SIM-Hijacking Scam Using FedEx Phishing as a Data Entry Point
A FedEx-branded phishing campaign collects mobile phone numbers and personal data that fraudsters then use to perform a SIM hijack, taking over the victim's number to bypass two-factor authentication on banking accounts.
Part of: SIM Hijacking and Mobile Account Takeover Scam
Last reviewed: 8 June 2026
SIM hijacking — forcing a mobile carrier to transfer a victim's phone number to a new SIM — is among the most damaging forms of account takeover because it silently bypasses SMS-based two-factor authentication. The attack requires personal data about the victim, and FedEx-branded phishing pages provide an effective data-harvesting front end.
A convincing fake FedEx delivery notice asks the recipient to confirm their mobile number, full name, date of birth, and address to schedule a redelivery. These are exactly the fields a mobile carrier agent asks for when processing a SIM replacement. With this information, an attacker can call a carrier's support line, impersonate the account holder, and have the number transferred to a SIM they control.
FedEx does not require a date of birth or NI-number-equivalent data to rebook a delivery. Any page that asks for identity-level information under a courier pretext is harvesting data for a secondary attack.
How this scam works on the FedEx brand
The attack begins with a convincing FedEx SMS or email. A redelivery booking page asks for a name, address, phone number, and date of birth, explaining that identity confirmation is required for a high-value package. A nominal delivery fee is also requested, capturing card details alongside the identity data.
Within days, the attacker contacts the victim's mobile carrier. Using the harvested details, they pass the carrier's verification questions and request a new SIM, claiming the original was damaged. Once the swap is complete, the victim's phone loses signal and the attacker receives all SMS messages, including two-factor codes for banking, email, and investment apps.
The fraudster typically acts quickly after the SIM is live — logging into accounts, resetting passwords, and moving funds before the victim realises what has happened.
Common red flags
- FedEx redelivery page asks for date of birth or identity documents — FedEx never needs these to rebook a delivery
- Your phone loses mobile signal unexpectedly after interacting with a FedEx link
- Banking or email apps send login-attempt or password-reset notifications you did not initiate
- Phishing page requests your mobile carrier name alongside personal details
- SMS messages stop arriving on your phone while the device is otherwise connected to Wi-Fi
- Your mobile carrier sends an account-change confirmation you did not request
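The form-level red flags above (date of birth, identity numbers, or carrier name requested on a page that is not fedex.com) can be checked mechanically when triaging a reported lure. This Python sketch is an added example, not part of the original article or any FedEx tooling; the field-name patterns, the `assess` function, and the sample markup and URL are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed heuristics: identity data a courier never needs, plus card data.
SIGNALS = {
    "date_of_birth": r"\b(dob|bday|birth ?date|birthday|date ?of ?birth)\b",
    "national_id": r"\b(ssn|sin|nino|ni number|national insurance|social security)\b",
    "mobile_carrier": r"\b(carrier|network provider|mobile operator)\b",
    "payment_card": r"\b(card ?number|cc number|cvv|cvc)\b",
}
IDENTITY = {"date_of_birth", "national_id", "mobile_carrier"}
ATTRS = ("name", "id", "placeholder", "autocomplete", "aria-label")

class FormFields(HTMLParser):
    """Collects label text and the descriptive attributes of each form control."""
    def __init__(self):
        super().__init__()
        self.descriptors, self.in_label = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "label":
            self.in_label = True
        elif tag in ("input", "select", "textarea"):
            found = dict(attrs)
            self.descriptors += [found[k] for k in ATTRS if found.get(k)]

    def handle_endtag(self, tag):
        self.in_label = self.in_label and tag != "label"

    def handle_data(self, data):
        if self.in_label and data.strip():
            self.descriptors.append(data)

def assess(url, html):
    """Report which signal groups the page's form requests and whether the host is fedex.com."""
    host = (urlsplit(url).hostname or "").lower()
    parser = FormFields()
    parser.feed(html)
    # Normalise separators so "date_of_birth" and "Date of birth" match the same pattern.
    text = " | ".join(re.sub(r"[^a-z0-9]+", " ", d.lower()).strip() for d in parser.descriptors)
    hits = {name for name, pattern in SIGNALS.items() if re.search(pattern, text)}
    return {"official_host": host == "fedex.com" or host.endswith(".fedex.com"),
            "signals": sorted(hits), "identity_harvest": bool(hits & IDENTITY)}

# Constructed sample: a lure form with the fields the article describes.
LURE_HTML = """<form><label>Full name</label><input name="full_name">
<label>Date of birth</label><input name="dob" autocomplete="bday">
<select name="carrier"></select><input name="cc_number"><input name="cvv"></form>"""

if __name__ == "__main__":
    print(assess("https://fedex-redelivery.example/", LURE_HTML))
```

A form with `identity_harvest` set is worth escalating regardless of host, since the article notes the real process never asks for these fields; `official_host` catches lookalike domains that merely contain "fedex.com".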
How to protect yourself
- Book FedEx redeliveries only through fedex.com — the real process never asks for a date of birth
- Set a SIM-lock PIN or port-freeze with your mobile carrier that must be verified before any number transfer
- Replace SMS two-factor authentication with an authenticator app on all banking and email accounts
- If you lose phone signal suddenly, call your carrier from another device immediately to check for SIM activity
- Place a credit freeze if you believe your full identity details were harvested
- Report both the phishing incident and any confirmed SIM-swap separately to the relevant authorities
How to report it
- Forward the phishing email to [email protected]
- Contact your mobile carrier fraud team immediately if a SIM-swap is suspected
- Report to the FTC at reportfraud.ftc.gov
- In the UK, report to Action Fraud at actionfraud.police.uk
- File at ic3.gov (FBI) if banking funds were taken
Frequently asked questions
Why does a FedEx redelivery page need my date of birth?
It does not. FedEx's real redelivery booking form requires only the tracking number, contact email, and new delivery details. Any page asking for a date of birth, NI number, or SIN under a courier pretext is harvesting identity data for a secondary attack.
Can I prevent a SIM hijack even if an attacker has my personal data?
Yes. Adding a SIM-lock or port-out PIN with your carrier means the attacker cannot transfer your number even with your personal details. This is the single most effective preventive step. Migrating from SMS to app-based two-factor authentication also removes the value of a SIM-swap for most account takeovers.
My SIM was hijacked and money was taken from my bank. What can I do?
Contact your bank's fraud line immediately and ask them to reverse any transactions made during the period of the SIM hijack. File reports with the FTC, your carrier, and local law enforcement. Banks often treat SIM-swap-enabled fraud as reimbursable under their security guarantees.