This phishing campaign impersonates dao, a Danish parcel delivery service. The scam uses a fake “delivery failed” notification to trick victims into providing personal information, which can later be used for identity theft or to redirect victims to a payment page where credit card details are stolen.
How it works:
Fake Tracking Page – The victim receives an SMS or email with a link to a fake tracking page. The page displays a fake tracking number and a false status (e.g., “Delivery attempt failed”).
Delivery Failure Notice – The victim is informed that the package could not be delivered because the address was unclear. A button or link (e.g., “Update Address”) is presented.
Address Update Form – The victim is taken to a page that asks for personal details: first name, last name, street address, city, postal code, email, and phone number (with Danish country code +45 pre‑filled).
Potential Next Step (not fully shown) – After submitting the address, the victim may be redirected to a payment page requesting card details (e.g., a small “redelivery fee”). This is a common pattern.
The goal:
The attacker collects:
Full name, address, postal code, city
Email address and phone number
With this information, the attacker can:
Sell the data to other criminals
Use it for identity theft
Target the victim with follow‑up scams (e.g., fake bank calls)
If a payment page follows, also steal credit card details
Red flags to watch for:
Suspicious URL: The pages are hosted on domains that are not dao.dk or the official dao website. The visible fragments (e.g., 135.2.tv, 135.1.tv) suggest a subdomain or odd URL structure.
Unsolicited delivery failure notification: dao does not send links to update addresses via SMS or email. Legitimate delivery issues are handled through the official tracking system or by contacting customer service directly.
Fake tracking number: The tracking number (CP318587863DK) is fabricated and cannot be verified on the real dao website.
Request for personal information before delivery: A legitimate courier already has your address. They will not ask you to re‑enter it via a link in a message.
Generic design / copied content: The pages use dao’s branding, navigation menus, and help section links, but these are copied from the real site. The domain is the giveaway.
What to do if you encounter this:
Do not enter any personal information (name, address, email, phone).
If you have already entered such information, be aware that it may be used for identity theft or follow‑up scams.
If you were redirected to a card payment page and entered card details, contact your bank immediately to block your card.
Always track packages by typing the official courier URL directly (e.g., dao.dk) and entering your real tracking number.
Report the phishing page to dao’s customer service.
Protective measures:
Never click links in unsolicited delivery messages. Always go directly to the official courier website.
Never provide your address, email, or phone number in response to a delivery notification link.
Check the URL carefully: Official dao domains end with dao.dk. Look for misspellings, extra words, or unusual top‑level domains (e.g., .tv, .th).
Enable two‑factor authentication on your email and banking accounts.