The "DHL Your Parcel Has Been Delivered" email scam represents a persistent phishing campaign that impersonates the legitimate international shipping company DHL to deceive recipients into downloading malware or surrendering personal credentials. These fraudulent emails claim that a package has been delivered and prompt victims to click malicious links or download infected attachments to view delivery details. The scam exploits the trust people place in recognizable courier brands and the common experience of tracking online orders, making it particularly effective against unsuspecting users.

'DHL Your Parcel Has Been Delivered' Email Scam — cybersecurity illustration
Photo by Ann H on Pexels

This threat has been circulating since at least 2018 with periodic resurgences, typically intensifying during holiday shopping seasons when package deliveries are frequent. Unlike a traditional virus that self-replicates, this is a social engineering attack that relies entirely on human interaction—the email itself isn't dangerous until you click the link or open the attachment. What makes it dangerous is what comes next: credential-harvesting websites, banking trojans, ransomware payloads, or information-stealing malware that can compromise your entire system and financial accounts.

Think you clicked a link from one of these emails? Immediately disconnect your computer from the internet (unplug the ethernet cable or disable Wi-Fi). Do not enter any passwords or banking information. Call us at (770) 695-6672 right away—the first hours after infection are critical for preventing data theft and containing the damage. We can assess whether malware was installed and take immediate remediation steps before sensitive information is exfiltrated.

Threat Profile

Threat Type Phishing email campaign / Malware distribution vector
Impersonated Entity DHL Express (legitimate courier service)
Primary Payload Varies—commonly Emotet, TrickBot, Formbook, Agent Tesla, or credential phishing pages
Distribution Method Mass email campaigns with spoofed sender addresses
Target Platforms Windows (primary), macOS (secondary), mobile devices via phishing links
First Observed 2018 (ongoing with periodic campaigns)
Attachment Types Malicious JavaScript (.js), ZIP archives, Office documents with macros (.doc, .xls), PDFs with embedded links, HTML files
Common Subject Lines "Your parcel has been delivered", "DHL Shipment Notification", "Delivery Confirmation Required", "Package Awaiting Collection"
Risk Level High—can lead to banking trojan infection, ransomware deployment, or complete credential compromise
Detection Names Email.Phish.DHL, Trojan.Phishing.DHL, JS/TrojanDownloader (for JavaScript attachments), varies by payload
Associated Threat Actors Multiple cybercrime groups using phishing-as-a-service infrastructure
Geographic Distribution Worldwide, with concentration in English-speaking countries and major commercial centers

How It Spreads

The DHL phishing scam relies entirely on mass email distribution to reach potential victims. Cybercriminals send millions of fraudulent emails using compromised mail servers, botnets, or specialized phishing platforms that allow them to spoof legitimate DHL email addresses in the "From" field. These emails are designed to appear authentic, often incorporating DHL's actual logo, color scheme, and formatting to establish visual credibility. The sender address may appear as variations like "noreply@dhl.com" or "tracking@dhl-delivery.com" (with slight misspellings or different domain extensions that pass casual inspection).

The emails typically arrive unsolicited, claiming that a package has been delivered to your address or is awaiting collection at a local facility. To heighten urgency, they may include fake tracking numbers, reference fees that need immediate payment, or warn that packages will be returned if not claimed within 24-48 hours. The psychological pressure to act quickly combined with the plausible scenario (most people receive legitimate packages periodically) creates an effective trap. Some variants target businesses specifically, referencing commercial shipments or customs documentation that requires immediate attention from office managers or accounting departments.

Distribution vectors for this scam include:

  • Direct phishing emails with malicious attachments (JavaScript files, ZIP archives containing executables, macro-enabled Office documents)
  • HTML emails with embedded links directing to fake DHL tracking portals that harvest credentials or trigger drive-by downloads
  • Compromised email threads where attackers hijack existing business communications and inject malicious messages into legitimate conversation chains
  • SMS phishing (smishing) variants sending text messages with shortened URLs claiming to be from DHL
  • Malvertising campaigns that display fake "package delivery issue" pop-ups on legitimate websites
  • Seasonal intensification during Black Friday, Cyber Monday, and December holidays when package volumes are highest and people expect delivery notifications

What It Does On Your Machine

The actual damage from this scam depends entirely on what payload is delivered or what information you surrender. If you click a link, you may be directed to a convincing replica of the DHL tracking website that requests login credentials, personal information, or credit card details under the pretense of paying a delivery fee or customs charge. These credential-harvesting sites immediately transmit whatever you enter to the attackers, who can then use that information for identity theft, unauthorized purchases, or access to other accounts if you reuse passwords across services.

