Did you go wild spending on Black Friday? In anticipation of a shipping crunch, did you seek further afield sellers to find what your friends and family are looking for? 

With folks worldwide concerned about the status of their holiday shopping, they can be expected to constantly check for updates from their carriers. Shipping companies are already some of the most spoofed brands in the world. Around the holidays, that will only increase. 

Starting in November 2021, Avanan observed a new credential harvesting attack in which attackers spoofed an undelivered package notification from DHL. In this attack brief, Avanan will analyze the company’s most recent discovery of this credential harvesting attack.   


In this attack, hackers are leveraging a spoofed DHL notification. When users click on the link, they will be directed to a credential harvesting page.

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Brand Impersonation, Spoofing
  • Target: Any end-user



In this attack, scammers are using brand impersonation. By showing a page that looks like it comes from a trusted brand, they’re hoping to trick end-users into clicking on a link. That link, however, is a classic credential harvesting link, looking to steal data and other information. 

The email starts with noting that there is an “undelivered” package from DHL. By going online, you can submit your address, as well as other information, to get the delivery on time and at the right place. However, that won’t happen. 

Email Example #1

In this email, hackers present what looks like a message about a package that can’t be delivered. This email utilizes traditional social engineering tactics, such as urgent language about the package being delivered today, to get the user to act:

This email purports to be a notification about an undelivered package. 



In this email attack, hackers have used brand impersonation. What’s particularly clever is the spoof of DHL. Not only is DHL the third-most impersonated brand, according to Check Point Research, but it also delivers packages from around the globe. With folks broadening their purchasing horizons this holiday season, a DHL package is more likely, making the spoof more believable. 

The hackers are utilizing the classic social engineering tactic of urgency to get end-users to click. The thinking, they hope, is that end-users will be in a panic seeing that their package won’t get to their door on time, and will enter their info without thinking. 

Best Practices: Guidance and Recommendations

In order to guard against these attacks, security professionals can do the following:

  • If clicking on the harvesting link, inspect the URL
  • Pay close attention to mistakes in the email. “DHL Office” is not a real place—the closet think would be DHL Express ServicePoint
  • Pay extra attention to emails from brands, especially around the holidays. Check Point Research has found that two of the top five most impersonated brands ship goods (DHL, Amazon)
  • Ensure that the package that has been ordered is actually shipping with DHL. The tracking number provided provided with the original order will show if the package is delivered with DHL and the true delivery status
  • Utilize an email security solution that relies on multiple factors to determine an email is phishing

Subscribe to Our Attack Briefs for More Research