Missed Delivery Notification Scam

20 February 2024

We’ve noticed that scam/phishing emails, which are designed to trick you into handing over personal and payment information, have become more complex and believable recently – they’re even becoming difficult for seasoned cyber-security staff to spot right away.

To help you recognise the signs of phishing emails, we’d like to tell you about an email we received recently, and point out why it was convincing and how to tell the difference between a genuine email and a fake one.

The scam email we received looked like this:

A very convincing scam email

The first sign that this is a scam email

There are several signs that this is not an email from Evri (which is a real delivery company in the UK). First up is the generic first line: delivery companies will have the name of the parcel’s intended recipient, and it is usually included in genuine emails. Next, the “We tried on: Tue, February 20, 2024 11:43 AM” time is the exact time that we received the email. The parcel’s supposed recipient was home at the time, and there was no sign of any attempted delivery (e.g. knocking on the door or ringing the doorbell).

Of course, we’ve all had issues with delivery companies reporting that they were unable to deliver packages, even when someone was home, so let’s look at the next indicator of a possible scam: the button link in the email.

The second sign that something is wrong

The button that says “Proced to portal” is misspelled; it should read “Proceed to portal”, especially if coming from a legitimate company.

Scam emails often have misspelled words, so that’s often the biggest indication that something is wrong.

The third sign that something is amiss

If you follow the “Proced to portal” button, you are redirected several times, and end up on this page:

A convincing clone of Evri's site

At first (and second) glance, this is what the Evri homepage looks like.

However, you can tell that this is NOT the Evri website by the URL.

The URL is not displayed in the picture above, but it was fgq DOT tmw DOT temporary DOT site/reschedule-evri/ trackMyParcelForm.php (We’ve written it like this so it can’t accidentally be clicked on)

If you are ever unsure about the validity of a webpage, make sure you know what the legitimate URL is, and check it against the URL of the page you’re visiting.

In this case, the real Evri URL is www.evri.com.
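
One way to automate the URL check described above, as an added example that is not part of the original post. It assumes evri.com is the only genuine domain; the function names and the example.test sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: evri.com is the only domain treated as genuine,
# based on the post's statement that the real site is www.evri.com.
LEGITIMATE_DOMAIN = "evri.com"


def refang(text: str) -> str:
    """Turn a defanged URL ("a DOT b DOT site/...") back into a parseable string."""
    text = text.replace(" DOT ", ".").replace("[.]", ".")
    return "".join(text.split())  # drop stray whitespace left by line wrapping


def host_of(url: str) -> str:
    """Return the lower-cased hostname, ignoring path, query, port and userinfo."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url  # urlsplit only fills in hostname after a scheme
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_legitimate(url: str, domain: str = LEGITIMATE_DOMAIN) -> bool:
    """True only if the host is the domain itself or a subdomain of it.

    The brand name appearing in the path, or at the start of a longer
    hostname, does not count: only the end of the hostname matters, and the
    match must fall on a dot boundary.
    """
    host = host_of(url)
    return host == domain or host.endswith("." + domain)


def check_samples() -> dict:
    """Classify the URL from the post plus constructed look-alike cases."""
    samples = [
        # URL quoted in the post, in its defanged form
        "fgq DOT tmw DOT temporary DOT site/reschedule-evri/ trackMyParcelForm.php",
        "https://www.evri.com/track",              # genuine site
        "https://evri.com.example.test/track",     # constructed: brand as a prefix
        "https://www.evri.com@example.test/track", # constructed: brand as userinfo
    ]
    return {s: is_legitimate(s) for s in samples}


if __name__ == "__main__":
    for url, ok in check_samples().items():
        print("genuine" if ok else "NOT GENUINE", "-", host_of(url))
```
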

The fourth sign indicating a scam email

If you were to put your postcode in the “Confirm postcode” box, and click “Submit”, you’d be taken to a page that looks like a parcel tracker:

A convincing clone of Evri's site

This page looks like a pretty convincing parcel tracker. However, you can see that, under the red line, it says “Delivered on Tue 20th Feb”.

The fact that it says both “Missed Delivery” and “Delivered” on the same page indicates that it’s not a legitimate site. Legitimate sites have consistent information, especially within the same page.

The final indication that this is a scam email

If you were to click on the “Reschedule new delivery” button, you’d be taken to this page:

A much less convincing clone of Evri's site

On this page, you are asked for your name, phone number, date of birth, address, and payment details, which would never be requested during a normal delivery rescheduling!

The most obvious sign that this is a scam is the request for your date of birth. Delivery companies could potentially need your name, address, and very occasionally payment details, but they’d never need your date of birth.

The last indicator is one for the eagle-eyed UK residents amongst you. The delivery fee calculation is incorrect; the current rate of VAT (sales tax) in the UK is 20%, so £1.04 + VAT = £1.25, not £1.45 … but if you’re the sort of person to spot that, there’s a good chance you spotted the other indicators first!

Be vigilant

As always, the best way to prevent falling victim to scam/phishing emails is to know how to recognise them.

If you are ever unsure about the veracity of an email you receive, we suggest navigating to the company’s website manually (instead of using links sent through emails), and asking if the message you’ve received is genuine.