If you download and open an attachment, the consequences are typically more severe. JavaScript attachments execute immediately when opened and serve as downloaders for secondary malware payloads. These often retrieve banking trojans like Emotet or TrickBot, which establish persistent footholds on your system, steal saved passwords from browsers and email clients, log keystrokes to capture banking credentials, and can spread laterally to other computers on your network. Office document attachments with embedded macros require you to click "Enable Content" or "Enable Macros"—doing so triggers malicious code that downloads and executes malware from remote command-and-control servers.

Once malware is installed, typical behaviors include establishing persistence through registry modifications and scheduled tasks, communicating with remote servers to exfiltrate stolen data, and potentially downloading additional malicious modules. Information-stealing variants like Agent Tesla or Formbook will harvest credentials from dozens of applications including FTP clients, email programs, web browsers, and VPN software. Some campaigns use these phishing emails as the initial infection vector for ransomware operations, with the ultimate goal of encrypting your entire system and demanding payment for decryption keys.

Typical artifacts from JavaScript-based payload delivery: %TEMP%\wsc[random].js // Initial JavaScript downloader %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk %LOCALAPPDATA%\[random GUID]\svchost.exe // Disguised malware binary Registry persistence (Run key): HKCU\Software\Microsoft\Windows\CurrentVersion\Run "WindowsUpdate" = "%LOCALAPPDATA%\[GUID]\svchost.exe" Scheduled task: \Microsoft\Windows\SystemUpdate // Runs disguised malware at logon Network connections (if payload includes info-stealer): Connections to suspicious domains ending in .ru, .top, .xyz SMTP traffic on non-standard ports (data exfiltration)

Manual Removal — Step by Step

01

Disconnect from network immediately

As soon as you suspect infection, disconnect your computer from the internet by unplugging the ethernet cable or disabling Wi-Fi. This prevents the malware from communicating with command-and-control servers, exfiltrating stolen data, or downloading additional payloads. Do not skip this step—data theft often occurs within minutes of infection.

02

Boot into Safe Mode with Networking

Restart your computer and repeatedly press F8 during boot (or Shift+F8 on some systems) to access the Advanced Boot Options menu. Select "Safe Mode with Networking" to load Windows with minimal drivers and services. This prevents most malware from launching automatically and makes removal safer. On Windows 10/11, you can also access Safe Mode through Settings > Update & Security > Recovery > Advanced startup > Restart now, then Troubleshoot > Advanced options > Startup Settings > Restart > press 5 for Safe Mode with Networking.

03

Open Task Manager and terminate suspicious processes

Press Ctrl+Shift+Esc to open Task Manager and examine the Processes tab for suspicious entries—especially anything with random names, processes running from %TEMP% or %APPDATA% locations, or high CPU/network usage from unfamiliar programs. Right-click suspicious processes, select "Open file location" to identify where they're running from, then "End task" to terminate them. Document the file locations for later deletion.

04

Remove malware persistence mechanisms

Press Windows+R, type "regedit" and press Enter to open Registry Editor. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for suspicious entries with random names or pointing to files in user directories. Delete any entries you identified from the process investigation. Also check Task Scheduler (press Windows+R, type "taskschd.msc") for suspicious scheduled tasks and delete them.

05

Delete malware files and folders

Using File Explorer, navigate to the locations you identified in Task Manager (typically %TEMP%, %APPDATA%, or %LOCALAPPDATA% folders). Delete the entire folder containing the malicious executable—not just the .exe file, as associated configuration files and data may remain. Also check your Downloads folder and Desktop for any suspicious attachments you opened from the phishing email and delete them permanently. Empty the Recycle Bin afterward.

06

Run comprehensive malware scans with reputable tools

Reconnect to the internet and download Malwarebytes (free version is sufficient) from malwarebytes.com. Run a full system scan—this typically takes 30-60 minutes. Malwarebytes excels at detecting phishing-related malware and information stealers. Also run a scan with your existing antivirus if you have one. Consider running a second-opinion scanner like HitmanPro or AdwCleaner for thorough coverage, as different tools detect different threat families.

07

Reset web browsers to default settings

Many phishing campaigns install browser extensions or modify browser settings to monitor activity or inject additional phishing pages. In Chrome, go to Settings > Advanced > Reset and clean up > Restore settings to their original defaults. In Firefox, go to Help > More Troubleshooting Information > Refresh Firefox. In Edge, go to Settings > Reset settings > Restore settings to their default values. This removes malicious extensions and hijacked homepage/search settings.

