Fact Check

Package Delivery Failure Virus

Warning about computer viruses sent out disguised as package delivery failure notifications.

Published Jul 13, 2008

Scammers trick e-mail users into opening virus-launching attachments by sending phony package delivery failure notifications.


[Collected via e-mail, April 2012]

Delivery information,

Courier service couldn’t make the delivery of your parcel.
Reason deny:
It’s not right specified size and the weight of parcel.

SERVICE: Express Shipping
Parcel number:U712149356NU

Postal label is enclosed to the letter.
Print your label and show it in the nearest post office of USPS

Important information!
If the parcel isn’t received within 30 working days our company will have
the right to claim compensation from you for it's keeping in the amount of
$7.46 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels
keeping in the nearest office.

Thank you for your attention.
USPS Express Services.

[Collected via e-mail, March 2011]

Dear client
Your package has been shipped.
The tracking# is : RT094860142HK and can be used at :
The shipping invoice can be downloaded from :

[Collected via e-mail, July 2008]

From: UPS Packet Service
Subject: UPS Paket N0328795951

Dear Sir/Madam,

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your UPS

[Collected via e-mail, August 2008]

Unfortunately we were not able to deliver postal package you sent on July the 25 in time because the recipient's address is not correct.

Please print out the invoice copy attached and collect the package at our office.


[Collected via e-mail, September 2010]


Unfortunately we failed to deliver the postal package you have sent on the 19th of September in time because the recipient's address is erroneous.

Please print out the shipment label attached and collect the package at our office.

United States Postal Service

[Collected via e-mail, December 2011]

Subject: Canada Post shipment status No635

Dear customer.

Your package has been returned to the Canada Post office. Reason: Your address does not exist. Please find the attached document containing detailed information about delivery failure. Read all information carefully and come to the "Canada Post" office to receive your package.

Thank you.
Canada Post Service.

Origins: A common (and unfortunately, effective) technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity that many people commonly deal with, such as one of the large Internet auction or retailing sites, or a national bank (or other financial institution), or a major provider of a common service.

That last area usually comes into play around the winter holiday season, when e-mail users experience an onset of viruses spread through messages purporting to come from parcel delivery companies such as the United Parcel Service (UPS) or Federal Express (FedEx). The bogus messages typically inform users about packages they have supposedly sent that could not be delivered due to incorrect recipient addresses and invite them to open and print out attached invoices in order to claim the undelivered packages. The messages include file attachments with names like 'ups_invoice.zip' that actually harbor malicious executable files ('ups_invoice.exe' or the like). Those files display a Microsoft Word icon so that they look like harmless Word documents, luring recipients into clicking on them.

A mass mailing of this type is bound to hit quite a few people who have shipped parcels in the recent past (especially around the holidays) and therefore might easily be lured into opening the virus-launching attachment, so UPS was quick to put up (and e-mail) a warning about the malicious messages:

Attention Virus Warning
Service Update

We have become aware there is a fraudulent email being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered. The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up.

This email attachment contains a virus. We recommend that you do not open the attachment, but delete the email immediately.

UPS may send official notification messages on occasion, but they rarely include attachments. If you receive a notification message that includes an attachment and are in doubt about its authenticity, please contact customerservice@ups.com.

Please note that UPS takes its customer relationships very seriously, but cannot take responsibility for the unauthorized actions of third parties.

Thank you for your attention.

UPS currently has the following warning on their web site about the phony e-mails:

Fraudulent Email Circulating
Service Update

Fraudulent emails adopt many different forms and are the unauthorized actions of third parties not associated with UPS. These email messages referred to as "phishing" or "spoofing" are becoming more common and may appear legitimate by incorporating company brands, colors, or other legal disclaimers.

In addition to other fraudulent emails two new email "spoofs" are currently circulating. One contains the subject line "United Parcel Service Notification" and the other states "Your Package Has Arrived!" Neither of these are legitimate UPS communications, and opening or clicking on the included attachment may result in the installation of malware onto your computer. If you receive these emails, do not follow any links provided or click on any attachments. Instead, simply delete the email.

Please be advised that UPS does not request payments, personal information, financial information, account numbers, IDs, passwords, or copies of invoices in an unsolicited manner through email, mail, phone, or fax or specifically in exchange for the transportation of goods or services. UPS accepts no responsibility for any costs or charges incurred as a result of fraudulent activity.

FedEx placed a similar warning on their site:

Be alert for fraudulent e-mails claiming to be from FedEx regarding a package that could not be delivered. These e-mails ask the receiver to open an attachment in order to obtain the airbill or invoice for picking up the package. The attachment contained in this type of e-mail activates a virus. DO NOT OPEN the attachment. Instead, delete the e-mail immediately.

These fraudulent e-mails are the unauthorized actions of third parties not associated with FedEx. When FedEx sends e-mails with tracking updates for undeliverable packages, we do not include attachments.

FedEx does not request, via unsolicited mail or e-mail, payment or personal information in return for goods in transit or in FedEx custody. If you have received a fraudulent e-mail that claims to be from FedEx, you can report it by forwarding it to abuse@fedex.com.

If you have any questions or concerns about services provided by FedEx, please review our services at fedex.com/us/services or contact FedEx Customer Service at 1.800.GoFedEx 1.800.463.3339.

A version aimed at DHL surfaced in late March 2009, prompting that company to post an alert on their web site:

Import Information Regarding Fraudulent Use of DHL Tracking eMail

A fraudulent email is being distributed with the subject line "DHL tracking number". The email contains an attachment with a virus that should not be opened. Please delete the entire email and be advised that the package referred to does not exist and that DHL delivery services are operating normally.

Yet another version (cited in the 'Examples' section above) featuring messages purportedly originating with the United States Postal Service (USPS) began circulating in September 2010, with those messages asking recipients to print out a mailing label in order to lure them into opening the enclosed attachment (USPSlabel.zip) and activating the malware contained therein. The USPS posted a warning about this version on its web site:

Some postal customers are receiving bogus e-mails about a package delivery. The e-mails contain a link that, when opened, installs a malicious virus that can steal personal information from your PC.

The e-mails claim to be from the U.S. Postal Service and contain fraudulent information about an attempted or intercepted package delivery. You are instructed to click on a link to find out when you can expect your delivery. But Postal Inspectors warn: Do not click on the link!

Like most viruses sent by e-mail, clicking on the link will activate a virus that can steal information — such as your user name, password, and financial account information.

What to do? Simply delete the message without taking any further action. The Postal Inspection Service is working hard to resolve the issue and shut down the malicious program.

As of March 2011, Canada Post was also warning of similar virus mailings:

Please be advised that if you received an email suggesting that Canada Post has shipped a package to you with the tracking number RT094860142HK, the email is fraudulent, likely contains a virus, and the package does not exist. Please do not click on the links or open any attachments.

The email is not coming from Canada Post — Canada Post does not send an email confirmation that a package has been shipped. The anonymous authors of this unfortunate email virus are only using the Canada Post name to get your attention.

Steps you can take to protect yourself if you receive an email from Canada Post:

  1. If you feel the email is suspicious, delete.
  2. If you are not expecting a package delivery by Canada Post, delete the email immediately.
  3. If you are expecting a package delivery by Canada Post, please do the following:
    • If there is an attachment — delete the email immediately.
    • If there is a tracking number included in the email, you can check it at www.canadapost.ca. If the tracking number is a fake, "Invalid Tracking Number format. Please check your entries and try again." will appear on the screen in red letters. Delete the email.



David Mikkelson founded the site now known as snopes.com back in 1994.