'This campaign works because it feels ordinary': Experts reveal how hackers use fake DHL messages to lure in victims
Forcepoint uncovers new phishing campaign using DHL assets
By Sead Fadilpašić, TechRadar · published 29 April 2026
- A phishing campaign is spoofing DHL emails to steal login credentials
- Victims are tricked with a fake waybill confirmation and staged validation steps
- Captured data, including passwords and device details, is sent directly to attacker mailboxes
Forcepoint has published a report about an ongoing phishing campaign designed to steal people’s DHL login credentials.
It starts with an email asking the victim to confirm a waybill. The email looks authentic and is designed in the same fashion as legitimate DHL emails, but it is easy to spot as fake: the domain used to send the message is cupelva[.]com, which is completely unrelated to DHL.
But many people don’t double-check the sender’s address, so it’s safe to assume some might fall for the trick and click on the “Confirm Waybill Information” button included with the message.
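The sender-address check that readers skip can be done automatically at the mail gateway. The sketch below is an added example, not code from Forcepoint's report or this article: it flags a message that claims the DHL brand while its sender or link domains fall outside an allowlist. The allowlist contents, the local part `notify`, the subject line and the link host `landing.example` are assumptions constructed for the sample.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains your organisation accepts as genuinely DHL-operated.
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}
HREF_RE = re.compile(r'href=["\']https?://([^/"\':]+)', re.I)


def base_domain(host):
    """Naive last-two-labels reduction; use a Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def brand_mismatches(raw):
    """Return findings where a message claims a brand but uses unrelated domains."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.rpartition("@")[2])
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    body = msg.get_payload()  # sample is single-part; walk() the parts for MIME mail
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if not re.search(rf"\b{brand}\b", claimed):
            continue  # message does not claim this brand
        if sender not in allowed:
            findings.append(("sender", brand, sender))
        for host in HREF_RE.findall(body):
            if base_domain(host) not in allowed:
                findings.append(("link", brand, base_domain(host)))
    return findings


# Constructed sample modelled on the lure described above; only the sender
# domain comes from the article, everything else is a placeholder.
SAMPLE = """\
From: DHL Express <notify@cupelva.com>
To: user@example.org
Subject: Confirm your waybill
Content-Type: text/html

<a href="https://landing.example/confirm">Confirm Waybill Information</a>
"""
LEGIT = SAMPLE.replace("cupelva.com", "dhl.com").replace("landing.example", "www.dhl.com")

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE), ("legit", LEGIT)):
        print(label, brand_mismatches(raw))
```

A check like this only compares the visible From header and link hosts; it complements, rather than replaces, the authentication results your mail system already records.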
Manipulating the perception
When that happens, the victims are redirected to a malicious landing page where they are first asked to type in the parcel code provided on the screen. Obviously, the entire thing is fake, and built only to get the victim to lower their guard and trust the process.
“This page is designed to look like a shipment validation step. It is not a real OTP mechanism,” Forcepoint said. “This step serves no authentication function. It exists to manipulate the victim's perception of the workflow.”
After typing in the numbers shown on the screen, the page waits for a few seconds, to get the victim to think that something is really being analyzed in the backend. After that, the victim is redirected to a second page, where they’re asked to provide their login credentials.
This is where the theft happens, and if the victims do end up providing the password, it will be relayed, via email: