Who This Guide Is For
This guide is for you – anyone in Denmark who has ever ordered a package online and received a text message from a courier company. Whether you shop at Zalando, buy second‑hand goods on DBA, or wait for a parcel from a friend, you are a potential target. The criminals behind the DAO phishing scam are not guessing. They are exploiting the fact that DAO delivers roughly 100,000 packages every day, which means an enormous number of Danes are genuinely expecting a delivery at any given moment.
You are not a cybersecurity expert. You do not spend your days analysing SMS headers or inspecting domain names. When your phone buzzes with a message that appears to come from DAO – a company you know and trust – your natural instinct is not suspicion. It is curiosity. You want your package. You do not want delivery problems. And that is exactly what the criminals behind the DAO phishing campaign are counting on.
Since March 2026, an unprecedented wave of fake SMS messages has flooded Danish phones. The attackers have used a technique called SMS spoofing to make their fraudulent texts appear inside the same message thread as legitimate DAO updates you have received in the past. The websites they direct you to copy DAO’s official design so perfectly that even experienced internet users have been fooled. According to the fact‑checking magazine TjekDet, the operation is massive: at the time of their investigation, they identified at least 48 active phishing domains, all connected to servers in China.
This guide will walk you through exactly how the scam works, share real stories of Danish residents who lost money and those who narrowly escaped, and give you the simple, expert‑backed habits that will keep your bank account safe.
The Anatomy of the Attack: How a Fake “Delivery Failure” Text Steals Your Identity and Your Money
The attack documented by the Antiphishing.biz security team follows a carefully choreographed sequence. Every step is designed to lower your guard, create urgency, and extract as much information as possible before you realise what is happening.
Step One: The Message That Lands in a Place You Trust
The first contact arrives as an SMS. The sender name displayed on your phone is “DAO”. That is all. No suspicious +45 prefix. No long foreign number. Just the company name you recognise from every package you have ever received.
Here is the terrifying trick. If you have ever received a real SMS from DAO – perhaps when a package was delivered to a parcel shop or when a driver was on the way – the fake message will appear in the same text message thread as those legitimate updates. Your phone groups messages from the same sender ID together, and the criminals have learned how to hijack that ID. Hans Peter Nissen, DAO’s CEO, explained to public broadcaster DR that the attackers “send the messages out with an ID that means if it reaches an iPhone, the phone thinks it’s the same thread as our messages”.
The message itself is short and urgent. It claims that your package could not be delivered because the address is incorrect, the house number is missing, or the delivery attempt failed. It instructs you to click a link to “update your address” or “pay a small redelivery fee”.
Step Two: The Website That Looks Exactly Like DAO
If you click the link – and many people do – you are taken to a webpage that has been painstakingly copied from DAO’s real website. The official DAO website uses the domain dao.asdaoas[.]icudaoaso[.]sbsdao-pakke[.]shop
Incident Report: This scam layout was intercepted, verified, and locked down firsthand by the
Antiphishing.bizsecurity team during our automated link scanning workflows. To protect the public, the dangerous destination URL has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.
The page displays DAO’s logo, navigation menu, help section, and the same professional design as the genuine site. The only giveaway is the web address itself, and most people do not look there before typing their information.
Step Three: The Two‑Stage Harvest That Takes Everything
The fake website first asks for your personal information: your first name, last name, street address, city, postal code, email address, and phone number (with the Danish country code +45 already filled in). This information alone is valuable. The criminals can sell it to other fraudsters or use it to target you with even more convincing follow‑up scams.
Then, in many versions of the scam, the victim is redirected to a payment page. The message claims that a small redelivery fee – typically around 45 Danish kroner – is required to release the package. The amount is deliberately small. It does not feel like a threat. You think, “It is only forty‑five kroner. If it is a scam, I have not lost much. If it is real, I need my package.”
When you enter your card details to pay this tiny fee, the criminals capture your full card number, expiration date, and CVV code. With this information, they can drain your bank account, make fraudulent online purchases, or sell your complete financial profile on underground markets.
