DHL is the most impersonated brand in phishing campaigns worldwide, according to multiple years of research from Check Point and other cybersecurity firms. With operations in over 220 countries and territories and hundreds of millions of packages delivered annually, DHL represents a near-universal pretext for phishing – nearly everyone has received or is expecting a package at any given time. Attackers do not even need to know whether you are a DHL customer; the probability that someone in a random email list is expecting a delivery is high enough to make untargeted DHL phishing campaigns consistently profitable. This article is part of our comprehensive Phishing & Social Engineering guide and examines the specific phishing patterns impersonating DHL in 2026.
The effectiveness of shipping phishing is rooted in urgency and expectation. When you are waiting for a package, an email about a delivery issue triggers immediate action. The fear of a missed delivery, a returned package, or an unexpected customs fee overrides the skepticism you might apply to other unsolicited emails. During peak shopping seasons – Black Friday, holiday season, post-holiday returns – DHL phishing volumes surge because millions of people are actively tracking shipments.
Below are the five most common DHL phishing patterns currently in circulation, along with verification steps, password manager protections, and reporting procedures.
Pattern 1: The Package Delivery Notification
This is the most prevalent DHL phishing email. It exploits the anticipation of receiving a package by claiming one is on its way or ready for delivery.
Typical subject lines:
- “DHL: Your Package Is Ready for Delivery”
- “DHL Shipment Notification: Tracking Number [Fake Number]”
- “Your DHL Express Package Will Be Delivered Today”
- “DHL: Delivery Attempt for Your Parcel – Action Required”
What it looks like: The email uses DHL’s signature yellow and red color scheme, the DHL logo, and a layout that closely mimics genuine DHL delivery notifications. It includes a fabricated tracking number and claims that a package is scheduled for delivery. The email provides a “Track Your Shipment” or “Schedule Delivery” button. Some versions include a fake tracking summary with origin, destination, and estimated delivery time to add credibility.
The tell: The sender address is not @dhl.com. Common fakes include delivery@dhl-express.net, tracking@dhl-notification.com, noreply@dhl-delivery.org, or shipment@dhlpackage.net. The tracking number does not verify at dhl.com/tracking. The “Track Shipment” button leads to a fake login page or a malware download disguised as a tracking application. Some variants include an attachment (PDF, ZIP, or executable) labeled as a “shipping label” or “delivery receipt” that contains malware.
The reality: Genuine DHL delivery notifications come from @dhl.com and include valid tracking numbers that can be verified at dhl.com/tracking or through the DHL mobile app. If you are expecting a DHL delivery, track it directly at dhl.com by entering the tracking number provided by the actual sender or retailer – not by clicking links in unsolicited emails.
Pattern 2: The Customs Fee Required
This pattern is particularly effective for international shipments, where customs duties and import fees are a genuine part of the process that many recipients do not fully understand.
Typical subject lines:
- “DHL: Customs Payment Required for Your Shipment”
- “Your DHL Package Is Held at Customs – Pay Fee to Release”
- “DHL Import Duty Notice: $34.50 Payment Required”
- “Action Required: DHL Customs Clearance Fee Pending”
What it looks like: The email claims that your package is being held at customs and cannot be delivered until you pay an import duty, customs clearance fee, or processing charge. The amount is typically modest (between $1.50 and $50) to seem believable and low-risk enough that people pay without much scrutiny. A “Pay Customs Fee” or “Complete Clearance” button links to a payment page that requests your credit card information.
The tell: DHL does handle customs clearance and may notify you about duties, but payment is processed through official DHL channels – the DHL app, dhl.com, at delivery, or through an invoice sent to the recipient’s verified address. DHL never sends emails with links to third-party payment pages. The phishing payment page is at a domain like dhl-customs.com, dhl-payment.net, or dhl.com-clearance.xyz – none of which are DHL properties. The modest fee amount is deliberately chosen because people are less likely to investigate a $4.99 charge than a $500 one.
The reality: If customs duties are owed on a DHL shipment, the amount is calculated based on the declared value and the destination country’s import regulations. DHL will either collect the duty at delivery, bill it to your DHL account, or contact you through verified channels. You can check the status of any shipment and any outstanding fees at dhl.com using your tracking number.
Pattern 3: The Shipment Tracking Update
This pattern impersonates DHL’s tracking update emails, which are sent at various stages of a shipment’s journey.
Typical subject lines:
- “DHL: Your Shipment Status Has Been Updated”
- “Tracking Update: Your DHL Package Is Delayed”
- “DHL: New Information About Your Delivery”
- “Your DHL Shipment Has Been Rerouted – Review Details”
What it looks like: The email mimics a standard DHL tracking update, reporting a change in shipment status – a delay, a reroute, a customs hold, or a delivery schedule change. The email includes a fabricated tracking number and a “View Updated Tracking” button. The presentation is subdued and professional, designed to blend in with the routine tracking updates that anyone expecting a package would expect to receive.
The tell: The sender address is not @dhl.com. The links in the email point to a domain other than dhl.com. The tracking number, when checked at the real dhl.com/tracking, either does not exist or corresponds to a different shipment. Some versions of this phishing email include a “tracking document” attachment – a ZIP file or PDF that contains malware. Genuine DHL tracking updates come from @dhl.com and direct you to dhl.com to view the latest status.
The reality: If you want to check the status of a DHL shipment, navigate directly to dhl.com/tracking and enter your tracking number. The tracking number is provided by the sender or the retailer you purchased from, not by an unsolicited email. Every legitimate status update is available on the DHL website and app in real time.
Pattern 4: The Delivery Address Confirmation
This pattern creates a plausible reason for you to click by claiming your delivery address needs to be confirmed or updated before a package can be delivered.
Typical subject lines:
- “DHL: Confirm Your Delivery Address”
- “Unable to Deliver: Address Verification Required”
- “DHL: Update Your Address to Receive Your Package”
- “Your DHL Delivery Is On Hold – Confirm Address Details”
What it looks like: The email states that DHL was unable to deliver your package because the address on file is incomplete, incorrect, or cannot be verified. It asks you to click a link to “confirm” or “update” your delivery address. The phishing page mimics DHL’s interface and requests your full name, home address, phone number, and email address. More aggressive versions also request a credit card number for a “redelivery fee.”
The tell: The sender address is not @dhl.com, and the link does not go to dhl.com. DHL drivers do leave genuine “sorry we missed you” notices, but these are physical cards left at your door – not emails asking you to enter personal information on a third-party website. If DHL genuinely cannot deliver a package due to an address issue, they will attempt redelivery, hold the package at a service point, or contact the sender. They do not email recipients with links to address confirmation forms.
The reality: If you need to redirect a DHL package or update delivery instructions, do so through the DHL app or at dhl.com using your tracking number. DHL’s On Demand Delivery service lets you choose alternative delivery locations and times, but it is always managed through official DHL channels.
Pattern 5: The Missed Delivery Notice
This pattern mimics the notification you receive when a delivery attempt was made and the driver could not hand over the package.
Typical subject lines:
- “DHL: We Attempted to Deliver Your Package Today”
- “Missed Delivery: Schedule a Redelivery for Your DHL Parcel”
- “DHL: Your Package Could Not Be Delivered – Action Required”
- “Delivery Failed: Your DHL Package Is Being Held at the Depot”
What it looks like: The email states that a DHL driver attempted delivery but you were not available. It claims the package is being held at a local depot or service point and will be returned to the sender if you do not arrange redelivery within a specified period (typically 3 to 7 days). A “Schedule Redelivery” or “Find Nearest Pickup Point” button links to the phishing page.
The tell: The sender address is not @dhl.com, and links point to domains like dhl-redelivery.com, dhl-pickup.net, or dhl.com-schedule.xyz. The phishing page asks for your login credentials, personal information, or a “redelivery fee” via credit card. DHL does leave physical delivery attempt notices with instructions, but any legitimate redelivery scheduling is done through dhl.com or the DHL app using your tracking number. Some versions of this scam include an attached “delivery receipt” or “pickup form” that is actually malware.
The reality: If a DHL delivery was genuinely attempted, you will find a physical notice at your door with instructions. You can schedule redelivery or find your nearest pickup point at dhl.com/redelivery using your tracking number. The DHL app also allows you to manage deliveries and select alternative delivery options.
How to Verify a DHL Email Is Legitimate
Before acting on any communication claiming to be from DHL, follow these steps:
- Check the sender address: Legitimate DHL emails come from @dhl.com only. Not @dhl-express.net, not @dhl-delivery.com, not @dhl-tracking.org – only @dhl.com.
- Verify the tracking number: Copy the tracking number from the email and paste it into the search field at dhl.com/tracking. If the number does not exist or shows a completely different shipment, the email is fake.
- Inspect the links without clicking: Hover over any buttons or links to see the actual URL. It should point to dhl.com. Any other domain is a phishing attempt.
- Cross-reference with the sender or retailer: If you ordered something online, check the tracking information provided by the retailer’s order confirmation. That is the legitimate tracking number, and it should match what appears at dhl.com.
- Be skeptical of fees: If an email asks you to pay a customs fee or redelivery charge through a link, verify by checking dhl.com or contacting DHL customer service directly. DHL’s legitimate customs fee notifications include your shipment details and direct you to official payment channels.
For a broader approach to evaluating suspicious messages, see our guide on how to verify suspicious messages.
Why a Password Manager Is Your Strongest Defense
DHL phishing is uniquely dangerous because it does not require the attacker to know anything about you. Unlike bank or social media phishing, which works best when the attacker targets customers of that specific service, shipping phishing works on almost anyone – most people are expecting a delivery at any given time. A password manager provides an automated defense layer that protects you even when a phishing email arrives at exactly the moment you are waiting for a package.
Domain Matching Stops Credential Theft
When you use a password manager to log into your DHL account, it stores your credentials tied to the exact domain dhl.com. If a phishing email sends you to dhl-delivery.net, dhl-tracking.com, or dhl.com-shipment.xyz, the password manager will not offer to autofill. That silence is your signal that the site is not genuine.
PanicVault performs this domain matching through Apple’s system-wide AutoFill on iPhone, iPad, and Mac. When you tap a login field on a page claiming to be DHL and PanicVault does not offer your credentials, you know immediately that the site is fake. Learn more about this mechanism in our article on how a password manager prevents phishing.
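The exact-domain comparison behind the sender and link checks in the verification steps, and behind a password manager's refusal to autofill, shown as an added Python example (not code from DHL, PanicVault, or this article). The function names and the sample message are constructed, and accepting subdomains such as www.dhl.com for links is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL = "dhl.com"  # the only domain the article treats as genuine

def sender_is_official(from_header: str) -> bool:
    """Sender check: the address must end in exactly @dhl.com."""
    address = parseaddr(from_header)[1].lower()
    return address.rpartition("@")[2] == OFFICIAL

def link_is_official(url: str) -> bool:
    """Link check: host is dhl.com or a subdomain of it (assumption: www.dhl.com counts)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Compare whole labels from the right; a prefix or substring test would
    # accept dhl.com-clearance.xyz, whose registered domain is com-clearance.xyz.
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def check_email(raw: str) -> list[str]:
    """Return one finding per failed check; an empty list means both passed."""
    msg = message_from_string(raw)
    findings = []
    if not sender_is_official(msg.get("From", "")):
        findings.append("sender: " + parseaddr(msg.get("From", ""))[1])
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", text):
            if not link_is_official(url):
                findings.append("link: " + (urlsplit(url).hostname or url))
    return findings

# Constructed sample built from the sender and link domains the article lists.
PHISH = """\
From: DHL Express <delivery@dhl-express.net>
Subject: DHL: Customs Payment Required for Your Shipment

Your package is held at customs.
Pay Customs Fee: https://dhl.com-clearance.xyz/pay
Track Your Shipment: https://www.dhl.com/tracking
"""

if __name__ == "__main__":
    for finding in check_email(PHISH):
        print(finding)
```

The From header is whatever the message claims, so an empty result means only that these two checks passed.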
Unique Passwords Prevent Cross-Platform Attacks
DHL phishing pages often harvest credentials that victims reuse across multiple services. If your DHL account password is the same as your email, shopping, or banking password, a single successful phishing attack compromises all of those accounts. A password manager generates unique passwords for every account, ensuring a DHL phishing page cannot unlock anything beyond DHL itself.
Navigate From Your Vault, Not From Email Links
When you receive an email about a DHL delivery, do not click the tracking link. Open PanicVault and tap your DHL entry to navigate to the real dhl.com. Enter your tracking number there. This habit eliminates the risk of landing on a phishing page entirely – and it takes just as long as clicking the link in the email would.
How to Report DHL Phishing
If you receive a phishing email or message impersonating DHL:
- Do not click any links, open any attachments, or reply to the email.
- Forward the email to phishing-dpdhl@dhl.com, then delete it from your inbox.
- Report fake DHL websites: Visit dhl.com/fraud-awareness to learn about current scams and report phishing sites.
- If you entered your credentials on a fake site: Change your DHL account password immediately at dhl.com. If you used the same password elsewhere, change those passwords too.
- If you entered credit card information: Contact your bank or card issuer immediately to report the compromise and request a new card.
- If you downloaded an attachment: Run a full antivirus scan on your device. If the attachment was an executable or you noticed unusual behavior, consider having a professional examine the device.
- Report to additional agencies: File a report with the FTC at ReportFraud.ftc.gov (for US recipients) and with the Anti-Phishing Working Group at reportphishing@apwg.org. See our full guide on how to report a phishing attempt.
Staying Ahead of DHL Phishing in 2026
DHL’s position as the most impersonated brand globally means that phishing campaigns impersonating the company will continue at massive scale. AI-powered phishing makes these emails more convincing, with perfect grammar, localized language, and branding indistinguishable from the real thing. The rise of smishing – SMS-based phishing – has added a new channel, with fake DHL delivery texts becoming nearly as common as email-based scams.
Build a layered defense:
- Always verify tracking numbers at dhl.com directly rather than clicking links in emails.
- Use a password manager that checks domains automatically and refuses to autofill on fake sites.
- Be skeptical of customs fee requests that arrive by email – verify through official DHL channels.
- Never download attachments from unexpected DHL emails – legitimate tracking information is available online.
- Keep your tracking numbers organized – when you know what you are expecting and from whom, unexpected delivery notifications are easier to identify as fake.
- Report every phishing attempt to phishing-dpdhl@dhl.com to help DHL take down fraudulent sites.
DHL phishing succeeds because it exploits a universal experience: waiting for a package. When you verify every delivery notification through dhl.com directly and let your password manager handle domain checking, the attackers lose their advantage.
