In recent years, phishing attempts that imitate courier companies such as UPS or FedEx have grown alarmingly. The most worrying thing is that many users continue to fall for it, mainly because these types of scams appeal to a very effective emotional resource: urgency. The typical message usually alerts you that "your package has been held" or that "delivery information is missing," which generates anxiety and prompts you to act without thinking too much. But in reality, it's a trap carefully designed to steal your personal information or even your money.

How these identity theft scams work

This type of scam is based on phishing, a social engineering technique where criminals impersonate well-known brands to gain your trust. In this case, the hook is a supposed notification about a problem with a shipment. The email may appear legitimate: it uses official logos, corporate colors, and even signs off with credible names, but it always includes a call to action like "click here to resolve the issue."

In some cases, messages have even been seen signed by fake companies like "Express Service," which sound generic but plausible. Other times, they directly impersonate FedEx or UPS. Upon clicking, the user is redirected to a fake form requesting personal or banking information, or to a page for making a supposed customs payment. Obviously, everything entered into these portals goes directly into the hands of cybercriminals.

Keys to detecting a fake shipping message

The first thing experts at the cybersecurity firm ESET recommend is to stop for a second and ask yourself: "Am I really expecting a package?" If the answer is no, there's a high probability that it's a phishing attempt. It's also helpful to carefully examine the sender of the email. In most cases, the email address doesn't match the official one, even if it tries to look similar.

Another detail that should raise suspicion is if the message asks for sensitive information such as your account number, a copy of your ID, or your credit card. FedEx and UPS have been clear: they never request this type of information via email and will never ask you for unsolicited payments in exchange for releasing a shipment.

Finally, a very useful clue is to hover over the link before clicking to see where it actually redirects you. If the domain doesn't correspond to the official site, or you see a strange or overly long URL, it's best not to interact. And while spelling mistakes used to be a key clue, messages are better written these days, so don't rely on well-written text.

How to protect yourself against this type of attack

The best defense is always prevention. When faced with any unexpected message stating there's a problem with a shipment, avoid clicking on links or downloading attachments. If you're really expecting a package, you'll most likely look for the tracking number yourself on the courier company's official website.

You can also contact UPS or FedEx directly through their official channels and verify if there's a real problem. Never respond to suspicious emails or share data on platforms other than official ones. Also, verify that the websites where you enter information have a secure connection (https) and correspond to the company's real domain. ESET insists that a more critical attitude toward messages received via email, WhatsApp, or SMS can make all the difference. Being wary of what seems urgent and pausing to analyze the content is a very effective way to avoid falling into these types of traps, which can have serious consequences for your digital security and financial stability. If you receive any unexpected messages stating there is a problem with a shipment, avoid clicking on links or downloading attachments. If you are truly expecting a package, you should most likely look for the tracking number yourself on the courier company's official website.

You can also contact UPS or FedEx directly through their official channels and verify if there is a real problem. Never respond to suspicious emails or share information on platforms other than official ones. Also, verify that the websites where you enter information have a secure connection (https) and correspond to the company's actual domain.

ESET insists that a more critical attitude toward messages that arrive via email, WhatsApp, or SMS can make all the difference. Being wary of what seems urgent and pausing to analyze the content is a very effective way to avoid falling into these types of traps, which can have serious consequences for your digital security and financial stability.