Fake Parcel Delivery SMS Scams in Malaysia
Malaysian mobile users receive fraudulent delivery notifications impersonating Pos Malaysia, DHL Malaysia, and J&T Express, directing them to phishing sites that harvest banking credentials or install malicious APKs under the guise of parcel tracking.
Part of: Fake Delivery Texts
Last reviewed: 1 June 2026
Malaysia's rapidly growing e-commerce sector generates high volumes of genuine parcel delivery SMS that scammers mimic closely. Fraudulent SMS messages impersonating Pos Malaysia, J&T, and DHL Malaysia direct recipients to phishing pages or prompt the installation of malicious Android APK files that intercept SMS banking OTPs.
The Royal Malaysia Police (PDRM) and the Malaysian Communications and Multimedia Commission (MCMC) regularly issue warnings about smishing campaigns that coincide with major e-commerce events like 11.11 and 12.12 sales.
How this scam works on Malaysia
A recipient receives an SMS claiming their parcel cannot be delivered due to an incorrect address component or outstanding import duty. A link leads to a site mimicking Pos Malaysia's portal, asking for a small fee — typically RM5 to RM10 — to release the parcel. Entering card details hands them to the fraudster.
A more dangerous variant prompts installation of a delivery tracking APK — an Android app distributed outside the official Play Store. Once installed, the APK harvests SMS messages (including OTPs), contacts, and can remotely access banking apps.
Banking trojan variants specifically target Maybank, CIMB, and Public Bank customers, using the delivery SMS as the entry point before redirecting the victim to a clone banking login portal.
Common red flags
- SMS containing a delivery link from Pos Malaysia, DHL, or J&T that leads to a non-official domain
- Prompt to download an APK from a link in an SMS rather than from the official Google Play Store
- Request to pay a small customs or redelivery fee via a link in a delivery SMS
- Delivery notification for a parcel you do not recall ordering
- Login portal that asks for TAC (Transaction Authorisation Code) in addition to normal credentials
How to protect yourself
- Track parcels only through the carrier's official app or by entering the tracking number at the official website
- Never install APK files from links in SMS messages — install apps only from Google Play
- Never enter card or banking details on a site reached via an SMS link
- Enable Google Play Protect on your Android device to scan for malicious apps
- Contact your bank immediately if you entered credentials on a site reached via SMS
How to report it
- Report suspicious SMS to MCMC at aduan.mcmc.gov.my
- File a cybercrime report with PDRM at mycert.org.my or pdrm.gov.my
- Report to your bank's fraud team and the relevant carrier if their brand was impersonated
Frequently asked questions
How can I tell a real Pos Malaysia/DHL/J&T text from a phishing message?
Genuine courier notifications generally don't ask you to download an app (APK file) to 'reschedule' delivery, and legitimate redelivery fees, if any, are handled through the courier's official app or website. Check the link's URL carefully for subtle misspellings of the real courier's domain. If you're unsure, go directly to the courier's official tracking page and enter your tracking number manually instead of clicking the message link.
I downloaded an APK from a fake delivery text — what should I do?
Disconnect your phone from the internet and uninstall the app immediately, since malicious APKs can grant scammers remote access to your device and steal banking app credentials. Contact your bank right away to monitor or freeze your accounts, as these APKs are often designed specifically to intercept banking OTPs. Consider having your device professionally checked or factory reset if you're unsure the malware has been fully removed.
Where do I report SMS delivery scams in Malaysia?
Report the message to the National Scam Response Centre (NSRC) or the Malaysian Communications and Multimedia Commission, both of which track SMS phishing campaigns. If a payment or banking detail was compromised, also contact your bank's fraud line immediately. Reporting quickly helps limit the spread even if it doesn't guarantee recovery of any losses.
How can I identify a genuine Pos Malaysia SMS from a fake one?
Genuine Pos Malaysia delivery notifications come from official short codes and never contain links requiring payment. Verify your tracking number directly at pos.com.my by typing the URL manually. If an SMS asks for payment or app installation, report it to MCMC — do not click the link.