Fake Parcel Delivery SMS Scams in Malaysia
Malaysian mobile users receive fraudulent delivery notifications impersonating Pos Malaysia, DHL Malaysia, and J&T Express, directing them to phishing sites that harvest banking credentials or install malicious APKs under the guise of parcel tracking.
Part of: Fake Delivery Texts
Last reviewed: 1 June 2026
Malaysia's rapidly growing e-commerce sector generates high volumes of genuine parcel delivery SMS that scammers mimic closely. Fraudulent SMS messages impersonating Pos Malaysia, J&T, and DHL Malaysia direct recipients to phishing pages or prompt the installation of malicious Android APK files that intercept SMS banking OTPs.
The Royal Malaysia Police (PDRM) and the Malaysian Communications and Multimedia Commission (MCMC) regularly issue warnings about smishing campaigns that coincide with major e-commerce events like 11.11 and 12.12 sales.
How this scam works on Malaysia
A recipient receives an SMS claiming their parcel cannot be delivered due to an incorrect address component or outstanding import duty. A link leads to a site mimicking Pos Malaysia's portal, asking for a small fee — typically RM5 to RM10 — to release the parcel. Entering card details hands them to the fraudster.
A more dangerous variant prompts installation of a delivery tracking APK — an Android app distributed outside the official Play Store. Once installed, the APK harvests SMS messages (including OTPs), contacts, and can remotely access banking apps.
Banking trojan variants specifically target Maybank, CIMB, and Public Bank customers, using the delivery SMS as the entry point before redirecting the victim to a clone banking login portal.
Common red flags
- SMS containing a delivery link from Pos Malaysia, DHL, or J&T that leads to a non-official domain
- Prompt to download an APK from a link in an SMS rather than from the official Google Play Store
- Request to pay a small customs or redelivery fee via a link in a delivery SMS
- Delivery notification for a parcel you do not recall ordering
- Login portal that asks for TAC (Transaction Authorisation Code) in addition to normal credentials
How to protect yourself
- Track parcels only through the carrier's official app or by entering the tracking number at the official website
- Never install APK files from links in SMS messages — install apps only from Google Play
- Never enter card or banking details on a site reached via an SMS link
- Enable Google Play Protect on your Android device to scan for malicious apps
- Contact your bank immediately if you entered credentials on a site reached via SMS
How to report it
- Report suspicious SMS to MCMC at aduan.mcmc.gov.my
- File a cybercrime report with PDRM at mycert.org.my or pdrm.gov.my
- Report to your bank's fraud team and the relevant carrier if their brand was impersonated
Frequently asked questions
How can I identify a genuine Pos Malaysia SMS from a fake one?
Genuine Pos Malaysia delivery notifications come from official short codes and never contain links requiring payment. Verify your tracking number directly at pos.com.my by typing the URL manually. If an SMS asks for payment or app installation, report it to MCMC — do not click the link.