08

Change all critical passwords immediately

If you entered any credentials on a phishing page or if info-stealing malware was detected, change passwords for all critical accounts from a different, clean device. Start with email, banking, and financial accounts, then move to social media and other services. Use strong, unique passwords for each account—consider using a password manager like Bitwarden or 1Password to generate and store them securely. Enable two-factor authentication wherever available.

09

Monitor financial accounts and credit reports

If you provided credit card information or banking credentials to a phishing site, contact your bank immediately to report the potential compromise. Request new cards if necessary. Monitor your accounts daily for unauthorized transactions. Consider placing a fraud alert on your credit reports with the three major bureaus (Equifax, Experian, TransUnion) to prevent identity theft. This step is crucial—phishing victims often don't realize the full extent of theft until fraudulent charges appear weeks later.

10

Reboot normally and verify system stability

Restart your computer in normal mode and observe behavior carefully for the next few days. Watch for unusual network activity, unexpected pop-ups, performance degradation, or programs starting automatically that shouldn't. Run another quick scan with Malwarebytes after 24-48 hours to catch any lingering components. If problems persist or you're uncertain about complete removal, bring the system to our shop for professional verification—some sophisticated threats have multiple persistence mechanisms that are easy to miss.

Prevention

  1. Verify delivery notifications independently. If you receive an unexpected delivery notification, don't click links in the email. Instead, open a new browser tab and go directly to the courier's official website, then enter any tracking numbers manually. Legitimate delivery services never require you to click links to view basic tracking information.
  2. Examine sender addresses carefully. Hover over the sender's name in your email client to reveal the actual email address. Phishing emails often use addresses like "dhl-delivery@notification-center.com" or "tracking@dhl-usa.net" instead of the legitimate "noreply@dhl.com". Look for misspellings, extra hyphens, or unusual domain extensions (.xyz, .top, .info).
  3. Never enable macros in email attachments. Legitimate companies never send documents requiring you to enable macros. If you receive an Office document that prompts "Enable Content" or "Enable Macros" to view it, delete it immediately. Microsoft Office disables macros by default specifically because they're a primary malware infection vector.
  4. Maintain updated security software. Keep Windows Defender or your chosen antivirus solution up to date and running real-time protection. Modern security software can detect many phishing emails before they reach your inbox and block malicious downloads before they execute. Enable automatic updates to ensure you have the latest threat definitions.
  5. Use email filtering and anti-phishing features. Enable spam filtering in your email client and mark phishing emails as spam when you receive them. Gmail, Outlook, and other major providers use machine learning that improves when users report phishing attempts. Consider enabling advanced protection features like Gmail's "Check suspicious links" or Outlook's anti-phishing policies.
  6. Educate everyone who uses shared computers. Phishing attacks target the least security-aware user on a system. Make sure family members, employees, or anyone with access to your computers understands the basics: don't click unexpected links, don't open attachments from unknown senders, and verify delivery notifications independently. One person's mistake can compromise an entire household or business network.
  7. Implement two-factor authentication everywhere possible. Even if credentials are stolen through phishing, 2FA provides a critical second layer of defense. Use authenticator apps (Google Authenticator, Microsoft Authenticator) rather than SMS-based 2FA when possible, as SMS can be intercepted through SIM swapping attacks.
  8. Keep software updated and patched. Many malware payloads exploit known vulnerabilities in outdated software. Enable automatic updates for Windows, browsers, Adobe products, Java, and other commonly targeted applications. Uninstall software you don't use—it's one less potential vulnerability to worry about.
Our 90-Day Warranty
When we remove malware from your system, we back our work with a 90-day warranty. If the same threat returns within three months, we'll re-clean your computer at no additional charge. We also provide detailed prevention guidance tailored to your specific situation to help ensure you stay protected. Our goal isn't just to fix the immediate problem—it's to make sure you understand how the infection happened and how to prevent it from happening again.

Bring It In

If you clicked a link in a DHL phishing email, opened an attachment, or entered credentials on a suspicious page, don't take chances with manual removal—especially if sensitive financial information or business data is at stake. The malware distributed through these campaigns is sophisticated, often includes multiple components, and is specifically designed to evade detection while stealing valuable information. What looks like successful removal may leave hidden backdoors or keystroke loggers operating in the background, continuing to capture passwords and banking credentials long after you think the problem is resolved.

Computer Repair Roswell has extensive experience identifying and eliminating phishing-related infections. We use professional-grade forensic tools to detect hidden persistence mechanisms, verify complete malware removal, and assess whether data exfiltration occurred. Bring your computer to our Roswell shop at 950 Mansell Road, or call us at (770) 695-6672 to discuss your situation. We offer same-day service for urgent infections and transparent pricing with no surprises. Don't let a phishing email compromise your financial security or identity—get professional verification that your system is truly clean.