Anatomy of a Scam: The Fake Delivery Email
Phishing is no longer just a matter of emails riddled with spelling mistakes. Today, hackers use sophisticated phishing kits that perfectly mimic portals of official institutions or delivery services like FedEx or DHL. Here is the technical autopsy of a scam attempt.
The Sender: Beyond the Display Name
Cybercriminals often use Display Name Spoofing. They configure the sender’s name to appear as “Delivery Service” or “Official Support,” but the actual underlying address is completely unrelated.
- The Header: If you examine the email’s “source code,” look for the Return-Path line. If it differs from the official domain, it’s a major red flag.
- Authentication: Modern email servers (Gmail, Outlook) often flag these emails as “unverified” because they fail SPF or DKIM authentication checks.
Learn more: Technical breakdown of a phishing attack
The Link: The Art of Redirection
Scammers don’t send you directly to the final scam site. They use layers of camouflage to bypass anti-spam filters:
- URL Shorteners: Using bit.ly or t.co to hide the final destination.
- Typosquatting: Creating a domain that looks like the official one with just one letter changed (e.g., fedex-support.com instead of fedex.com).
- Hidden URLs: The link text says “Click here,” but the actual URL hidden behind it points to an attacker-controlled server.
Pro Tool: Unshorten.it – This tool helps expand and verify shortened URLs, revealing the true destination before you click.
The Landing Page: The “Phishing Kit”
Once you click, you arrive at a perfect copy of the official website. But pay attention to the technical details:
- Form Fields: The site will ask for your card number, but also your date of birth or ZIP code. This data is used later to bypass 3D Secure protections or for identity theft.
- Bot Detection: Some phishing sites detect whether you are using a VPN or a security scanner, and display a blank page to experts while still trapping regular users.
Your Anti-Phishing Checklist
Before filling out any form, screen the email using these four checkpoints:
- Is the sender’s email address strictly identical to the one used by the official service?
- Does the destination URL (visible by hovering over the button) contain the exact brand name?
- Is the tone of the message alarmist, or does it ask for money unexpectedly?
- Is the tracking number or case ID recognized if you type it manually on the official website?
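The sender and link checkpoints, together with the Return-Path and SPF/DKIM checks from the sender section, can be automated. The Python sketch below is an added example, not part of the original article; OFFICIAL, SAMPLE and the function names are assumptions, and it matches the link's host against the official domain exactly because a lookalike such as fedex-support.com still contains the brand name.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = "fedex.com"  # assumed brand domain; SAMPLE is a constructed message
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Delivery Service" <notice@fedex-support.com>
Authentication-Results: mx.example.org; spf=fail; dkim=none
Content-Type: text/html; charset="utf-8"

<a href="https://fedex-support.com/track">https://www.fedex.com/track</a>
"""

def domain_of(header):  # domain part of the address, ignoring the display name
    return parseaddr(header)[1].rpartition("@")[2].lower()

def is_official(host, official=OFFICIAL):  # exact domain or a subdomain of it
    return host == official or host.endswith("." + official)

class Hrefs(HTMLParser):  # collects the real target of every <a> tag
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found += [v for k, v in attrs if k == "href" and v]

def screen(raw, official=OFFICIAL):
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg["From"] or ""))
    rp_dom = domain_of(str(msg["Return-Path"] or ""))
    auth = str(msg["Authentication-Results"] or "").lower()  # trust only your own server's header
    findings = [f"{m.upper()} did not pass" for m in ("spf", "dkim")
                if f"{m}=pass" not in auth]
    if not is_official(from_dom, official):
        findings.append(f"From domain {from_dom} is not {official}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From")
    body = msg.get_body(preferencelist=("html",))
    parser = Hrefs()
    parser.feed(body.get_content() if body else "")
    for href in parser.found:
        host = urlsplit(href).hostname or ""
        if not is_official(host, official):
            findings.append(f"Link target {host} is outside {official}")
    return findings
```

Calling screen(SAMPLE) returns one finding per failed check; an empty list means none of these checks fired, not that the message is safe.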
Hybrid Vigilance
Technology (antivirus, filters) helps, but the weakest link remains the human. By taking 10 seconds to analyze the URL and the sender, you neutralize 99% of phishing attacks.