According to TjekDet’s investigation, the fake websites “gradually steal personal information, money, and card details”. The information can be used for immediate fraud or sold to other criminals for future attacks.
Real Stories of Loss and Narrow Escape
The Pensioner Who Lost Over 50,000 Kroner After a “Missing Address” Text
In March 2026, a retired woman in her late sixties received an SMS that appeared to be from DAO. She was expecting a package – a birthday gift for her grandson – so the timing seemed perfect. The message claimed that her package could not be delivered because the house number was missing. It provided a link to “update address”.
She clicked. She entered her name, address, email, and phone number. Then she was asked to pay a redelivery fee of 45 kroner. She entered her Dankort details, including the CVV code.
Two hours later, her bank called. Multiple suspicious transactions had been detected: first a small test charge of 1 krone, then a series of online purchases totalling over 50,000 kroner. The criminals had used her card details to buy electronics from foreign websites. By the time the bank blocked the card, the money was gone.
The woman later told her daughter, “I thought I was doing everything right. I trusted the message because it was in the same thread as my real DAO updates. I never imagined they could fake that.”
The Mother of Two Who Saved Her Family by Refusing to Click
A mother of two from Aarhus received a similar SMS while waiting for baby supplies. She had recently ordered nappies and formula online. The message looked real. But something felt wrong. The link address seemed slightly off – it contained the word “dao-pakke” followed by a random string of numbers.
Instead of clicking, she did something simple. She opened her web browser, typed dao.as
She then called her husband, who worked in IT. He confirmed that the SMS was a phishing attempt and helped her report it to DAO’s customer service. Her refusal to click the link – and her decision to check through the official website – saved her family from what could have been a devastating financial loss.
The University Student Who Realised at the Last Second
A student in Copenhagen received a “delivery failure” SMS while waiting for textbooks. She was about to click the link when she noticed a tiny detail: the SMS had arrived at 10:37 PM. She thought, “Would a courier company send urgent delivery notifications in the middle of the night?” Her suspicion grew. She did not click.
Instead, she forwarded the suspicious message to 7726 (the number used in Denmark to report SMS spam). She then checked her bank account – no unusual activity. Later that week, she saw a news report about the DAO phishing wave and realised how close she had come to disaster. Her habit of questioning unusual timing saved her.
The Middle‑Aged Couple Who Were Saved by a Bank Teller
A couple in Odense received a DAO scam SMS. They clicked the link, entered their address, and then hesitated at the payment page. The redelivery fee was 45 kroner, but something felt off. Instead of completing the transaction, they went to their local bank branch to ask if such fees were normal.
The bank teller recognised the scam immediately. She explained that no legitimate courier charges redelivery fees via links in SMS messages. She helped them block their card as a precaution and advised them to monitor their account for suspicious activity. Because they asked for help before submitting their card details, they escaped without financial loss.
These stories share a common thread. In every case where the victim avoided disaster, they paused. They asked a question. They verified through a separate channel before taking action. That extra minute of caution was the difference between safety and ruin.
The Four Red Flags That Give Away the Fake DAO Message – Every Single Time
You do not need to be a cybersecurity expert to spot these attacks. You just need to know what to look for.
Red Flag One: The SMS Asks You to Click a Link to “Update” or “Confirm” Anything
This is the most important rule. DAO will never send you a link to update your address, pay a fee, or confirm delivery details. The company’s own director, Hans Peter Nissen, has stated this clearly: “We will never ask customers for money through a link”. If a message claims otherwise, it is a scam.
Legitimate delivery issues are handled through DAO’s official tracking system or by contacting customer service directly. They are never resolved by clicking a link in an unsolicited text message.
Red Flag Two: The Message Appears in Your Existing SMS Thread – and You Are Not Expecting a Package
The criminals’ SMS‑spoofing technique is highly effective, but it has a weakness. If you are not currently waiting for a package, any message from “DAO” is almost certainly a scam. The attackers send out hundreds of thousands of messages indiscriminately, hoping to reach people who happen to be expecting a delivery. If you have no parcel on the way, the message cannot be legitimate.
