Package Tracking Phishing – Credit Card Harvesting
This phishing page impersonates a postal or courier service, likely targeting an international audience. The page claims to provide tracking information for a package (Tracking Number: SG904951986) while simultaneously requesting sensitive financial details under the guise of “pay by card.”
How it works:
The victim receives a phishing email or SMS claiming a package is awaiting delivery, that a customs fee is due, or that a redelivery fee must be paid. The link leads to this page, which displays:
A fake tracking number (SG904951986)
A description: “Standard package”
Fields for Full Name, Phone Number, and a complete credit card form (Card Number, Expiry Date, CVV)
When the victim fills out the form and clicks “Confirm,” all personal and financial information is sent directly to the attacker.
The goal:
This is a direct financial phishing attack. Unlike more sophisticated multi-step phishing pages that first collect login credentials and then payment details, this page combines both. The attacker obtains:
The victim’s full name and phone number (useful for identity theft or follow-up scams)
Complete credit card details (card number, expiration, CVV), which can be used for fraudulent online purchases, cloned cards, or sold on criminal marketplaces
Red flags to watch for:
No carrier branding: The page lacks any official logo or name of a legitimate carrier (e.g., USPS, FedEx, DHL, Royal Mail, etc.). Legitimate tracking pages always clearly display the carrier’s branding.
Vague tracking number: The tracking number “SG904951986” does not follow the standard format of any major carrier. Real tracking numbers are carrier-specific and can be verified on the official website.
Request for payment without context: The page demands credit card details but provides no explanation of what the payment is for (customs, redelivery, insurance, etc.). Legitimate carriers clearly state the reason for any fee.
Poor design and generic fields: The form is minimal, lacks security icons, and does not use HTTPS padlock indicators that legitimate payment pages display.
No delivery details: There is no recipient address, sender information, or estimated delivery date—all of which are standard on legitimate tracking pages.
What to do if you encounter this:
Do not enter your name, phone number, or any credit card details.
Do not click “Confirm” or any other buttons on the page.
If you are expecting a package, go directly to the official website of the carrier you believe is handling the shipment and enter your real tracking number.
Report the phishing page to the legitimate carrier being impersonated (if identifiable) and to anti-phishing organizations.
Why this scam is dangerous:
This type of phishing page is often distributed via SMS (“smishing”) with messages like “Your package could not be delivered. Please update payment information.” Because the requested amount is never specified, victims may assume it is a small fee. Once credit card details are submitted, attackers can drain accounts or make high-value purchases before the victim realizes what happened. The combination of personal information (name, phone) and financial data also enables identity theft.