Group-IB Warns of Rising Fake Shipment Tracking Scam Across MEA

A new Group-IB analysis says fake delivery notifications are being used across the Middle East and Africa to steal personal and banking data, with attackers relying on local-looking SMS messages, spoofed sender IDs and highly interactive phishing pages

Group-IB has warned that fake shipment tracking scams are gaining momentum across the MEA region, as cybercriminals exploit the everyday use of courier and postal services to lure victims into phishing traps. According to the company’s latest blog, the scam typically starts with a text message claiming a parcel could not be delivered, urging the recipient to update address details or pay a small fee before the shipment can be released.

The company said the scheme is effective because it plays on delivery anxiety at a time when parcel tracking has become a routine part of daily life. Group-IB noted that postal and delivery brands are the most frequently abused category in this campaign, followed by financial services, telecoms, mobility services and e-commerce platforms in the MEA region.

According to the report, activity linked to the scam has been tracked since early 2024, but 2025 saw explosive growth, with spikes likely tied to holiday shopping periods. Group-IB said the operation is not limited to simple fake websites, but instead shows signs of coordination through recurring infrastructure patterns, including overlaps in IP addresses, domain registrars and hosting services.

The attackers are using two main SMS delivery methods. One relies on anonymous but region-specific numbers formatted to resemble local mobile prefixes, while the other uses Sender ID spoofing so fraudulent messages can appear inside legitimate text threads from trusted courier brands. Group-IB said this makes the scam significantly more convincing for victims.

Behind the links are phishing pages designed to harvest a wide range of sensitive data. Group-IB’s analysis found embedded scripts, WebSocket connections, session tracking and real-time keylogging, with stolen information including personal details, banking credentials, payment card numbers, CVV codes and one-time passwords.

The company added that the campaign has already expanded beyond fake parcel alerts into other consumer-facing services such as online retail, transportation apps, bill payments, fines, subscriptions and telecom services. Group-IB said the trend highlights how phishing infrastructure can be quickly repurposed across multiple sectors once a scam format proves successful.

Group-IB advised users not to click on unsolicited shipment links and to verify delivery status only through official courier websites, known tracking numbers and trusted e-commerce platforms.