With more people shopping online, many opportunistic scammers are targeting internet users by sending emails and text messages that impersonate delivery companies.

They are designed to obtain the personal or financial details of the person receiving them.

Variations on this type of scam can see people receiving a text message or email claiming to be from well known businesses or organisations informing them that they:

  • have won a prize
  • have won a new phone
  • have been selected to take part in a survey
  • have to pay customs duty on a package they’ve ordered.

Follow the advice below if you think you have received a scam email or text message like this.

How do these scams work?

Scammers often send emails or text messages to multiple people to trick them into believing they are relevant to them.

If you receive one of these messages, it will try to direct you to a scam website and then ask for your payment details. If it is a text, it may even download a malicious app to your phone that can steal your information.

Some messages claim that an organisation like NZ Post, DHL or other courier companies, have tried to deliver a parcel while you were out and ask you to click on a link to rearrange delivery.

Another type of scam starts with a text message asking you to click on a link to approve a pick-up time for a package. The link then takes you through a multi-step process to pay a small customs fee to release the package. Some people who have paid this have then noticed large un-authorised withdrawals being made from their bank accounts.

(Note that New Zealand Customs do not contact individuals or businesses about paying customs duty. Imported goods are not physically received by New Zealand Customs, but at warehouses run by licensed freight forwarders, known as Customs’ Controlled Areas. So any text or email saying it is from New Zealand Customs and asking for payment should immediately ring alarm bells.)

How do the scammers get your details?

These scams may include information such as names or even physical addresses. This information often comes from publicly available records (such as the phone book or electoral roll), or it could have come from a data breach (a leak of personal information from a website). 

You may want to check www.haveibeenpwned.com. This is a database of email addresses that have been shared in some of the larger data breaches. Please note that Netsafe is not affiliated with this website and cannot verify the information on it. 

How common are delivery scams?

There is often a spike in this type of delivery scam around the Black Friday/Cyber Monday sales and Christmas, when more people shop online and are expecting a package. This makes it potentially more likely someone will fall for it.

Lockdowns due to the COVID-19 pandemic have led to an increase in online shopping in Aotearoa New Zealand, and a huge increase in reports to Netsafe about this type of scam.

What to do if you’ve received a scam message by text

  • Don’t respond to the message, and don’t open any links that might be included.
  • If the message names an organisation in New Zealand, and if you believe it could be genuine, contact them on their publicly listed phone number to ask if the message was from them.
  • If the message isn’t genuine, check if your mobile phone has features that allow you to block specific phone numbers from sending you text messages. You can check with your phone provider to see if your model of mobile phone supports this blocking feature.
  • Report a text to the Department of Internal Affairs (DIA) by forwarding it to 7726.
  • If the message asked you to download an app, report it to Government cyber-security organisation, CERT NZ.
  • Delete the scam text message.

What to do if you’ve followed the link and downloaded the malicious app to your phone

CERT NZ has advice for what you can do if you’ve received this type of message. It advises you to complete a factory reset of your device as soon as possible. This will delete any data on your phone, including any photos, videos or documents you have saved there.

We recommend you do not back up your phone first if you’ve installed a suspect app before completing a factory reset.

You will also need to change the passwords to all of your online accounts and contact your bank if you use internet banking. If you’ve received a scam message like this, please also report it to CERT NZ.

This Identity Theft Checklist from the DIA is a helpful guide on what could happen with your information. If you believe you were exposed to identity theft, contact iDCare for free help and support.

What to do if you’ve received a scam message by email

  • Don’t respond to the email, and don’t click on any links that are included.
  • If the email names an organisation in New Zealand, and if you believe it could be genuine, contact them on their publicly listed phone number to ask if the message was from them.
  • Block the scammer’s email address. The simplest way to do this is to mark the email as junk mail. When an email is marked as junk mail, your email filter will learn to redirect emails from that scammer’s email address away from your inbox.

What to do if you’ve clicked on the link in an email

  • Close the page the scam message led you to.
  • Check for malware on the device you were using at the time. Malware is malicious software such as a computer virus. You can use a free online scanner to look for threats on your computer.
  • As an independent not-for-profit, Netsafe can’t recommend a particular product but we have listed some options here from well-known, reputable companies that are suitable for home computers.
    For PC: ESET online scanner or Kaspersky Virus Removal Tool (please note that this link will automatically download the removal tool.) After this scan has been completed, you can run Malwarebytes Anti-Malware free edition.
    For Mac: Bitdefender Antivirus for MAC or ESET Cyber Security for Mac or AVG Antivirus for Mac are good alternatives.
  • If you’ve opened the link on your mobile phone, contact your phone company for advice on how to check for and remove malware. Please be aware that this can include performing a factory reset on the device, which will delete everything you have saved on it.

What to do if you’ve shared private info or bank details

  • If you have shared any bank account information, you should report the incident to your bank immediately. This includes if you have shared your credit card details.
  • If you have sent money using your credit card, speak to your bank about applying for a charge back.
  • If you have sent money via an online money transfer platform (such as Bitcoin) the transaction is likely untraceable. You may not be able to get your money back.
  • If you have replied to the email with any sensitive personal information, this Identity Theft Checklist is a helpful guide on what could happen with your information. If you believe you may have been exposed to identity theft, we suggest you contact iDCare, who can provide free help and support.

Report a text or email scam

If you have lost money or personal information or think you are about to, contact us by emailing [email protected] or by completing an online report form. You can also call us toll-free on 0508 NETSAFE (0508 638 723).


Follow us on social media and sign up to our enewsletter for alerts, news and tips. 
Facebook   Twitter