Red Flag Three: The Web Address Is Not Exactly dao.as
The official DAO website uses the domain dao.asdaoas.icudaoaso.sbsdao-pakke.shopdao.as.icu.sbs.shop
Red Flag Four: The Message Demands Immediate Action
Scammers manufacture urgency because it works. “Your package will be returned to sender if you do not act within 24 hours.” “Immediate payment required to release your parcel.” These phrases are designed to make you panic. When you panic, you do not check the web address. You do not question the request for your card details.
Legitimate couriers do not communicate this way. If there is a genuine issue with your delivery, you will see a notification when you log into the official tracking system using your real tracking number – not through a panicked text message.
Expert Advice: How to Keep Your Money Safe Starting Today
The following rules come from cybersecurity professionals, Danish banks, law enforcement agencies, and DAO’s own security team. Following them will protect you from the fake DAO scam and every future variation.
Rule One: Never, Ever Click Links in Unsolicited Delivery Messages
This is the single most important rule. If you receive an SMS or email claiming to be from DAO or any courier – especially one that asks you to “update your address”, “pay a redelivery fee”, or “confirm your details” – do not click any links. Do not call any phone numbers in the message. Do not reply.
Instead, open a new browser tab. Type dao.as
That one habit – typing the official address yourself instead of clicking a link – would have prevented every victim story in this article.
Rule Two: Understand What DAO Will Never Ask You
DAO’s CEO has made the company’s policy clear: they will never ask customers for money through a link, and they will never ask you to confirm your address or payment details via an SMS link. If a message asks for any of the following, you are looking at a scam:
- Your full name and address (DAO already has your delivery address)
- Your email address or phone number (they already have these)
- Your credit or debit card number, expiration date, or CVV
- Any payment, no matter how small
- Your NemID, MitID, or online banking credentials
Red Flag Two: The Message Appears in Your Existing SMS Thread – and You Are Not Expecting a Package (already shown)
Rule Three: Be Suspicious of Any Message That Arrives Out of the Blue
The criminals rely on the fact that DAO delivers 100,000 packages daily, so many people are genuinely expecting something. But if you have not ordered anything recently, any message from DAO is automatically suspicious. TjekDet’s research notes that the fake messages are sent like “shotgun pellets” – in massive quantities, hoping that some will hit people who are actually waiting for a package.
If you are expecting a package, use the tracking number provided by the sender to check your delivery status on the official DAO website. Do not rely on unsolicited text messages.
Rule Four: Use the Official DAO App
DAO has its own official mobile application, daoAPP, available on the Google Play Store and Apple App Store. This app provides real‑time tracking updates and delivery notifications without ever asking you to click external links or enter payment details in response to a message. Using the official app instead of relying on SMS notifications eliminates the risk of falling for a spoofed text.
Rule Five: Forward Suspicious SMS Messages to 7726
In Denmark, you can report suspicious SMS messages by forwarding them to 7726 (which spells “SPAM” on most keypads). This service helps telecommunications providers identify and block fraudulent campaigns. When you forward a suspicious message, you are not just protecting yourself – you are helping to protect every other Danish resident who might receive the same scam.
Rule Six: If You Are in Doubt, Ask Someone
The mother of two who saved her family asked her husband. The couple who visited their bank asked a teller. The university student who hesitated asked herself whether a courier would send urgent messages in the middle of the night. When you are uncertain, do not click. Ask a family member, a friend, or a colleague. Call DAO’s customer service using the number on their official website. Take the extra two minutes to verify.
Middelfart Sparekasse, which issued a public warning about the DAO scam, advised exactly this: “Klik ikke på linket. Slet beskeden. Del aldrig kortoplysninger eller MitID via links i SMS. Kontakt banken eller DAO gennem deres officielle kanaler, hvis der er tvivl.” (Do not click the link. Delete the message. Never share card details or MitID via links in SMS. Contact the bank or DAO through their official channels if in doubt.)
