




DPD Czech Phishing – Fake “Buyer Payment Confirmation” & Card Harvesting
This phishing campaign impersonates DPD, a legitimate international parcel delivery service, specifically targeting customers in the Czech Republic. The scam uses the pretext of a “buyer payment confirmation” to trick victims into entering credit card details on a fake payment page.
How it works:
The victim receives a phishing email or SMS claiming that a buyer has paid for a shipment or that a package requires payment confirmation. The link leads to a series of fake DPD-branded pages.
Step 1 – Fake DPD Landing Page (First Screenshot)
The page displays:
A suspicious URL: dpd cz.info orders7657 pw/… (not the official DPD domain)
DPD branding and navigation links (copied from the real DPD website)
A heading: “Potvrzení o zaplacení kupujícím” (Buyer payment confirmation)
A button or link likely leading to the next step (not fully visible in this screenshot)
The page mimics DPD’s legitimate Czech website layout to appear authentic.
Step 2 – Fake DPD Information Page (Second Screenshot)
This page displays legitimate-looking DPD content about the company’s services, corporate social responsibility, and support. Attackers often copy entire sections from real websites to make the phishing page appear credible. The page includes:
DPD’s real branding, mission statements, and navigation menus
Social media links and cookie policy information (copied from the official site)
However, the page is hosted on the fraudulent domain, not dpd.cz.
Step 3 – Bank Selection Page (Third Screenshot)
The victim is directed to a page asking them to select their bank from a list of major Czech and international banks, including:
MONETA
mBank
UniCredit
Raiffeisen BANK
Česká spořitelna
KB (Komerční banka)
Fio banka
and many others
This page is designed to make the victim believe they are about to complete a legitimate payment through their own bank’s secure portal.
Step 4 – Credit Card Harvesting Page (Fourth Screenshot)
After selecting a bank, the victim is taken to a page that requests:
Full credit card number (placeholder: XXXX XXXXX XXXXX XXXXX)
Expiry date (MM/YY)
Cardholder name and surname
The page displays a DPD logo and an amount: 2999 Kč (Czech koruna), along with a transaction number (#163962098).
The goal:
The attacker steals the victim’s credit card details (card number, expiry date, and cardholder name). With this information, they can make fraudulent online purchases, create cloned cards, or sell the data. There is no legitimate payment—the entire “buyer confirmation” and delivery context is fabricated.
Red flags to watch for:
Suspicious URL: The initial page is hosted on dpd cz.info orders7657 pw/…. The official DPD Czech domain is dpd.cz. Any deviation (extra words, misspellings, or different TLDs like .info) is a red flag.
Unusual request for card details: DPD does not process payments through a “bank selection” page that asks for full credit card details on a third-party site. Legitimate DPD payments are handled through integrated payment gateways (e.g., ComGate, GoPay) on the official website.
Context mismatch: The scam combines a “buyer payment confirmation” (suggesting the victim is receiving money) with a request for the victim’s own credit card details. This is illogical—receiving money does not require entering your card information.
Copied content: The second page contains legitimate DPD text, but it is hosted on a fake domain. Attackers often copy entire sections of real websites to make their pages look authentic.
Generic transaction details: The transaction number (#163962098) and amount (2999 Kč) are fabricated and not tied to any real shipment.
No login or tracking number: A legitimate DPD payment confirmation would require a tracking number or reference to a specific shipment. This page lacks any such identifier.
What to do if you encounter this:
Do not select your bank or enter any credit card details.
Do not enter any personal information on these pages.
If you are expecting a package from DPD, go directly to dpd.cz and enter your tracking number to check its status.
If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
Report the phishing page to DPD Czech and to the relevant anti-phishing authorities.
Why this scam is effective:
DPD is a widely used delivery service in the Czech Republic. The scam exploits the common scenario of e-commerce transactions where buyers pay for shipments. The copied legitimate content from DPD’s real website makes the fake pages visually convincing. The bank selection list with well-known Czech banks adds to the illusion of authenticity, making victims believe they are being redirected to a secure banking portal.
Protective measures:
Always type the official URL (dpd.cz) directly into your browser to track shipments or make payments.
Never click links in unsolicited emails or SMS messages claiming delivery issues or payment confirmations.
Be suspicious of any page that asks for your credit card details outside of a well-known, secure payment gateway (e.g., ComGate, GoPay) on the official merchant site.
Check the URL carefully—phishing domains often contain the brand name but add extra words, use different TLDs (.info, .site, .xyz), or have slight misspellings.
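The URL red flags described above (brand name plus extra words, a different TLD, slight misspellings) can be checked mechanically before a link is opened or delivered. The following is an added example, not part of the original write-up: the function names, the heuristics and the sample links are assumptions constructed for illustration, and only dpd.cz and the .info/.site/.xyz TLDs come from the page.

```python
from urllib.parse import urlsplit

OFFICIAL = "dpd.cz"                      # official domain named on the page
BRAND = "dpd"
SUSPECT_TLDS = {"info", "site", "xyz"}   # TLD examples listed on the page

def edit_distance(a, b):
    """Levenshtein distance, used to catch slight misspellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, reasons) for a link that claims to come from DPD."""
    if "//" not in url:
        url = "//" + url                 # let urlsplit treat a bare host as netloc
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Only the official domain or a true subdomain of it passes.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official", []
    labels = host.split(".")
    tokens = [t for label in labels for t in label.split("-") if t]
    reasons = []
    if BRAND in tokens:
        reasons.append("brand name on a non-official domain")
    elif any(BRAND in t for t in tokens):
        reasons.append("brand name embedded in extra words")
    elif any(abs(len(t) - len(BRAND)) <= 1 and edit_distance(t, BRAND) == 1
             for t in tokens):
        reasons.append("slight misspelling of the brand name")
    if reasons and labels[-1] in SUSPECT_TLDS:
        reasons.append("TLD differs from .cz (" + labels[-1] + ")")
    return ("lookalike" if reasons else "unrelated"), reasons

# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://www.dpd.cz/tracking",
    "https://dpd-cz.orders-sample.info/pay",
    "https://dpd.cz.parcel.example/confirm",
    "https://dpb.example/",
    "https://news.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, classify(link))
```

The misspelling check is deliberately loose for a three-letter brand and will produce false positives; treat a "lookalike" verdict as a reason to inspect the link, not as proof.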
