FedEx Smishing Scam

The holiday shopping season means big business for retailers around the world, but it unfortunately also means big business for hackers. The reasoning is, people tend to be on the lookout for various package delivery emails, lowering their guard when potential phishing emails arrive. Hackers know this and are already on the move with their holiday scams.

Package Delivery Scam

Louis Morton, a security professional based in Fort Worth, Texas, was sent a suspected Smishing message (SMS-based Phishing Attack) by his wife, indicating that a package couldn’t be delivered and action was needed for redelivery. Morton attempted to visit the domain in the phishing link, which looked something like the following (but isn’t exactly the same for safety reasons) 9991_c_fedeex[.]com from a desktop web browser, but found it redirects the visitor to a harmless page with ads for car insurance quotes. This is a typosquatted Fedex domain. But by loading it on a mobile device (or by mimicking one using developer tools), the browser directs them to,, shown below.

fed ex smishing

This attack followed an unusual setup by blocking non-mobile users from visiting the domain. This helps minimize inspection of the site from security researchers, potentially keeping the malicious site online longer.

After You Click The Link

Clicking “Schedule New Delivery” brings up a page that requests your name, address, phone number and date of birth. Those who click “Next Step” after providing that information are asked to add a payment card to cover the $2.20 “Redelivery Fee”. After clicking “Pay Now,” the user is prompted to verify their identity by providing their Social Security Number, driver’s license number, email address and email password. Scrolling down on the page revealed more than a half dozen working links to real resources online, including the company’s security and privacy policies. After clicking “Verify,” the user is redirected to the real FedEx at

Don’t Fall Victim

A hacker’s main weapon of choice is social engineering. Once you’re aware of this, you can confidently watch out for Phishing/Smishing Attacks, Impersonation Attacks, Romance Scams, and other various attacks all based upon social engineering. Being aware of specific holiday-based scams like this shipping delivery scam is essential to keeping you and your family secure.

Other Cybersecurity Best Practices

There are other actions you should take to protect your business from attacks including:

  • Adopt a password manager for better personal/work password hygiene
  • Require two-factor authentication on any SaaS solution and all critical accounts
  • Require 14+ character Passwords in your Governance Policies
  • Train employees to spot and avoid email-based phishing attacks
  • Check that employees can spot and avoid phishing emails by testing them
  • Backup data using the 3-2-1 method
  • Incorporate the Principle of Least Privilege
  • Perform a risk assessment every two to three years


KrebsOnSecurity – ‘Tis the Season for Wayward Package Phish

Stay Connected

Join over 100,000 of your peers and receive our weekly newsletter which features the top trends, news and expert analysis to help keep you ahead of the curve.