Skip to content
logo The magazine for digital lifestyle and entertainment
A brand of Bild
Fraud All topics
Attention!

Strange Package Notifications via SMS? It’s a Scam

Woman Looks Unhappily at Smartphone
Fraudsters are increasingly attempting to obtain personal user data. Photo: Getty Images
Share article

April 14, 2026, 2:05 pm | Read time: 6 minutes

Package notifications are helpful and usually spread joyful anticipation. However, scammers repeatedly try to exploit this. TECHBOOK explains the schemes that even the state criminal police office warns against!

Scammers repeatedly use devious tricks to obtain sensitive data. One of them has been annoying people for months–the supposed announcement of a package, which recipients are informed about via SMS. As early as February 2021, the state criminal police office in Mainz warned about these SMS messages. Yet, the notifications are still circulating and are increasing in frequency. With package notifications via SMS, criminals attempt to install malware on their victims’ smartphones.

Fraud via Package SMS

If SMS recipients click on a supposed confirmation link ending in “duckdns.org,” malware is downloaded and installed on the phone in the background. “This malware discreetly forwards sensitive data, spies on the victim’s contact list, and then independently sends SMS messages with the malware to various phone numbers, which can incur additional costs,” according to the state criminal police office. In one case, a woman from Mainz suffered a loss in the three-digit range due to the fake SMS package notification, the officers said.

Another SMS suggests that a package cannot be delivered due to incomplete information. To pressure recipients, the message often includes something like “Please confirm your address within 12 hours.” Especially if you’re actually expecting a package, the scheme is dangerous. You should never comply with the requests, whether it’s clicking on a link or confirming via message. It’s best to report the messages directly as spam.

Not Just the Police Warns

The New Zealand Computer Emergency Response Team CERT NZ also warns of a scheme where hackers aim to install spyware on smartphones. The spying malware is again hidden in package SMS messages. If recipients follow the link in the SMS, they are prompted to download a package tracking app. In some cases, opening the link also triggers a warning that the smartphone is infected with “FluBot” malware–and a prompt to install a security update against it. The warning includes instructions to allow installation from unknown sources in the settings to apply the security update. However, users should never do this, as it precisely installs the spyware on their device.

FluBot is spyware specialized for Android smartphones. The malware can steal login data and passwords from banking apps, for example. The spyware uses an Android feature called “Screen Overlay,” which allows an app to open its own window over another app. FluBot can thus create a realistic-looking replica of an actual banking app and deceive users into entering their data. FluBot only becomes dangerous if you actually install something or grant access permissions. iPhone users are not affected by the spyware, as iOS does not allow the installation of apps from unknown sources.

Such schemes are not new. Cases repeatedly come to light where criminals use the supposed package announcement via SMS and email to obtain sensitive data. Often, the messages claim that a package is on its way to the recipient or has not yet been picked up. These messages misuse the names of package service providers like DHL, UPS, and others. Sometimes, they involve service providers from other countries or entirely fictitious companies.

Also interesting: These are the sneaky tricks of phishing scammers

Recognizing Fake Package SMS and Emails

The fake package notifications come via SMS and email. They can be recognized by subject lines like “Your package was not delivered correctly.” Or they are simply fictitious shipping confirmations. The police are also aware of variants where recipients of shipments are supposedly required to pay additional postage for the package to be delivered. Those who then curiously click on the link in the SMS are taken to a fake package tracking page. On this page, recipients are asked to first enter a fictitious tracking number, which was also included in the text message. They are also asked to fill out an online form with personal data–the actual phishing attack.

In general, users should never click on links in emails or SMS messages from senders they do not know well. For one, because doing so can trigger the download of malware. For another, because the links may lead to sites where scammers harvest personal and payment data, or that are heavily laden with ads.

The police also warn against clicking “Unsubscribe” links in such fake package notifications. Doing so merely confirms receipt of the message–and can lead to even more phishing spam in the future.

More on the topic

Victims of Fake Package SMS Should Not Pay High Bills

In some cases, the warning not to click on links in package SMS messages may come too late. In the worst case, you may have already caught harmful software on your smartphone. With it, scammers can spy on data or send mass SMS messages. Without an SMS flat rate, this can quickly become expensive. In disputes with your phone provider, the consumer center of North Rhine-Westphalia advises staying calm–and fighting back.

If not already done, victims who fell for the package SMS should file a criminal complaint with the police. This is important later to exclude personal fault. Additionally, do not immediately pay the demanded bill from the mobile provider. If the provider insists on payment for the unnoticed sent SMS messages, ask specifically what protective mechanisms are in place to prevent such atypical behavior from a single phone line. Consumer advocates also recommend sending a copy of the criminal complaint and explaining that a malware program was responsible.

Victims of the package SMS scheme can also check whether their homeowners insurance might cover such cases. Consumer advocates point out that some contracts cover these and other cases of abusive online activities.

Finally, you should avoid things like settlements. Some companies offer a cost cap, meaning victims pay 100 euros and the case is closed. However, the consumer center of North Rhine-Westphalia warns against this. From their perspective, mobile customers are essentially being forced to take full responsibility for future cases through a commitment declaration. The center’s lawyers advise striking such clauses. In case of doubt, legal advice is worthwhile.

Source

With material from dpa

This article is a machine translation of the original German version of TECHBOOK and has been reviewed for accuracy and quality by a native speaker. For feedback, please contact us at info@techbook.de.

You have successfully withdrawn your consent to the processing of personal data through tracking and advertising when using this website. You can now consent to data processing again or object to legitimate interests.