Holiday shipping season is officially here, and so are the scammers. With more people shopping online, cybercriminals are finding unique ways to target personal information. A new NordVPN study shows an 86% surge in malicious postal service websites, with cyber attackers targeting shoppers who are tracking gifts, checking delivery updates, and clicking anything that looks like a carrier alert.
NordVPN explains that these scams are a form of social engineering as attackers impersonate real delivery carriers and lure victims to fake tracking or payment pages. The goal isn’t just a missing package; it’s collecting login credentials, billing or payment data, and sensitive personal info. If users provide that data, they’re not just out of the fee, they’ve helped attackers harvest credentials that can be reused in future fraud.
The Biggest Findings You Need to Know
NordVPN’s Threat Protection Pro data paints a clear picture: scammers follow the packages.
- Malicious postal service websites jumped 86% heading into the holidays.
- DHL is the top impersonated brand, with fake sites up 206% month-over-month.
- DPD Group ranks second, with scams rising 16%.
- USPS sites saw the biggest explosion — a staggering 850% increase.
- 38% of people have already faced delivery scams, often via text.
- Consumers lost $470M to text scams in 2024, up 5x from 2020.
These fake sites and smishing messages often look identical to the real thing, especially now that scammers are using AI to craft near-perfect clones. NordVPN’s post gives real-world examples beyond fake site.
One common scheme by attackers is to claim your package is held due to unpaid fees. That’s when they’ll direct you to a real-looking site that asks for payment or personal details. Nord says, even if you pay, the package never arrives, but now you’ve exposed yourself to future attacks.
“Becoming a victim of an impersonated fraudulent website isn’t just about losing money or missing out on Christmas gifts for your loved ones. It also exposes you to further risks of fraud and extortion. When your billing or shipping address, login credentials, or bank and payment card details are compromised, it can lead to engineering attacks and severe financial losses. While technology plays a vital role in protecting yourself, the growing scale of brand impersonation makes insurance coverage increasingly essential,” says Tomas Sinicki, managing director at NordProtect.
Why These Scams Work So Well
NordVPN warns that package-tracking messages are the perfect bait. They hit during the busiest season, when people are expecting deliveries and willing to click without thinking. The post explains what scammers also know:
- Text messages get 98% open rates, making smishing incredibly effective.
- Shortened URLs make fake links harder to evaluate. Because SMS messages are character-limited, attackers use URL shorteners, which hide the real destination and trick even careful users.
- People react quickly when told a package is “on hold,” “needs customs fees,” or “requires immediate action.”
- A single click can send you to a cloned site built to steal login info, addresses, and payment details.
- SMS is easier to fake and harder for filters to catch. Unlike email, SMS lacks advanced spam filtering, and spoofed sender numbers make it even more convincing.
- People are less cautious with texts. Most users instinctively open text messages and treat them as urgent, especially during the holiday rush.
And because many scam pages swap just one letter or symbol in the URL or use a convincing spoofed sender, these fakes are getting extremely hard to spot. Since attackers can use AI to generate convincing fake sites and messages with just a few prompts, it dramatically lowers the barrier to entry and increases overall volume.
“Scammers are evolving at an unprecedented pace, using AI not just to automate attacks but to make them deeply convincing,” says Marijus Briedis, chief technology officer at NordVPN. “With the holiday shopping season in full swing, consumers must remain vigilant against increasingly sophisticated phishing schemes targeting delivery services.”
How to Protect Yourself Online
NordVPN’s security experts warn that vigilance is your first line of defense, but tech tools can fill the gaps. Start with these basics:
- Never click tracking links in a text or unsolicited email. Go directly to the carrier’s official site.
- Preview links before clicking — hover to see the real URL.
- Verify the sender carefully — best to avoid shortened URLs altogether, as tiny URL changes often signal a fake.
- Be skeptical of urgent language like “immediate action required.” Legit carriers rarely demand that.
- Manually verify tracking numbers on official carrier sites instead of clicking links.
- Report suspicious messages to the carrier or to the FTC.
And if a site asks for surprise delivery fees, personal data, or card info? Close it immediately, it’s a scam.
Extra Protection for a Stress-Free Holiday
Human judgment isn’t perfect, and scammers count on that. NordVPN is offering up to 77% on 27-months of privacy-first online protection. The VPN giant recently added real-time email protection to its Threat Protection Pro security suite.
Not only can you get fast, reliable servers with more than 8,400 VPN servers across 167+ locations and protection on up to 10 devices, but you also get extra security tools. NordVPN’s Threat Protection Pro automatically blocks known malicious websites, prevents scam domains from loading, and scans downloads for malware, giving you a real buffer between you and a dangerous click. Plus, it compares every visited URL against a constantly updating database of dangerous sites. In today’s fast-changing world, it uses machine learning to analyze suspicious pages in real time, including those not yet on blocklists.
Backed by a 30-day money-back guarantee, you can try NordVPN completely risk free and lock in savings at the link below.
