Credit: Shutterstock
Published Apr 29, 2026, 4:44 PM EDT
Sara Heritage is a tech and gaming journalist, who's currently making her way up to Master Ball rank in Pokemon Champions. Bylines in IGN, GAMINGbible, The Gamer and more. You can usually find her tinkering with tech, or restoring old consoles, always with one of her 3 cats nearby. Come and talk with her over on Twitter @SHeritageJourno.
Sign in to your MakeUseOf account
Summary
- DHL phishing uses display-name spoofing and fake OTP flow to steal passwords, IP, geolocation, and device data.
- The scam uses fake "confirm your waybill" steps and artificial delays to lower your guard.
- Protect yourself: check the URL, use a password manager, never enter on-screen codes, and verify on DHL's site.
A startling new report from Forcepoint X-Labs has shed light on a sophisticated DHL phishing campaign targeting users worldwide. By using familiar-brand impersonation and a fake OTP verification step, scammers are harvesting passwords, IP addresses, geolocation data, and device details from everyday users.
This scam works by avoiding the high-stakes “account compromised” messages that set our alarm bells ringing in 2026. Instead, it exploits the mundanity of confirming a shipping waybill to trick you.
While writing this article, I was expecting a package from DHL; I clicked on “confirm your waybill” without even thinking, only to realize what I’d done seconds later. The irony is palpable, but it proves how even tech-savvy users can get caught out now and then. Here’s everything you need to know about this latest DHL scam, including what to do if you get scammed.
Related
How does the DHL scam work?
Credit: Forcepoint
This highly polished campaign uses security theater to make you feel safe, all while picking your pocket. The email looks identical to a real DHL Express notification. However, as noted by TechRadar, the first red flag is the sender's domain. In this case, the emails originate from cupelva[.]com—a domain with zero connection to DHL. On a mobile device, this is easy to miss because the "Display Name" simply reads "DHL Express." This is a classic example of how hackers use display name spoofing to bypass our initial skepticism.
The most devious part of this scam happens after you click the link. Instead of taking you straight to a login page—which might make you suspicious—the hackers walk you through a series of "validation" steps:
- Typing in a fake, on-screen parcel code to “verify” your identity
- An artificial delay to make it seem like the website’s database is actually working.
These steps lower your guard. By the time you are asked for your email and password, you have already "verified" the transaction in your mind.
Use a reputable Password Manager. Because these tools are tied to specific domains, they will refuse to "Autofill" your password on a fake site, even if the page looks exactly like DHL.
If you fall for this scam, the theft is instant. The hackers use a legitimate service called EmailJD to funnel your data directly to their inbox.
How to spot the fake DHL workflow
To stay safe online, you’ll need to know these key safety tips.
- Always check the address bar, and use a web link tool to make sure the website is legitimate.
- Never enter an on-screen code anywhere. A real one-time password (OTP) is sent to you via text or email.
- Use a password manager — if your browser doesn’t recognize the site, it’s not real.
- Always double-check your order via the official DHL website, and type in your tracking number manually.
If you think you've already been targeted, check out our guide on what to do after falling victim to an online scam to secure your accounts before it's too late.