Week 18: Parcel phishing with a devious twist – The "double phishing" scam

05.05.2026 - Over the past week, the National Cyber Security Centre (NCSC) has received a spike in reports about fraudulent messages purporting to be from well-known parcel delivery companies such as Swiss Post, DHL and DPD. A particularly devious development is now emerging: "double phishing", where scammers follow up the initial data theft with a phone call.

The scam usually starts with a text message or email. The message claims that a parcel is being held due to outstanding fees (e.g. customs or postage charges) or because the delivery address needs to be verified. Delivery can only go ahead, the message says, once a small amount – usually just a few francs – has been paid or the details have been updated.

Clicking the link in the message redirects you to a fake website that closely resembles the official site of a legitimate provider. There, you are asked to enter your credit card details to pay the supposed fee. At this point, the scammers have already achieved the first part of their goal – they now have your card details.

Most credit card payments today are protected by additional security measures, such as 3-D Secure, text message codes or in-app confirmations. This means that simply having the card details is usually not enough for scammers to make large transactions. This is where double phishing comes in.

Shortly after entering their details, the victim receives a phone call. The caller claims to be from the bank's or credit card provider's security or fraud department and is a convincing speaker. Using spoofing techniques, the call may even appear to come from the bank's real phone number.

The supposed bank employee then informs the victim that a suspicious transaction has just been detected on their card. In order to stop or cancel it, the victim is asked to urgently read out a security code that will arrive by text message, or to approve the transaction in their banking app.

In reality, the scammers are triggering a payment using the stolen card details in the background at that exact moment. If the victim shares the code or approves the payment, the transaction is authorised, not stopped.

• Never click on links in messages.
• If you provided your credit card details, contact your credit card company immediately to have the card blocked.
• If you provided your password, change it immediately wherever you use the same password. Use a different, strong password for each online service.
• In the case of an email password, you should also reset all passwords for online services where you registered using that email account.
• If you have suffered a financial loss, we recommend that you report it to the police. You can find your nearest police station on the Suisse ePolice website (available in German, French and Italian).
• Ignore parcel notifications that pressure you into paying a fee.
• If you are not sure and you are expecting a parcel, call the support line of the parcel delivery company and ask them directly (do not click on the link).
• You should always enable two-factor authentication (2FA) for services that offer it. This will increase the security of your data considerably.
• No bank or credit card company will ever send you an email asking you to change your password or verify your credit card details.
• Never divulge personal data such as passwords or credit card details on a website that you accessed by clicking on a link in an email or text message.
• Remember that it is easy to fake email and text message senders.
• Be sceptical of emails or text messages that threaten you with consequences (e.g. loss of money, criminal charges, account/card blocking).

Current statistics

Last week's reports by category:

Current figures