Fake shipment emails (FedEx, UPS, DHL, Amazon, etc.)

There have been numerous phishing attempts over the years regarding shipments from FedEx, DHL, Amazon, UPS, etc.  You should always be skeptical when receiving emails about shipments, especially when the email states there are issues with the shipment or missed deliveries.

Phishing tip: you should always be suspicious of emails with a "call to action", such as clicking on a link to set up a second delivery attempt, clicking a link before your account is deleted or locked out, etc.

It can be difficult to tell a real email from a phishing email, because attackers use logos and/or verbiage relating to companies you regularly do business with. One example is phishing emails relating to Amazon. Phishers know a lot of people shop at Amazon frequently, so they take a chance you may be waiting on a shipment and send out a phishing email using Amazon logos stating there was an issue with your shipment. Let's say you are waiting on a shipment from Amazon and one of these phishing emails arrives. How do you determine if it is a legitimate email? Here's what I would do: if you receive an email regarding a shipment from Amazon, even if you are expecting a package from Amazon, log in to your Amazon account and look at the order information that way. I would never click on a link in the email or call any phone number listed in the email. Instead, perform an internet search for Amazon, FedEx, etc. and navigate to the website through your internet search, or call them from a number you found in your search, not from within the email.

One thing to keep an eye out for: when you hover over the link in the email, see whether it leads to some random, unrelated website. Be careful not to click on the link, just hover over it. Be careful though, because phishers will either make a fake website using the name of the company they are imitating, such as the fake website used in the DHL example below, or adjust the spelling so it appears legitimate at a quick glance, such as Annazon (two n's instead of an m) or Arnazon (an r and n instead of an m), trying to trick people into reading Amazon because Amazon logos appear in the email. In the DHL example below, the website does not belong to DHL. It would be similar to someone making a website that was amazon.maliciouswebsite[.]com. I will make another blog post to explain website URLs, but for now pay attention to the last name prior to .com, .org, etc. Even if a company name is listed, the last name prior to .com is the one to pay attention to. So amazon.randomwebsite[.]com is actually a page on randomwebsite[.]com and is unaffiliated with Amazon.

Attackers will also put a login prompt on their fake website so it appears as if you need to log in first. This does two things. It leads you to believe it is the actual company's website, but more importantly it is used to steal your login and password. The attackers then assume you have used that same password on other websites such as your bank, retirement accounts, email, etc., so they attempt to log in to various websites with your email address and/or the login name you provided on the fake login prompt along with the password you entered. This is known as "credential stuffing". It's something I've seen first hand, so I can confirm this happens on a regular basis.
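The domain-reading rule above (look at the last name before .com, and watch for the Annazon/Arnazon spellings) can be written as a small check. This is an added example, not code from the original post; the `OFFICIAL` allow-list, the function names and the sample links are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list of brand -> official domain (illustrative, not exhaustive).
OFFICIAL = {"amazon": "amazon.com", "fedex": "fedex.com",
            "dhl": "dhl.com", "ups": "ups.com"}
# Letter pairs that read as "m" at a glance (the Annazon / Arnazon trick).
LOOKALIKES = (("rn", "m"), ("nn", "m"))

def registrable_domain(host):
    """Return the last two labels: "the last name prior to .com" plus the ending.
    Simplification: suffixes such as .co.uk need the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def normalise(label):
    """Collapse lookalike letter pairs so 'arnazon' and 'annazon' become 'amazon'."""
    for fake, real in LOOKALIKES:
        label = label.replace(fake, real)
    return label

def check_link(url):
    """Classify a link target: official, lookalike-spelling, brand-in-name or unrelated."""
    url = url.replace("[.]", ".")          # undo defanging before parsing
    if "://" not in url:
        url = "https://" + url             # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in OFFICIAL.values():
        return ("official", domain)
    name = domain.split(".")[0]
    tokens = re.split(r"[.-]", host)       # whole words only, so "groups" is not "ups"
    for brand in OFFICIAL:
        if name != brand and normalise(name) == brand:
            return ("lookalike-spelling", domain)
        if brand in tokens:
            return ("brand-in-name", domain)
    return ("unrelated", domain)

# Constructed sample links (not taken from real emails).
SAMPLES = ["https://www.amazon.com/your-orders",
           "http://amazon.randomwebsite[.]com/login",
           "https://www.arnazon[.]com/track",
           "https://dhl-express.example[.]com/parcel.zip"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link))
```

Only the "official" verdict means the link's domain matches the allow-list; every other verdict is a reason to go to the company's site through a search instead of the link.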

Due to all these types of tricks, my advice is to find the information in other ways. Like I said previously, search for the company, such as FedEx, DHL, Amazon, etc., in an internet search and navigate to the website through your search results. You can then log in to your account and search for the tracking number or your last order. Always avoid clicking on links or calling phone numbers listed in the email.

Here are a couple of examples of real-world phishing attempts.

Below are a couple of screenshots from a fake DHL example. The website in the email, although appearing to be from DHL since the company name is listed, is not actually a valid DHL company website. It is a fake website totally unrelated to DHL. The attackers just put dhl in the URL for the website to make it seem like it was related to DHL.

The phishing email

Notice that when navigating to the link in the email, it asks you to download a zip file. You should never have to download a zip file from a legitimate shipping company to track your package or view the status. More often than not, you will be directed to a web page that displays your package information, or you would have to log in to your account first to view a .pdf file. There are plenty of warning signs in the email to suggest that, even if you were directed to a login page and there was a .pdf file, you should delete and ignore the email. In this case, I would click "Cancel" if I had gotten this far.

 

Here is an example from a fake FedEx email. I removed the actual to and from email addresses, but the email address in the "From" line was not fedex[.]com; it was a random website not remotely related to FedEx. The package information referenced in the email and in the Subject line was a dollar sign ($) followed by some random numbers (I did not include the original numbers in case it did reference a customer in any way). The "VIEW SHIPPING INVOICE" link in the email was pointing to a website unrelated to FedEx. The two biggest red flags or warning signs that this is a malicious email are the From email address not being FedEx (such as fedex@randomwebsite[.]com) and that, if you hover over the "VIEW SHIPPING INVOICE" link (hover over it without clicking), you notice it goes to a website totally unrelated to FedEx.

If you had clicked on the link, a Word document would have been downloaded. Of course that's another warning sign, as it is highly unlikely FedEx will send you to a link that would download a Word document. If you had to download an invoice from FedEx, I would assume you would be required to log in to your FedEx account and the file to download would be a .pdf document. Even if this was a .pdf document and you had to log in to your FedEx account, there are plenty of warning signs in the email that suggest you should delete the email and ignore it. The next warning sign is that, after downloading and opening the Word document, it asks you to enable macros. Enabling macros is always a HUGE red flag or warning sign that something isn't right. This is even more so when you factor in that FedEx would have no reason to have a macro-enabled document just to display an invoice.