Delivery Services Phishing
Dave Piscitello and Colin Strutt
Postal and delivery services are among the most exploited verticals in phishing scams. Phishers send delivery failure notifications in fake emails or text messages claiming that an attempt to deliver a package failed. The message includes a link to a fake web page where the email or text recipient attempts to print a new delivery label but instead submits their personal and credit card information.
The United States Postal Service (USPS) was the most exploited delivery service in our 2024 Phishing Landscape Study and second only to Meta in brands used in phishing attacks. In the data for our forthcoming 2025 study , USPS moved to the top spot.
Phishing Attacks (May 2024 – April 2025)
#1 USPS (67.7K)
#2 DHL (10.7K)
#3 Canada Post (7.3K)
#4 UPS (1K)
Canada is happy to not be the 51st US State but no doubt concerned to find its postal service #3 in the Hearts of Phishers. Canada Post (Poste Canada) was exploited during a wave of phishing attacks amid a postal worker strike before the 2024 holiday season and our data show that phishing attacks persisted through the first two quarters of 2025.
The official domain name for Canada Post is canadapost-postescanada.ca. In the twelve months ending April 2025, we identified over 7,000 phishing attacks that include strings designed to fool users into believing that notifications were sent by the real Canada Post. Among the domain names that phishers are registering, many contain one or more of these strings:
CanadaPost
CanadaPoste
PostCanada
PostesCanada
PosteCanada
Examples of deceptive domain names includepostcanada-ca.top, canadapostescanada.top, canadapostpackage.top, canadapostparcel.ca,and canadapostpayment.online.1
Of these visually deceptive names, 56% were in registered in .TOP, whose restrictive registration data directory service interferes with our ability to identify the domain registrar that phishers exploited to register names for these phishing attacks. However, of the 2,836 domains for which we could determine a registrar, 40% were registered via NameSilo.
.TOP has been a top threat for some time. In July 2024, in a Krebs On Security article, Brian Krebs reported that ICANN had issued a notice of breach registry agreement to .TOP’s operator, Jiangsu Bangning Science & Technology Co. Ltd. He noted that “high volumes of phishing sites are being registered through Jiangsu Bangning Science & Technology Co Ltd. is hardly a new trend.”
Fast forward to June 2025. ICANN reported that .TOP registry cured the notice of breach. We looked at our data from May 2024 to June 2025 and did see a reduction in phishing domains reported in .TOP from February to April 2025. But when we looked at phishing, malware and spam domains reported in April and May 2025, we observed increases. We shared these observations in a June 9, 2025 Insights post, where we also reported that “.TOP is responsible for a large proportion of cybercriminal activity reported across all gTLDs over the past year”.
We’re certain that postal and delivery services are just as eager to see .TOP fulfill its promise to play nice on DNS abuse.
While we wait, we recommend that you treat any toll system or delivery notification you receive as suspicious and be particularly wary of domain names registered in .TOP.
This count only includes visually deceptive names. We know from conversations with our feed providers that this is a fraction of the domains used in these attacks. We’ll the challenge of associating a domain name to a single phishing attack in a future Insight.