Parcel Locker Phishing Scams
Fraudsters send fake notifications claiming a parcel is waiting in a locker, directing victims to fake websites that harvest credentials or payment card details.
Last reviewed: 1 June 2026
What this scam is
Parcel locker phishing scams exploit the growing use of automated parcel locker networks — the self-service kiosks found in supermarkets, petrol stations, and residential buildings where deliveries can be collected at any time. Fraudsters send text messages or emails appearing to come from a legitimate locker service or delivery company, claiming that a parcel is held in a locker and that the recipient must log in or pay a fee to retrieve it.
The notification mimics genuine locker alerts in its formatting, branding, and language. Victims who tap the link are taken to a convincing replica of the real service's website, where they are prompted to log in with their account credentials or to enter payment card details to release the parcel. Neither the parcel nor the fee is real: the only goal is to capture login credentials or card numbers.
Because parcel locker services are heavily used and generate high volumes of legitimate notifications, recipients are conditioned to act on these messages quickly. Many people will have genuine outstanding deliveries at any given time, which makes them more likely to believe a message about a waiting parcel is real.
Phishing kits designed to spoof specific parcel locker brands can be purchased cheaply on criminal forums, lowering the barrier for fraudsters to launch targeted campaigns. The scam scales easily — a single mass message can reach thousands of potential victims simultaneously.
How it works
The attack begins with a text message or email that closely resembles a genuine locker notification. It includes the locker service's branding, a reference number, a nearby location, and a deadline to collect before the parcel is returned. The message creates urgency by stating the parcel will only be held for a limited number of days.
The embedded link leads to a website that mirrors the real locker platform. The fraudulent site may use a domain that is visually similar to the legitimate one — an extra letter, a different top-level domain, or a hyphenated variant. On this site, the victim is asked to verify their identity by logging in, or to pay a small 'redelivery fee' or 'locker release fee'. Both requests are pretexts to harvest the victim's data.
If credentials are entered, the fraudster takes over the victim's genuine locker account and any linked accounts using the same password. If payment details are entered, they are used for fraudulent card transactions or sold on criminal marketplaces.
The victim may not realise they have been phished until they visit the real locker location and find no parcel, or until they notice unfamiliar transactions on their bank statement or receive an alert that their account has been accessed from an unrecognised device.
Why this scam works
Parcel locker phishing works because the premise is entirely plausible. Most people are regularly waiting for deliveries and the idea that a parcel has been placed in a nearby locker is not surprising. The fake notification is timely in a way that cold phishing about bank accounts may not be.
Small fees framed as 'storage' or 'release' charges are low enough that victims do not scrutinise the payment as carefully as they might a larger transaction. The credential harvesting variants are similarly low-friction — logging into a familiar service feels routine rather than risky.
Common red flags
- Notification arrives from an unexpected number or email address, not the official locker service sender
- Message asks you to pay a fee to release or store a parcel
- Link in the message leads to a domain that is slightly different from the official service website
- Parcel reference number is generic or does not match any order you placed
- Locker location in the message is not one you have used or is outside your area
- Website asks for full card details for a small fee rather than a saved payment method
- Urgency is emphasised heavily — 'collect within 24 hours or parcel will be returned'
- You check the real app and there is no parcel waiting
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your parcel is waiting at [Locker Service] near [Location]. Collect by [date] or it will be returned. Tap here to get your code: [fake link]
[Locker Service]: A delivery for [Name] is ready to collect. A small locker release fee of [amount] is required. Pay securely: [fake link]
Reminder: your parcel at [Location] locker has not been collected. Please log in to retrieve your access code before [date]: [fake link]
[Locker Service] ALERT: Your locker session has expired. Reauthorise within 24 hours to avoid return to sender: [fake link]
We tried to deliver your package today. It has been placed in a locker at [Address]. Your PIN is [code]. Confirm your details here: [fake link]
Common variations
- Version targeting specific named locker brands with high-quality replica websites
- Credential-only harvest: no fee requested, only a login prompt
- Two-stage attack: initial message asks only for name confirmation, then follow-up asks for card details
- In-app push notification spoofing for mobile users who have granted notification permissions to cloned apps
How to verify before you act
Do not tap links in locker notification messages. Instead, open the locker service's official app or website by typing the address directly or using a saved bookmark. Log in from there to check whether you actually have a parcel waiting.
The official app for the service will show all genuine pending collections. If there is nothing there, the message was fraudulent. Check the sender's details carefully — official parcel services use consistent, verifiable sender addresses, not random mobile numbers or generic email domains.
Payment methods used
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- Regular online shoppers
- People who use parcel locker services frequently
- Anyone expecting a delivery at a given time
What to do immediately
- Do not click the link or enter any details — close the message immediately
- Open the real locker service app or website directly to check for genuine pending collections
- Report the phishing message to your national cybercrime reporting body
- Forward the message to your mobile carrier's spam reporting number if available (7726 in the UK and US)
- Change your locker service account password if you entered any credentials on the fake site
- Contact your bank immediately if you entered any payment card details
- Enable two-factor authentication on your locker service account
How to prevent it
- Never tap links in parcel or locker notification messages — always check through the official app directly
- Use strong, unique passwords for locker service accounts and enable two-factor authentication
- Register with your locker service to understand what their genuine notification format looks like
- Report suspicious messages to your mobile carrier and to the locker service brand being impersonated
- Be sceptical of any fee request connected to a parcel delivery or collection
- Keep your locker service app updated so you can see genuine alerts within the app
Evidence to preserve
- Screenshot of the fraudulent message, including the sender details
- Screenshot or copy of the fake website URL
- Any confirmation emails received after interacting with the fake site
- Bank transaction records if card details were entered
- Time and date the message was received
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Do legitimate parcel locker services ever charge a release fee?
Most major parcel locker services do not charge customers a fee to collect a parcel. Some charge a late-collection fee after an extended period — typically several days — but this is communicated through the official app, not via a payment link in an unsolicited message. Any message asking for payment before you can collect a parcel is a strong indicator of a scam. Check the official service app to confirm.
I entered my details on what turned out to be a fake site. What do I do now?
If you entered login credentials, change your password on the real service immediately and enable two-factor authentication. Check whether you use the same password elsewhere and change it on all those accounts too. If you entered payment card details, call your bank's fraud line immediately to cancel the card and report the unauthorised data capture. Report the incident to your national cybercrime body.