// Case Studies
Parcel customs phishing: the cloaked fraud page behind the customs fee
An email in the name of DHL Express reports a held parcel and demands a small customs fee of a few euros. The amount is deliberately small so it hurts no one. The link leads via a URL shortener to a page that hides from analysis in several layers: a bot check, a behaviour and device analysis, and finally a request for card details. In this real case we made the actual fraud page visible in isolation behind the cloaking, attributed the origin server behind the reverse proxy, and identified a whole cluster of related domains. We name no one; the focus is the method.
Updated: 2026-07-12
How the case was handled
- 1Check the message instead of clicking: real carriers do not demand a customs fee via an email link, and the sender address rarely belongs to the official domain.
- 2Recognise the amount as bait: an unusually small fee of a few euros lowers your guard — the target is your card data, not the 2.99 €.
- 3Do not open the link in your everyday browser: first look only at the destination — the path led via a shortener to a foreign domain only days old.
- 4Understand the cloaking: to inspection systems the page first shows a bot check and a security verification, and only after several hurdles the actual card form.
- 5Attribute the infrastructure: behind the reverse proxy there is a real origin server — in this case part of a cluster of dozens of similar fraud domains.
- 6Trigger the reporting chains: notify the reverse-proxy provider, the origin host, the registrar and browser protection — with evidence covering the whole cluster.
- 7If you entered data, act at once: block the card, inform your bank and document the incident.
What to avoid
- Do not pay a customs or handling fee via a link from a parcel email or SMS.
- Do not enter card details on a page you reached via a redirector link.
- Do not be fooled by the small amount — it is the bait, not the target.
- Do not treat a security verification or bot check as proof of authenticity — fraud pages use them too.
How SKOPION helps
SKOPION verifies suspicious messages, makes cloaked fraud pages visible in isolation and without risk to your devices, attributes the origin server behind reverse proxies and whole operator clusters, and triggers the right reporting chains for takedown — documented and solely from externally accessible sources.
Confidential enquiryFAQ
- Why is the demanded fee so small?
- Because a small amount lowers your guard. It is not about the 2.99 € but about the card data you are meant to enter on the page.
- Why does the page show a security verification or bot check?
- It is cloaking: it is meant to fend off automated inspection and sandboxes and show the real card form only to genuine victims — not a sign of legitimacy.
- I entered card details — what now?
- Block the card immediately, inform your bank, watch the transactions and document the incident. Keep the original email with headers for the report.