Fake Correos Mail page detected

Posted byAnti-phishing Leave a comment on Fake Correos Mail page detected

Analysis Memo: This scam layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the hostile origin link has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Actual screenshot of "Fake Correos Mail page detected" phishing interface captured during link moderation on our platform.
Figure 1: Verified screenshot of the live scam infrastructure intercepted by our security systems.

This screenshot shows a package delivery phishing page targeting Spanish‑speaking users. The scam claims a delivery attempt failed and asks the victim to pay a small fee (€1.99) to reschedule, capturing full credit card details in the process.

Threat Analysis: Package Delivery Phishing – Small Fee & Card Harvesting

How it works:
The victim receives an SMS or email claiming a package could not be delivered. A link leads to this page, which asks for:

  • Card number
  • Expiration date (MM/AA)
  • Security code (CVV)

The page shows a fake delivery code and a total of €1.99 – a tiny amount designed to lower suspicion. The “Pagar” button submits the stolen card data to the attacker.

The goal:
The attacker collects full credit/debit card details to make unauthorized purchases, clone the card, or sell the information.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not an official postal or courier service.
  • Small fee trick: Scammers use a negligible amount so victims pay without thinking.
  • Request for CVV for a simple redelivery fee: Legitimate delivery services do not ask for CVV codes to reschedule a delivery.
  • No tracking number that can be verified independently: The “E5/2938456” is fake.
  • SSL badge: The “secure payment” badge is fake – phishing pages often add such graphics to appear trustworthy.

What to do if you encounter this:

  • Do not enter any card details.
  • If you are expecting a package, track it directly on the official courier website using your real tracking number.
  • If you have already entered your card details, contact your bank immediately to block the card and dispute any fraudulent charges.
  • Report the phishing page to the legitimate courier company being impersonated.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the courier’s official website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person or through the official site after logging in.
  • Check the URL carefully. Look for misspellings, unusual domains, or free hosting services.
  • Enable transaction alerts on your bank account to catch unauthorized charges early.

Leave a comment

Your email address will not be published. Required fields are marked *