FRAUD · 10 MIN READ · JUNE 3, 2026

Fake courier and delivery scam sites — the 2026 playbook. Inside the ₹25 redelivery scam impersonating India Post, DHL, FedEx and Blue Dart.

If you live in India and own a phone, you've received one: "Your India Post package could not be delivered — pay ₹25 redelivery fee." The link looks plausible. The fee is small enough to feel routine. This post breaks the campaign down end to end — SMS gateways, lookalike domains, cloned tracking pages, the OTP swap at the payment step — and shows how to verify any courier URL in 60 seconds.

01 · HOW IT WORKS

Four moving parts that make the scam scale

The campaign is industrial — each component is independently cheap and runs at volume. Together they convert at scary efficiency:

  • SMS gateway: Bulk SMS providers, often based outside India, blast millions of messages per day. Targeting is loose — number ranges from leaked data breaches.
  • Lookalike domain: Registered through a discount registrar, valid for one year, hosted on shared infrastructure. Throwaway — the domain dies as soon as it gets reported.
  • Cloned tracking page: Pixel-perfect copy of India Post, DHL or FedEx. HTML is often just a save-page-as of the real site with the payment form swapped.
  • Payment endpoint: A fake gateway page that collects card details, OTP and CVV. The card is then used immediately — usually within an hour — for a large unrelated transaction.

02 · THE SMS HOOK

Why the SMS copy is so effective

Scammers test SMS copy the way real marketers do. Every high-performing variant shares the same four ingredients:

  • A brand you recognize: Square-bracketed brand name at the start ([India Post], [DHL]) — your eye treats it as the sender.
  • A reason that fits your life: Incomplete address, KYC update, redelivery — plausible for any active e-commerce shopper.
  • A small fee: ₹25, ₹40, ₹49. Small enough not to feel risky; large enough to require a card.
  • A short URL: A domain that almost, but not quite, matches the courier's. Lookalike spelling, dash insertion, alternate TLD.

03 · THE FAKE PAGE

Three details that always give the fake page away

Click the link and the page is convincing — courier logo, brand colors, fake tracking number, animated "package is here" status. Three signals catch it every time:

  • The URL: Real courier domains are well-known — indiapost.gov.in, dhl.com, fedex.com, bluedart.com. Scam URLs are lookalikes: indi4post.com, dhl-india.shop, fedex-redelivery.online.
  • The certificate: Real couriers have OV/EV SSL certificates issued years ago. Scam pages use Let's Encrypt certs issued in the last few days. One SSL inspection ends the deception.
  • The infrastructure neighborhood: A reverse-IP lookup shows the page sharing an IP with dozens of other lookalike domains targeting different brands — same scammer running ten campaigns in parallel.

04 · THE ₹25 TRAP

What actually happens when you enter card details

The payment form looks like a stripped-down Razorpay or PayU. The pretense is the small redelivery fee. The reality is a four-step swap:

  • Step 1 — Card capture: You enter card details. The page captures them in plain text on the scammer's server.
  • Step 2 — Real transaction initiated: The page initiates a real transaction, but not for ₹25. Usually for ₹50,000–₹2,00,000, to a merchant the scammer controls or has compromised.
  • Step 3 — OTP from the bank: Your bank sends an OTP for the real transaction amount. The scam page shows a fake OTP entry field labelled "Confirm ₹25 redelivery".
  • Step 4 — Card charged in full: You enter the OTP. The card is charged the real amount. By the time you see your bank's SMS, the money is gone.

OTP rule: Banks never reuse an OTP across amounts. If the bank SMS says ₹50,000 and the page says ₹25 — the page is lying. Close it.

05 · INDIA POST

Why India Post is the most-cloned Indian brand

India Post sees more impersonation traffic than any other Indian courier. Three reasons:

  • Vast user base: Almost every Indian household has received an India Post parcel. Near-universal brand recognition.
  • Less digital savvy on average: India Post's user base skews older and more rural than private couriers. Scammers correctly assume lower URL literacy.
  • Plausible fee story: India Post does charge for some services. A fee request doesn't immediately feel wrong.

The .gov.in rule: The real India Post domain is indiapost.gov.in. .gov.in is restricted to verified Indian government entities — no scammer can register one. If the domain in the link doesn't end in .gov.in, it isn't India Post.

06 · GLOBAL VARIANTS

DHL, FedEx, Blue Dart, Delhivery — the same playbook

  • DHL: the real domain is dhl.com, or country-specific subdomains like mydhl.express.dhl. Scam examples: dhl-india.shop, dhI-tracking.top (capital I), dhl-redelivery.online.
  • FedEx: the real domain is fedex.com. Scam examples: fedex-redelivery.shop, fed-ex.online, fedex-india.top.
  • Blue Dart: the real domain is bluedart.com. Scam examples: bluedart-track.shop, bluedart-india.online, blue-dart.top.
  • Delhivery: the real domain is delhivery.com. Scam examples: delhivery-track.online, delhivery-fee.shop.
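
The domain rule from sections 03, 05 and 06, written out as an added Python example (not code from the original article): a link is official only when its host is a listed courier domain or a subdomain of it, and a brand name anywhere else in the host is a lookalike. The function names, the 0 and 1 character swaps and the `.example` sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official domains exactly as listed in the article.
OFFICIAL = {
    "India Post": ["indiapost.gov.in"],
    "DHL": ["dhl.com", "mydhl.express.dhl"],
    "FedEx": ["fedex.com"],
    "Blue Dart": ["bluedart.com"],
    "Delhivery": ["delhivery.com"],
}
# Swaps seen in the article's scam examples (4 for a, capital I for l);
# 0 for o and 1 for l are added here as an assumption.
CONFUSABLES = str.maketrans({"4": "a", "I": "l", "0": "o", "1": "l"})


def hostname(url):
    """Host part of a link, case preserved so a capital I stays visible."""
    if "://" not in url:
        url = "http://" + url              # SMS links often omit the scheme
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1]       # ignore anything before an @
    return host.split(":")[0].rstrip(".")  # drop port and trailing dot


def classify(url):
    """Return (verdict, brand); verdict is official, lookalike or unknown."""
    raw = hostname(url)
    host = raw.lower()
    for brand, domains in OFFICIAL.items():
        # Official only if the host IS the domain or a subdomain of it.
        if any(host == d or host.endswith("." + d) for d in domains):
            return "official", brand
    # Undo character swaps, drop dashes and dots, then look for a brand name.
    folded = raw.translate(CONFUSABLES).lower().replace("-", "").replace(".", "")
    for brand, domains in OFFICIAL.items():
        if domains[0].split(".")[0] in folded:
            return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links built from the domains quoted in the article.
    for link in ["https://www.indiapost.gov.in/", "indi4post.com/pay",
                 "http://dhI-tracking.top", "https://fed-ex.online/r?id=1",
                 "https://indiapost.gov.in.parcel.example/fee"]:
        print(link, "->", classify(link))
```

An "unknown" verdict only means no courier name was found in the host; it says nothing about whether the link is safe.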

07 · VERIFY IN 60 SECONDS

Four checks before you click anything

Whenever a courier SMS arrives, before tapping the link:

  • Open the courier's app or official site directly: Don't click the SMS link. Type the URL or use the app. Real packages always show up in the real tracker.
  • Run a domain lookup on the link: Real courier domains are years old. Scam URLs were registered in the last few weeks. WHOIS reveals this in seconds.
  • Check the SSL certificate: Real couriers carry OV/EV certificates from a paid CA. Scam pages carry a free Let's Encrypt cert issued days ago.
  • Reverse-lookup the IP: If the page shares an IP with dozens of unrelated brand-clone domains, the scammer is running the same play across multiple targets.

08 · FAQ

Frequently asked questions

  • Does India Post charge a redelivery fee? In most cases, no — and never via an SMS link to a website. Genuine redeliveries are arranged through the local post office, not a payment portal. Treat any SMS asking for a fee as a scam.
  • I clicked the link but didn't pay. Am I safe? Mostly yes. Modern mobile browsers sandbox sites well — a click alone usually doesn't compromise your phone. The risk arrives only if you entered card details, OTP or other personal information.
  • I entered my card details. What do I do? Immediately call your bank's fraud line and block the card. Then file a complaint on cybercrime.gov.in with the SMS, the URL and the timestamp. Speed matters — recovery is possible within the first 24 hours and gets much harder after.
  • How do scammers get my phone number? Almost always from data breaches. Indian phone numbers leak constantly — from e-commerce databases, food delivery apps, telecom subscriber lists. Scammers buy these in bulk.