Delivery Scam Calls - How They Work and How to Protect Yourself

The Surge in Delivery Scams

With the expansion of the e-commerce market, parcel delivery volumes have reached approximately 5 billion packages per year. Exploiting the fact that many people regularly receive deliveries, scam calls and SMS messages impersonating delivery services have surged. According to the National Consumer Affairs Center, consultations related to delivery impersonation scams increased by approximately 50% year-over-year in 2023. Many people have likely received an SMS reading "We attempted delivery but you were not home."

What makes this tactic so effective is that many people are actually expecting packages, so they click links or call back without suspicion. The source numbers often include 080 and 090 mobile numbers, 050 IP phone numbers, and spoofed numbers made to look like legitimate delivery companies. This type of fraud tends to spike during year-end holidays and sale periods when online shopping increases.

SMS-Based Scam Tactics

Redirecting to Phishing Sites

The most common tactic is directing victims from a fake missed-delivery SMS to a phishing site. The SMS reads something like "We attempted delivery but you were not home. To reschedule, click here" with a URL. The linked site closely mimics a major delivery company's official website and requests personal information and credit card details under the guise of rescheduling.

The fake site URLs differ subtly from the real ones - for example, changing "yamato-takkyubin.com" to "yamat0-takkyubin.com" (replacing the letter o with zero). URL shortening services are also increasingly used to hide the actual destination. See the SMS phishing (smishing) countermeasure guide for detailed identification tips.

Malicious App Installation

On Android smartphones, victims may be prompted to install a "delivery tracking app" from the fake site. Installing this app not only steals personal data including contacts, SMS messages, and photos, but also causes the victim's phone to automatically send thousands of scam SMS messages - creating secondary damage. Cases have been reported where thousands of SMS messages were sent in a single day, resulting in communication charges of hundreds of thousands of yen. Smartphone security software Strengthen your malicious app detection.

iPhones restrict app installation from outside the App Store, so malicious app damage is less common. Instead, iPhone users are redirected to phishing pages requesting Apple ID and password entry. If an Apple ID is stolen, the attacker gains access to photos and contacts stored in iCloud, and can even misuse credit cards registered with Apple Pay.

Phone-Based Delivery Scam Tactics

Calls Impersonating Delivery Drivers

In this tactic, someone calls claiming to be a delivery driver: "We have a package for you, but the delivery address is unclear. Could you confirm your name and address?" When asked about the sender or contents, they give vague answers and persistently request only personal information. A legitimate driver can identify the delivery address from the shipping label and would not need to confirm it by phone.

Cash-on-Delivery Fraud

This involves sending unordered items via cash-on-delivery (COD) and collecting payment upon receipt. A prior phone call states "You have a delivery. It is COD for 3,980 yen," making it seem like a legitimate order. In households with multiple members, someone may assume another family member placed the order and pay. The delivered items are typically cheap trinkets worth around 100 yen or empty boxes.

Customs and Fee Scams

In this tactic, the caller claims "Your international package has customs duties. We cannot deliver unless you pay." They then request payment via convenience store electronic money or bank transfer. Actual customs duties are paid to the delivery driver upon receipt or billed formally by a customs broker - never requested by phone via electronic money. This exploits the growing number of people using international online shopping.

Real Cases

Case 1: Personal Information Stolen via SMS

Ms. H, a woman in her 30s, received an SMS saying "Your package was undeliverable" the day after ordering something online. Since she was expecting a delivery, she accessed the URL without suspicion and entered her credit card information on a "rescheduling form." The following month, approximately 150,000 yen in unauthorized charges appeared on her card statement. "The timing was perfect, so I never doubted it was real," she reflected.

Case 2: Secondary Damage from a Malicious App

Mr. I, a man in his 50s, installed a "delivery tracking app" from a link in a fake delivery SMS. His smartphone then automatically sent approximately 5,000 scam SMS messages per day, running up communication charges of about 300,000 yen. His contact information was also leaked, causing similar scam messages to be sent to his acquaintances. He was able to negotiate a partial reduction in charges with his carrier, but the leaked personal data could not be recovered.

Case 3: Cash-on-Delivery Fraud

Mr. J, a man in his 40s, received a phone call about a delivery and accepted a COD package, paying 5,000 yen. Inside was a cheap trinket worth about 100 yen. No one in his family had placed the order. "The delivery driver was wearing a legitimate uniform, so I did not suspect anything," he said. In fact, the fraud group had used a legitimate delivery service to send the package, so the driver was indeed real.

How to Spot Delivery Scams

• Do not casually click URLs in SMS messages - Major delivery companies (Yamato Transport, Sagawa Express, Japan Post) do not send URLs via SMS. Reschedule through their official websites or apps
• Check the tracking number - Legitimate missed-delivery notices include a tracking number. Notices without one are likely scams
• Be wary of phone requests for personal information - Legitimate delivery drivers do not normally call to confirm your address or name
• Refuse unrecognized COD packages - Verify the sender and contents before accepting. If suspicious, refuse delivery
• Use official apps - Install the official apps from Yamato Transport, Sagawa Express, and Japan Post, and always check delivery status through them
• Do not install suspicious apps - Delivery companies never request app installation via SMS. Always download apps from official stores

Shredder Disposing of shipping labels with a shredder helps prevent personal information leaks. From the perspective of phone number privacy protection, careful handling of shipping labels is important. Enabling automatic SMS filtering in your smartphone privacy settings is also an effective countermeasure.

What to Do If You Are a Victim

If You Entered Information on a Phishing Site

• If you entered credit card information, immediately contact your card company to request a freeze and reissue
• If you entered IDs and passwords, promptly change the passwords for those services
• Also change passwords for any other services where you reuse the same credentials
• If unauthorized charges are confirmed, file a chargeback request with your card company

If You Installed a Malicious App

• Switch to airplane mode to cut off communication
• Uninstall the malicious app
• Factory reset your smartphone and restore from a backup made before the app was installed
• Contact your carrier to discuss charges from unauthorized SMS transmissions
• Notify contacts in your address book that they may receive scam SMS messages

In any case, please file a report with the police following the phone scam reporting guide. Reporting to the Anti-Phishing Council also helps prevent similar damage from spreading.

Summary

Delivery impersonation scams exploit the everyday act of receiving packages, meaning anyone can become a victim. By following three principles - never click URLs in SMS messages and use official apps instead, never share personal information over the phone, and refuse packages you did not order - you can prevent damage before it occurs. Make it a habit to always check delivery status through official apps and websites.