Skip to content

Courier Cons

Don’t blame the messenger: Incoming e-mails purporting to be from FedEx, UPS or DHL aren’t really from the courier services. But they intend to deliver trouble.

In one fast-growing scheme, these e-mails say there’s a package for you that cannot be delivered, with instructions to click on a link for more information or to print a copy of the delivery order for personal retrieval.

Clicking that link downloads any of a number of malicious computer infections. At the very least, some slow your computer’s performance and trigger phony security alerts, followed by repeated pop-up warnings to purchase fake antivirus protection—known as “scareware.” Some viruses use your computer to send spam to others. Others are even more dangerous, unleashing “keystroke loggers” that can allow the hacker to capture your passwords and online banking and credit card information.

Targeting delivery companies

Since this scam first gained notice last summer, “it has become one of the most commonly encountered disguises used by cybercriminals hell-bent on distributing malware,” says Graham Cluley of the IT security firm Sophos, who writes a blog on online threats.

This scam isn’t limited to delivery companies. Similar e-mails have been sent under such guises as confirming or sending invoices for airline tickets or linking victims to websites promising information about parking violations.

But delivery services make ideal targets because “people do receive parcels,” Cluley says, which accounts for the eightfold increase in these dangerous e-mails over the last nine or 10 months. “FedEx, UPS and DHL are pretty much evenly targeted.”

In reality, it’s unlikely that the bona fide courier would even have your e-mail address. UPS officials say that the company “may send official notifications on occasion, but they rarely include attachments.” Crooks, however, buy the e-mail addresses of their intended victims or collect them when they get responses from other spamming attempts.

Other ruses falsely using the names of these well-known couriers involve e-mails—and to a lesser extent phone calls—claiming you have a package or check for a prize, but you must pay for shipping charges or taxes on these via a wired payment or credit card. In one recent case, a woman in Oregon lost $17,000 after receiving a phony FedEx e-mail saying that that sum was needed to cover taxes and paperwork for the $500,000 jackpot she had won.

Telephone messages left by scammers often provide an overseas number to call back, trapping victims into paying outrageous long-distance charges—on top of anything paid for alleged delivery fees.

Be suspicious

The bottom line: Be suspicious of any e-mail or phone call from a delivery service. If you receive an e-mail, do not click on any attachments or links; instead, forward it to FedEx at, UPS at or DHL via its website.

You can also notify the FBI’s Internet Crime Complaint Center.

To detect and remove viruses, scan your computer at least weekly with updated antivirus software that you purchase. If you’re shopping around, consider buying a “security suite,” such as the newer protection programs from McAfee and Norton that some experts say are better at remedying malicious spyware.

To learn more about online security, visit the National Cyber Security Alliance or the federal government’s OnGuard Online.

Sid Kirchheimer is the author of “Scam-Proof Your Life” (AARP books/Sterling).