Phishing Example: DHL Express Document

January 15, 2016

What makes this a Phishing message?

  • The sender's email address, "office@korloycompany.ro", is suspicious:
    • The top-level domain (.ro) is Romanian -- would you expect a legitimate company to email you about a U.S. shipment from an email address originating in Romania?
    • The domain name itself (korloycompany.ro) has no connection to who the sender purports to be. DHL Express is a well known shipping company and would not send email notifications from office@korloycompany.ro.
  • Why would a DHL parcel arrive at the post office?  That doesn't make sense. 
  • And why would you need to check the shipping documentation before the package is dispatched?  That is very unusual.

This message is a ploy to trick the recipient into clicking on the links below, which then takes them to a webpage where malware is surrepticiously installed on their computer.

Original Message:

Subject: DHL EXPRESS DOCUMENT
From: "DHL EXPRESS" <office@korloycompany.ro>
Date: 1/15/2016 6:47 AM
To: xxx@berkeley.edu

Dear xxx@berkeley.edu

Your parcel (shipping document) arrived at the post office. Here is your Shipping Document/Invoice and copy of DHL receipt for your tracking which includes the bill of lading and DHL tracking number, the new Import/Export policy supplied by DHL Express. Please kindly check the attached to confirm accordingly if your address is correct, before we submit to our outlet office for dispatch to your destination.

Label Number: E727D5151D
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

Find attached the full statement information and a full list of outstanding Invoices.
Your item will arrive in two (2) days time, and within the agreed credit term as stated on your Invoice.
We would like to thank you for using the services of DHL Express.

Read the enclosed file for details.


 DHL_EXPRESS.pdf (34Kb) View | Download

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu (link sends e-mail) (link sends e-mail).  Be sure to include the entire text of the message, including the email header.