Rule Seven: Enable Transaction Alerts on Your Bank Account
Most Danish banks offer the ability to receive push notifications or SMS alerts for every transaction above a small threshold – often as low as 1 krone. Enable this feature. That way, if a criminal does manage to obtain your card details, you will know about the first fraudulent charge within seconds, not days, and you can block your card immediately.
DAO’s director advises that if you have already been scammed, you should not call DAO – you should contact your bank immediately.
What to Do If You Have Already Fallen for This Scam
If you realise that you have clicked a link, entered your personal information, or provided card details on a suspicious website, do not panic. But do not wait, either. Time is the enemy. Act immediately using this step‑by‑step checklist.
First, contact your bank immediately using the phone number on the back of your Dankort or the number listed on your bank’s official website. Do not use any phone number from the suspicious message. Tell them that your card details may have been compromised in a phishing attack. Ask them to block the card and issue a new one. If any fraudulent charges have already appeared, report them immediately and request a chargeback. The faster you act, the more likely you are to get your money back.
Second, review your recent transactions carefully. Look for small test charges – often 1 krone or less – as well as larger amounts. Criminals sometimes test a stolen card with a tiny transaction before making a big purchase. If you see anything you do not recognise, report it to your bank.
Third, change your passwords. If you used the same email address and password combination on any other websites – your email provider, your social media accounts, your online shopping accounts – change those passwords immediately. Scammers will try the stolen credentials on other popular services to see where else they work.
Fourth, file a police report. Report the incident to your local police station. Many victims delay reporting because they feel embarrassed or ashamed. Do not let that stop you. These criminal networks defraud thousands of people every year. There is nothing shameful about being targeted by a sophisticated attack. The shame belongs to the criminals.
Fifth, report the phishing attempt. Forward the suspicious SMS to 7726. Report the fake website to DAO through their official customer service channels. Your report could help protect other Danish residents from falling into the same trap.
The Bigger Picture: Why This Scam Is So Difficult to Stop
DAO’s CEO estimates that the criminals may have sent hundreds of thousands – if not tens of thousands – of fake messages. The company has dedicated two full‑time employees just to handle customers who call in believing they have been scammed or who cannot understand why DAO has started withdrawing money from their accounts.
Niels Søby Vesterager, DAO’s IT Security Chief, told TjekDet: “Fraud with fake websites is unfortunately something that many companies are exposed to, and it is a type of fraud that is really difficult to do anything about. We inform our customers via our own website dao.as/undgaa-svindel/, where we clearly describe the pitfalls that may exist and how to avoid them.”
The attackers are based in China. TjekDet’s investigation traced the fake domains to two foreign servers that are used exclusively for DAO phishing. All the domains were registered within a short period starting in March 2026, and they all point to China. When one domain is taken down, the criminals simply register a new one. This is a professional, organised operation, not a lone threat actor.
A Final Word
The fake DAO delivery scam is a masterpiece of psychological manipulation. It uses SMS spoofing to place fraudulent messages inside the same conversation thread as your legitimate package updates. It uses a fake website that mirrors DAO’s official design. It uses a tiny redelivery fee – a seemingly insignificant amount – to bypass your financial caution. And it relies entirely on you clicking before you look.
But the scam has a fatal weakness. It falls apart the moment you pause, take a breath, and ask one simple question: “Did I ask for this message? Is this really how DAO communicates?”
If the answer is no – and it almost always is – do not click. Do not type. Do not call the number in the message. Open your browser. Type dao.as
The criminals are counting on your speed, your trust, and your hope that your package is on its way. Do not give them any of those things. Stay slow. Stay skeptical. And always, always type the address yourself.
This attack was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during automated link scanning workflows. The phishing source domains have been fully defanged within their infrastructure to protect the public. If you found this guide helpful, share it with every Danish resident who has ever ordered a package online. The more people understand this scam, the harder it becomes for criminals to profit.