A Canada Post phishing campaign uses SMS and email, claiming an “incomplete address” to lure victims into paying a small fee on a fraudulent website. This scheme steals full name, address, and credit card details, including 3D-Secure codes, to facilitate larger fraudulent transactions.
This Canada Post phishing campaign targets residents with fraudulent SMS/email alerts regarding package delivery failures, directing them to a fake portal to steal personal information and credit card data. The scam utilizes a “micro-payment” tactic to harvest card details and 3D-secure codes for high-value transactions, disguised as a small re-delivery fee. To protect against this threat, users should inspect the URL for legitimacy, ignore requests for payment via text, and verify tracking numbers on the official Canada Post site.
Canada Post “Address Verification” Phishing
Target: Residents of Canada and International Shippers
Threat Level: High (Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack leverages Logistics Impersonation, specifically targeting users expecting or sending packages through Canada Post. Victims receive a “Smishing” (SMS) or Phishing Email stating that a package is held at a warehouse due to an “incomplete address” or a “small unpaid shipping fee” (usually under $3 CAD).
The link leads to a high-fidelity clone of the Canada Post tracking page. To “re-route” the package, the victim is prompted to enter:
Full Name and Delivery Address (to build a profile for identity theft).
Phone Number.
Full Credit/Debit Card Details (Number, Expiration Date, and CVV).
3D-Secure SMS Codes: The fake site captures the verification code in real-time, allowing the attacker to authorize a much larger fraudulent purchase disguised as a small shipping fee.
⚠️ Red Flags to Watch For
Deceptive Domain: The official Canada Post domain is canadapost-postescanada.ca. Phishing sites use lookalikes such as canadapost-redirection.com, postes-canada-verify.net, or free subdomains like canadapost-package.web.app.
Insecure Links in SMS: Canada Post has stated they will never send unsolicited text messages with clickable links asking for personal or financial information.
Unusual Payment Requests: A legitimate postal service will not hold a package for a $1.95 or $2.50 fee via a text message link. These “micro-payments” are a psychological trick to make the victim feel the risk is low.
💡 Expert Security Tip: The “Micro-Payment” Trap
The Method:
This case highlights a common Financial Skimming tactic known as the “Micro-Payment” hook. Scammers ask for a negligible amount (e.g., $1.50 – $3.00) to lower your critical thinking.
The Trap:
When you enter your card details for a $2.00 fee, you aren’t just losing two dollars. You are handing over your full credit card credentials to a criminal database. Furthermore, the SMS code you receive from your bank is often not for the $2.00 fee, but for a much larger “invisible” transaction the attacker is processing in the background (such as a $1,000 gift card purchase or a high-end electronics order).
How to Protect Yourself:
Verify via Official App: If you have a tracking number, enter it manually into the official Canada Post app or website. Do not use the link in the message.
The CVV Rule: No shipping company needs your CVV code (the 3 digits on the back) to “confirm an address.” Requests for card security codes are a definitive sign of fraud.
Check the Currency: Phishing sites sometimes forget to localize. If a “Canada Post” page asks for payment in Euros (€) or US Dollars ($), it is 100% a scam.