Debunking hoaxes and exposing scams since 2003!

Jump To: Example    Detailed Analysis   References

Royal Mail Lost or Missing Package Malware Email

Jump To: Example    Detailed Analysis   References


Email purporting to be from UK Customs and Border Protection claims that a Royal Mail package sent to the recipient has been "detained" and that the recipient must submit documents contained in an attached file to have the package released.

Royal Mail lost packages
© robeo123

Brief Analysis

The message is not from UK Customs and Border Protection or the Royal Mail. And the attachment does not contain information about a missing package. Instead, the attachment contains malware that can infect the user's computer.



Bookmark and Share

related Links

Related Links

Identity theft is one of the fastest growing crimes in the world. Learn how to stay safe online with Hoax-Slayer's comprehensive eBook:


Subject: Attention: Lost or Missing Package

Mail – Lost / Missing package – UK Customs and Border Protection
Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.

Please fulfil the documents attached.

Royal Mail lost package

Detailed Analysis

This email, which purports to be from UK Customs and Border Protection, informs recipients that a package sent by the Royal Mail has been "detained" for one of several possible reasons. Recipients are urged to open an attached file and "fulfil" the documents it contains to have the lost package released.

However, the email is not from UK Customs and Border Protection or the Royal Mail and the claim that a package has been detained is untrue.  And the attached file contains something significantly more sinister than information about a missing package.

The attached ZIP contains a .exe file that has a name designed to make people think it is an innocuous .pdf.  Clicking the .exe file will install the malware on the user's computer.

Once installed, the malware can modify the Windows registry, change firewall policies, configure itself to run when the computer boots, and harvest information from the infected computer.

Some versions of the malware email may have slightly different wording and carry different variants of the trojan. A similar malware campaign in 2012 also used bogus emails claiming to be from the Royal Mail. And, in similar malware attacks over several years, online criminals have used the names of several other high-profile delivery services, including UPS, FedEx, DHL, and Australia Post.

If you receive one of these bogus lost package emails, do not open any attachments that it contains. And, do not click any links in the email either, because some versions may try to trick people into downloading the malware from a compromised website.

Last updated: December 6, 2013
First published: December 6, 2013
By Brett M. Christensen
About Hoax-Slayer

Newer version of fake email from Royal Mail regarding detained package
Fake email from Royal Mail regarding detained package contains trojan
Royal Mail "Group Shipment Advisory" Malware Emails
Not Able to Deliver UPS Package Malware Email
FedEx Incorrect Delivery Address Malware Email
DHL Notification Malware Email
Australia Post Undelivered Package Malware Emails

More stories!

'Internet Capacity Warning' Phishing Scam
According to this email, which claims to be from the 'Support Department' at 'Information Technology Services', your internet capacity is 70% full and you therefore need to contact support to avoid problems.
Published: July 6, 2015

Kroger 'Free Coupons' Survey Scam
Message being distributed across Facebook claims that users can receive free coupons from American retailer Kroger just by sharing a message and visiting a third party website to claim their prize.
Published: June 16, 2015

Pointless Facebook Warning - Hackers Posting Insulting Messages or Sexual Content In Your Name
'Hacker' alert messages circulating on Facebook claim that, without your knowledge, hackers are posting insulting or sexual messages that appear to come from you onto your Facebook Timeline.
Published: June 3, 2015