
Researchers Warn of Worldwide Increase in Fake Shipment Tracking Scams


Surge in Fake Shipment Tracking Scams: A Growing Threat in Global E-Commerce

Fake shipment tracking scams are rapidly increasing across the globe, capitalizing on the staggering annual parcel volume of 161 billion that fuels global e-commerce. Insights from Group-IB, a prominent threat intelligence provider, reveal alarming trends in these fraudulent activities. In 2025, the researchers observed a significant rise in fake shipment tracking schemes, a stark contrast to the minimal activity recorded in 2024.

Throughout the past year, the team detected over 100 fake shipment tracking campaigns monthly, peaking at 218 unique campaigns in June and 208 in December of 2025. This marked escalation reflects the cunning tactics employed by cybercriminals who are taking advantage of the booming and competitive parcel delivery sector.

One of the notable aspects of these scams is their connection to the Darcula platform, a phishing-as-a-service (PhaaS) offering predominantly used in Chinese-language attacks. This platform provides tools that have been leveraged in cyber scams across more than 100 countries. The alarming sophistication of these scams has raised significant concern among security analysts and enterprises alike.

Understanding the Mechanics of Fake Shipment Tracking Scams

Upon analysis, Group-IB researchers highlighted that many phishing and fake shipment tracking scams utilize inexpensive, disposable domains that are minimally regulated. Cybercriminals often employ extensions like .xyz, .help, .shop, .click, and .top, but they do not shy away from impersonating trusted top-level domains such as .com. This tactic involves creating lookalike variations aimed at mimicking legitimate brands, effectively deceiving unsuspecting victims.
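As a defender-side illustration of the domain patterns described above, the following added example (not code from Group-IB or from this article) triages URLs reported from delivery-themed SMS messages. The brand `examplepost`, its official domain, the homoglyph map and the edit-distance threshold of 2 are assumptions chosen for the example; the TLD list is the one named in the article.

```python
import re
from urllib.parse import urlsplit

# TLDs the article lists as common in these campaigns.
CHEAP_TLDS = {"xyz", "help", "shop", "click", "top"}
# Assumption: hypothetical carrier brand mapped to its official domain.
BRANDS = {"examplepost": "examplepost.com"}
# Assumption: a few digit-for-letter swaps used in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_url(url):
    """Return the reasons a URL looks like a fake-tracking link ([] if none)."""
    # SMS links often omit the scheme; "//" lets urlsplit still find the host.
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    labels = host.split(".")
    reasons = []
    for brand, official in BRANDS.items():
        if host == official or host.endswith("." + official):
            return []  # the official domain or one of its subdomains
        for label in labels[:-1]:
            # Normalise digit swaps, then compare each hyphen-separated token.
            for token in re.split(r"[-_]", label.translate(HOMOGLYPHS)):
                if token == brand:
                    reasons.append(f"brand '{brand}' on non-official domain")
                elif edit_distance(token, brand) <= 2:
                    reasons.append(f"lookalike of '{brand}'")
    if labels[-1] in CHEAP_TLDS:
        reasons.append(f"disposable TLD .{labels[-1]}")
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for u in ["https://track.examplepost.com/x",
              "https://examplepost-delivery.top/redeliver",
              "examp1epost.com/pay", "https://exarnplepost.com/"]:
        print(u, "->", score_url(u))
```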

A typical fake shipment scheme unfolds with an attacker setting up a fraudulent phishing domain and establishing a counterfeit website. They further amplify their reach by sending malicious SMS messages that falsely claim failed deliveries. Two predominant techniques are utilized to deceive recipients:

  1. Anonymous Number Spoofing: Attackers use numbers formatted like local mobile prefixes to lend an air of authenticity to their texts.

  2. Sender ID Spoofing: Attackers disguise the sender as a trusted official entity, which makes victims more likely to engage with the deceitful message.

To enhance the effectiveness of the attack, the scammers deploy URL masking techniques, making the malicious links appear legitimate. The pages are often optimized for mobile devices to increase victim interaction.

Clicking links leads victims to counterfeit sites where they are encouraged to "update address details" or "pay minor fees." Here, unsuspecting users unwittingly submit sensitive personal and financial information, effectively falling into the attackers’ trap and leading to identity theft and financial loss.

The Role of Darcula in the Scam Landscape

While linking a particular threat actor to these scams has proven challenging, the researchers at Group-IB observed shared infrastructure and common characteristics among many phishing websites that point towards the Darcula phishing toolkit.

Emerging in 2023, Darcula has been instrumental in carrying out phishing attacks against diverse sectors, including government entities, airlines, postal services, and financial institutions. The platform provides cybercriminals with an extensive arsenal, offering over 20,000 counterfeit domains designed to spoof recognizable brands and more than 200 phishing templates.

Initially, Darcula was known for commercializing its PhaaS kit via Telegram. However, following exposure by the security vendor Mnemonic, the group removed its public-facing contact information, opting instead to promote its operations through covert channels. This pivot demonstrates the tenacity and adaptability of cybercriminal enterprises amid increased scrutiny by security firms.

Mitigation Strategies for Combatting Scams

In light of the rising tide of fake shipment tracking scams, Group-IB has put forth a series of recommendations aimed at both individuals and businesses seeking to mitigate the risks.

Businesses are urged to undertake specific measures, including:

  • Public Education: Regularly disseminating alerts regarding ongoing phishing attempts can help raise awareness among customers.

  • Strengthening Security Protocols: Utilizing strong authentication measures and domain security protocols like DMARC, DKIM, and SPF can significantly mitigate the risks associated with email fraud.

  • Brand Protection Services: Engaging services that monitor for counterfeit domains and fraudulent websites can preemptively identify threats.

  • Public Verification Tools: Implementing tools that allow customers to verify tracking numbers or official communications can substantially lower the success rates of scams.

  • Collaborations with Mobile Operators: Working alongside mobile service providers to filter out scam SMS patterns and block impersonation attempts before they reach end-users.

  • Establishing Clear Reporting Channels: Providing easy access for customers to report suspected scams can enhance the overall security posture.

As e-commerce continues to burgeon, so too does the sophistication of cyber threats. The rising prevalence of fake shipment tracking scams underscores an urgent need for consumers and businesses to remain vigilant and implement robust digital safety practices. Only through collective awareness and proactive measures can the tide of these deceitful schemes be stemmed.
