26.08.2025 - Over the past week, the NCSC has seen a significant rise in reports of phishing text messages with fake parcel notifications. In this scam, attackers pose as Swiss Post or DPD in an attempt to steal sensitive information from people. Apple users are targeted particularly often. This week's review explains how to recognise these messages and protect yourself.
The NCSC is currently receiving numerous reports of phishing texts claiming to be from Swiss Post or DPD. This latest wave of attacks exploits modern messaging protocols such as Apple's iMessage and Android's Rich Communication Services (RCS) in order to carry out targeted attacks. Unlike conventional text messages, these services offer end-to-end encryption as a security feature designed to protect users' privacy. However, scammers are exploiting this since the encryption prevents mobile providers from scanning messages for malicious links and blocking them. As a result, attackers can bypass an important line of defence, greatly increasing the chances that their messages will reach potential victims' devices.
Official-looking iMessage and group messages
One particularly devious aspect of this type of scam is the way the messages are made to look. Scammers make use of an RCS feature that lets you give group chats a name. This makes it look as if the recipient has been added to an official group, for example 'Post delivery info'. Compared with a simple text from an unknown foreign number, this looks far more legitimate and lowers recipients' guard.
Additionally, attackers use a trick to bypass the security features built into smartphones. Operating systems now deactivate links in messages from unknown senders in order to prevent users from inadvertently ending up on phishing sites. To get around this security feature, the scammers tell their victims to reply to the message with 'Y'. The operating system interprets this as a sign of trust. It then activates the previously deactivated malicious link, making it clickable. By following the scammers' instructions, the victim has unwittingly weakened the security of his or her own device.
The entire scam is designed around psychological manipulation. By imitating well-known brands such as Swiss Post, the attackers exploit the authority bias (you can read more about this in Weekly Review 31/2025). At the same time, phrases such as 'delivery could not be completed' and short deadlines for redelivery create intense time pressure. This urgency is intended to impede rational thinking and make victims react impulsively. Anyone who clicks on the link is taken to a professional-looking fake copy of the official parcel service website, where they are asked to provide credit card details and other personal information under the pretext of a small redelivery fee.
Recommendations
- Exercise extreme caution when you receive unexpected notifications about parcels via text message, iMessage or Rich Communication Services (RCS), even if you actually are expecting a delivery.
- Do not open links or attachments in suspicious messages.
- Do not reply to the message, not even to say 'STOP'. This lets the scammers know that your number is active.
- Delete the message and block the sender's number.
- Always visit the official website of the parcel service by entering the address manually into your browser to check your tracking number. Never use the links or contact details provided in the text message.
- Install updates for your smartphone's operating system and apps as quickly as possible and as regularly as necessary.
- Have your mobile provider activate a third-party block to protect yourself from subscription traps.
- If you have disclosed any data, report the incident to the police. You can find your nearest police station on the Suisse ePolice website (available in German, French and Italian).
Current statistics
Last week's reports by category:
Last modification 26.08.2025
