Attackers Impersonate DPD In "Convincing" New Smishing Scam

Attackers Impersonate DPD In “Convincing” New Smishing Scam

A new “convincing” scam has been identified that mimics a major international parcel delivery firm, DPD.

The group Which? provided insight into the operation behind this smishing campaign, in which spammers try to steal the recipients’ personal information.

In the scheme, the consumers are sent a text message stating that their parcel was not delivered. They are then told to arrange their redelivery by following a link. The fake DPD website then asked the users to provide their personal details to arrange delivery and pay a fee.

Although the site looked very similar to the DPD official site, Which? noticed an error in the date format used which could have tipped off an attentive online user. But the majority of victims would be misled by the fake site.

The researchers were not able to take a screenshot of the site on their devices. They suspected that the site’s security measures were preventing them from doing so.

DPD told users to download its ‘Your DPD’ app to avoid getting bogged down by the scammers via text messages and emails.

Only emails that use one of the following three domains are authentic:, and

“With texts, we advise consumers to double check the links within the notifications to confirm that they are legitimate. These links should only be for or We have worked with Action Fraud and regional police focus in the last couple of years on awareness campaigns and will continue to do so.”

This new scam coincided with the COVID-19 pandemic, and was triggered by the increasing popularity of online shopping.

“Cyber-criminals will always take advantage of any opportunity to trick people into giving up their valuable personal and financial information. Over the last year, there’s been a significant increase in this type of activity, and we’ve seen scams using the branding of well-known organizations such as DPD and Royal Mail to exploit people into sharing sensitive data. We urge anyone who has received a text message or email requesting their personal data to remain vigilant and always question why a company might need this information, and to double check with DPD directly if you’re unsure. We’d also encourage anyone who has received an email or text message of this nature to report it to the NCSC’s text reporting number at 7726, or to their Suspicious Email Reporting Service,” said commenting on Which?’s investigation, Tony Pepper, CEO of Egress.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.