
  • The site is not secure – never enter personal details on a website that doesn’t have a validated security certificate
  • None of the links on the page aside from ‘Reschedule’ actually work. They are clickable, but nothing happens. (Except the ‘where has my parcel been’ link, which gives a brief history of your parcel. Nice touch!)

Clicking through to Reschedule, we get some options. More oddities – I get 2 delivery slots for tomorrow and the day after, for 3 GBP or 1 GBP. Neither of these options is available to select though.

Many phishing emails originate from overseas. The creators, while clearly very smart, haven’t formatted the currency correctly for the UK. Formatting the payment options like this is more common on the continent than here, where you would expect it to read as £3.00 or £1.00.


We click Continue and get to the shipping details. I need to enter something, so I do (as I write, we’re in the run-up to the London Mayoral Elections. Sorry Count Binface, you were in my Twitter feed. Nothing personal. Good luck!)


Payment Due

Now we get to the meat of it. Having to go through a bit of admin rather than straight to the payment is a nice ploy, giving an air of legitimacy to the process. Unfortunately, we’ve only got one option: enter our credit or debit card details. Oh well, let’s continue.


Here’s what we’ve been waiting for. We enter some (fake of course) card details. At no point have I been asked to confirm whether I want the £3 or the £1 re-delivery, so I’m not sure what I’m paying for, but by now I’ve forgotten about that.

I click Continue and… nothing happens. I click again, still nothing. Maybe the site is broken? Refresh and try again, same thing. Nothing happens.


Now, you may simply forget about it and move on. It’s only £3 and I can’t remember what it was I ordered anyway right now. It’ll probably turn up, right?

No. If we had given our real details over, the scammer would now have:

  • Our home address, which is likely to be the registered address of our bank card
  • Our full card details, the card number, the name as it appears on the card, the card expiry, and the CVV

With this info, the scammer can process any online order. If you got this far and entered your real details, you should call your bank immediately (not DPD! They don’t know anything about it!), report the issue and stop all payments from your card.

Take a moment

This is a pretty good example of a sophisticated credit card harvest via phishing. The process, the branding, and the ploy are pretty well spot on. The amounts requested are pretty tiny, and the admin steps you have to go through lure you into a false sense of security. But the end result could cost you far more. Always spend a few minutes checking that the site is real:

  • Check the sender address matches what you expect
  • Check the site domain matches the sender (Google ‘DPD’ if unsure)
  • Check the other links on the site
  • Check your memory! Did you put an order in? Are you expecting a delivery?
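
The same checks can be run automatically over a reported message. The sketch below is an added example, not part of the original article: it flags a sender domain or link domain that doesn't belong to the brand named in the message, links that aren't HTTPS, and the "3 GBP" style of pricing the article saw on the fake site. The DPD domain allow-list, the link host and the sample message are assumptions constructed for illustration; only the sender address comes from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the brand really sends from and hosts on.
# Confirm them from the carrier's official site, never from the email itself.
BRAND_DOMAINS = {"dpd": {"dpd.co.uk", "dpd.com"}}

def is_brand_host(host, allowed):
    """True if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage(raw_email):
    """Return a list of findings for a single-part, plain-text message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()  # a str for single-part messages
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if not re.search(rf"\b{re.escape(brand)}\b", text):
            continue  # brand not mentioned, nothing to compare against
        if not is_brand_host(sender_host, allowed):
            findings.append(f"sender-domain-mismatch:{sender_host}")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            parts = urlparse(url)
            if not is_brand_host(parts.hostname, allowed):
                findings.append(f"link-domain-mismatch:{parts.hostname}")
            if parts.scheme != "https":
                findings.append(f"link-not-https:{parts.hostname}")
    # A UK sender would write £3.00; "3 GBP" is the oddity the article noted.
    if re.search(r"\b\d+(?:\.\d{2})?\s?GBP\b", body):
        findings.append("currency-format-non-uk")
    return findings

# Constructed sample: sender address from the article, link host a placeholder.
SAMPLE = """\
From: DPD Delivery <webmaster@whiskyjournal.co>
Subject: We missed you - reschedule your DPD parcel

Your parcel could not be delivered.
Reschedule for 3 GBP: http://reschedule.example/dpd
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty result only means none of these indicators fired; a phishing site can still carry a valid certificate, so the domain check is the one that matters most.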

A few minutes of caution is a far smaller price to pay than the alternative.

For more details on Phishing, check out our blog Phishing: How Does It Work
