The Courier Guy Phishing – Small Fee & Card Data Harvesting

This screenshot shows a phishing page impersonating The Courier Guy, a South African courier service. The victim is told that a parcel has an outstanding balance of R15.99 and must be paid immediately. The page then requests full credit/debit card details (cardholder name, card number, expiry date, CVV) along with the card issuer bank and the victim’s phone number.


How it works:
The victim receives an SMS, email, or other message claiming that a package (with the fake tracking number “CG15403239”) cannot be delivered until a small payment (R15.99) is made. The link in the message leads to this page, which mimics The Courier Guy’s official checkout portal.

The victim is asked to provide:

  • Cardholder name
  • Card number
  • Expiry month and year
  • CVV security code
  • Card issuer (bank name)
  • Mobile phone number

After filling in the details and clicking “Deposit Payment”, the information is sent to the attacker.

The goal:
The attacker collects:

  • Full credit/debit card information (number, expiry, CVV)
  • Cardholder name and issuing bank
  • Phone number

With this data, the attacker can:

  • Make fraudulent online purchases or clone the card
  • Use the phone number to intercept SMS-based two-factor codes (SIM swapping), or sell it to other scammers

Red flags to watch for:

  • Suspicious URL: The page is hosted on pay.thecourierguy.pro, not on the official The Courier Guy domain (which would be thecourierguy.co.za or similar). The .pro TLD is unusual for a legitimate courier service.
  • Request for CVV and full card details for a small fee: A legitimate courier never asks for your card security code to collect a delivery fee. Such fees would be paid through a secure payment gateway without exposing the CVV.
  • Small fee trick: R15.99 is a trivial amount designed to make the payment seem harmless.
  • Fake tracking number: The tracking number “CG15403239” cannot be verified on the official courier website.
  • Excessive data collection: Asking for the card issuer (bank name) and phone number in addition to full card details is unusual for a simple payment and suggests the attacker wants to gather as much personal data as possible.
  • Unsolicited request: The Courier Guy does not send links requiring customers to pay for undelivered parcels via an external payment form.

What to do if you encounter this:

  • Do not enter any card or personal information.
  • If you are expecting a delivery from The Courier Guy, track it directly by typing the official URL (thecourierguy.co.za) into your browser and using your real tracking number.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to The Courier Guy’s fraud team.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the courier’s official website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person, through the official app, or after logging into your account.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top-level domains (.pro, .xyz, .top, etc.).
  • Enable transaction alerts on your bank account to catch unauthorized charges early.
  • Use a password manager – it will not autofill on fake domains.
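
The URL check described above can be automated in a mail or SMS filter. The following is an added example, not code from The Courier Guy or from the original page; it assumes the official domain is the one named above (thecourierguy.co.za), the constant and function names are this example's own, and the sample URLs other than the phishing host are constructed.

```python
from urllib.parse import urlsplit

# Assumptions of this example: the official domain is the one the page names;
# the brand token and TLD watch list come from the page's own examples.
OFFICIAL_DOMAINS = {"thecourierguy.co.za"}
BRAND_TOKEN = "thecourierguy"
WATCHLIST_TLDS = {"pro", "xyz", "top"}


def hostname_of(url):
    """Return the lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "//" + url
    # .hostname drops any "user@" prefix, so "official.tld@phish.tld" yields phish.tld.
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_official(host):
    """True only for an official domain or a subdomain of it (label-boundary match)."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify(url):
    """Classify a link as official, lookalike, suspicious, unrelated or invalid."""
    host = hostname_of(url)
    if not host:
        return {"host": host, "verdict": "invalid", "reasons": ["no hostname"]}
    if is_official(host):
        return {"host": host, "verdict": "official", "reasons": []}
    reasons = []
    # Drop dots and hyphens so "the-courier-guy" style spellings still match.
    squashed = host.replace("-", "").replace(".", "")
    brand_hit = BRAND_TOKEN in squashed
    if brand_hit:
        reasons.append("brand name in a non-official domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph)")
    if host.rsplit(".", 1)[-1] in WATCHLIST_TLDS:
        reasons.append("watch-listed TLD")
    verdict = "lookalike" if brand_hit else ("suspicious" if reasons else "unrelated")
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # First URL uses the host from the page; the path and the rest are constructed.
    for u in ("https://pay.thecourierguy.pro/checkout",
              "https://www.thecourierguy.co.za/track",
              "thecourierguy.co.za.example.top"):
        print(classify(u))
```

The official-domain test matches on a label boundary, so a host that merely starts or ends with the official name is still reported as a lookalike.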
