Do you also get those weird package notifications via SMS?

Package announcements are helpful and usually spread joy. But currently you should be especially careful. Fraudsters are sending fake SMS with malware! Even the LKA warns.

Fraudsters try again and again with perfidious tricks to get sensitive data. One of them has already been annoying for months – the supposed announcement of a package, about which users are informed by SMS. As early as February 2021, the State Criminal Police Office (LKA) in Mainz warned against these text messages. But the notifications are still in circulation and are even increasing in frequency shortly before Christmas. With the package notifications via SMS, criminals try to install malware on the smartphones of their victims.

If the recipients of the SMS click on a supposed confirmation link with the extension “”, malware is downloaded in the background and installed on the cell phone. “This malware forwards sensitive data unnoticed, spies on the contact list of the injured party and then independently sends SMS with the malware to various phone numbers, which can cause additional costs,” the LKA says. In one case, a woman from Mainz suffered a three-digit amount of damage due to the fake SMS package announcement, officials said.

Photo: atechbook

Not only the police warn

New Zealand’s computer emergency response team CERT NZ also uncovered a new scam in October that hackers are using to install so-called spyware on smartphones. The spying malware is again hiding in packet SMS messages. If recipients follow the link in the SMS, they are prompted to download a package tracking app. In some cases, opening the link also brings up a warning that the smartphone is infected with “FluBot” malware – and a request to install a security update against it. The warning also includes instructions to allow installation from unknown sources in the settings in order to apply the security update. However, users should definitely not do that because that is exactly how they install the spyware on their device.

FluBot is spyware specialized for Android smartphones. The malware can steal login data and passwords from banking apps, for example. To do this, the spyware uses an Android feature called “Screen Overlay”, which allows app to open a separate window on top of another app. FluBot can thus create a real-looking image of an actual banking app and thus trick users into entering their data. However, FluBot only becomes dangerous once you actually install something or grant access permissions. iPhone users are also not affected by the spyware, as iOS does not allow installing apps from unknown sources.

Meshes of this kind are not new. Again and again, cases come to light in which criminals use the supposed package announcement via SMS and mail to obtain sensitive data. The messages often state that a package is supposedly on its way to the recipient or has not yet been picked up by the recipient. Such messages misuse the names of parcel service providers such as DHL, UPS and others. Some of them are also service providers from other countries or freely invented companies.

Also interesting: These are the nasty tricks of phishing scammers

Detect fake packet SMS and email

The fake parcel notifications come via SMS and e-mail. They can be recognized by subject lines such as “Your package was not delivered correctly”. Or they are simply fictitious shipping confirmations. The police are also aware of variants in which recipients of shipments allegedly have to pay additional postage in order for the package to be delivered. Anyone who then curiously taps on the link in the SMS is taken to a fake parcel tracking page. On this page, recipients are first asked to enter a fictitious shipment number, which was also in the text message. They are also asked to fill in an online form with personal data – the actual phishing attack.

In general, users should never click on links in e-mails or text messages whose senders they do not know exactly. On the one hand, because this can trigger the download of malware. On the other hand, because the links could lead to pages on which fraudsters can collect personal data and payment details, or which are massively covered with advertising.

The police also warn against clicking on “unsubscribe” links in such fake package announcements. By doing so, you are effectively just confirming receipt of the message – and can expect even more phishing spam in the future.

Browser extension detects fraudulent stores on the Internet

Victims of fake parcel text messages should not pay high bills

In some cases, the warning not to click on the links in the package text messages may already have come too late. In the worst case, this means that you have already caught malicious software on your smartphone. The scammers can use this software to spy on data or send masses of SMS messages. Without an SMS flat rate, this can quickly become expensive fun. In the event of a dispute with one’s own telephone provider, the North Rhine-Westphalia Consumer Center (vznrw) advises calm – and to fight back.

If they have not already done so, victims who have fallen for the parcel SMS should file a criminal complaint with the police. This is important later on to rule out any fault on your part. In addition, do not pay the mobile phone provider’s bill immediately. If the provider insists on payment of the SMS sent unnoticed, ask specifically what protective mechanisms are in place to prevent such untypical behavior on the part of an individual telephone connection. The consumer protectors also advise sending along a copy of the criminal complaint and explaining that a malware program was responsible.

Victims of the parcel SMS scam can also check whether their household insurance might not cover such cases. The consumer protectors point out that some contracts cover such and other cases of abusive online activities.

Last but not least, you should avoid something like comparisons. This is because some companies offer a cost cap. In other words, those affected pay 100 euros and the case is settled. However, vznrw warns against this. From their point of view, mobile phone customers are being made responsible for all future cases in return for a declaration of obligation. The lawyers of the vznrw therefore advise to delete such clauses. In case of doubt, legal advice is worthwhile.


  • LKA Mainz

With material from dpa