“Missed package?” How a simple delivery scam is fooling thousands
We all get packages, sometimes too many to keep track on. And that’s exactly what scammers are counting on. At least 69% of Americans receive a package every month, making it a service that nearly everyone uses. With the growing number of delivery providers, it's easy for people to lose track of their shipments — and that’s exactly when attackers strike.
A simple trick used by scammers is to send out mass emails at random — a tactic we might call a “catch-all” strategy. Most of these emails will likely be caught by spam filters, and many recipients will ignore them. However, a few people may still click on the scam link, which leads them to a malicious page. Let’s break down how this scam works and what it looks like, because unlike the classic scam emails full of bright flashing warnings and countdown timers, this one is far more subtle. Still there are tells to find out :
- Unprofessional Layout and Missing Shipment Details - The email design is sloppy, and key information like a real pickup address and customer account number is missing — not what you'd expect from DHL.
- Suspicious Email and Links - Only an email address is shown (no real address), and the tracking link could redirect you to a phishing site.
- Urgent, Pressuring Language - The email tries to rush you into clicking quickly — a classic tactic scammers use to trick people.
You might be thinking that the email looks similar to many you've seen before, right? That’s true — it doesn’t stand out particularly at first glance. And that’s exactly why this example is so interesting: it strikes a balance between appearing legitimate and hiding the usual red flags often found in scam emails.
One quick trick to check if an email is fake? Look at the sender’s address. Does it really come from DHL or something odd like info@ioxr.art?
Looking further into the email body, there’s a button that clearly encourages the user to click and proceed. It’s designed to appear as though it will take the recipient to DHL’s official tracking page. But let’s take a closer look at the code behind this button to see where it actually leads.
The link actually goes to a site hosted on IPFS — a system that makes it hard to take things down, which is exactly why scammers love it.
While this makes it harder to take malicious content offline, it also raises a red flag — this is not where you’d expect a legitimate DHL email to direct you.
So where does the link take us? Since IPFS is compatible with modern browsers, it opens a landing page — and it becomes clear this isn’t DHL’s site. The page is generic enough that many people might not question it. It doesn’t display much information at all, but it personalizes the scam by pre-filling the login field with the recipient’s email address. That’s a subtle but clever touch — it adds just enough legitimacy to convince some users to proceed.
The site even blocks right-clicking so you can’t inspect the code — a common trick scammers use to hide what they’re really doing
Otherwise, the landing page appears fairly unremarkable. The language selection links at the bottom, for example, are non-functional — clicking them does nothing. But most users won’t bother to test those, so they serve a purely visual purpose: to make the site look more legitimate and avoid raising suspicion.
Now, let’s take a look under the hood and examine the potentially malicious code.
At first glance, most of the code is dedicated to CSS styling — which is unusual, as this would typically be loaded from external files. Embedding so much CSS directly into the page is a strange choice and already raises some suspicion. But beyond the formatting, there are several indicators that strongly suggest this is a phishing site.
1. The URL points to IPFS storage (ipfs.io)
Real login portals (e.g., for Microsoft, Google, etc.) use official domains (like microsoft.com, google.com, outlook.com). ipfs.io is a decentralized file storage system — no legitimate organization will host login pages there.
2. Poor HTML/CSS quality and broken elements
The code is poorly formatted, has broken inline styles, and excessive base64-encoded images. Real corporate web pages are carefully coded, fully polished, and use proper asset management (e.g., not massive inline blobs).
3. Form captures email and password with no backend
The form fields (email, password) do not submit anywhere obvious. Real login forms send credentials securely (HTTPS POST) to legitimate servers. Phishing forms either harvest the info silently or submit it to hidden malicious endpoints.
4. Mix of languages links with no functionality
There are fake "language links" (Arabic, Czech, Danish, etc.) all pointing to the same broken IPFS page. On real sites, language selectors actually change the content dynamically.
The distribution of this scam is fairly evenly spread across the globe:
As previously mentioned, due to the generic nature of the landing page and the broad appeal of the phishing message, this scam can be deployed almost identically worldwide. This increases the attackers' chances of success by allowing them to trick users in multiple regions into handing over their credentials — which can then be repurposed for more targeted, high-value attacks.
The threat is steadily increasing. The dips visible in the data typically correspond to weekends, suggesting that the most successful day to launch an attack is Monday — when people return to full inboxes and are still easing into the workweek. Aside from this pattern, the threat remains consistent and persistent. We fully expect this scam, or variations of it, to continue appearing now and in the foreseeable future.
So, how to protect yourself against these scams?
- Always check the email headers
Look at the sender’s email address closely — is it from a legitimate domain you recognize? Official companies will never use suspicious or unfamiliar domains. - Examine the landing page
Does the page look like what you expected? If something feels off, it probably is. Be especially wary if you're redirected to an unfamiliar URL. - Assess the design and formatting
Most phishing emails are poorly designed. Look for inconsistent fonts, low-quality logos, or broken elements that a professional company would never send. - Watch for time pressure and manipulative language
Scammers often create a false sense of urgency — claiming your package will be returned or your account will be locked unless you act immediately. Take a moment to verify before clicking.
Email scams aren’t going away, but staying alert can keep you safe. Before you click, take a breath, check the sender, and when in doubt, go straight to the company’s official website.
