Fake FedEx Email Downloads Virus from Google Drive

We're blocking a fake FedEx Express Delivery Notification that has a link to a virus on Google Drive. This is a new variation on one that appeared a few weeks ago, so we already had it blocked for our global customers.

What the Email Looks Like

The email is plain text, notifying you that FedEx could not deliver a package. Then it gives you a link to a label that you need to print out. Do not click the link. It goes to a virus stored on a Google Drive account.

Subject: Fedex Express Delivery Notification

Dear Customer

Our delivery service couldn't deliver your package.The package weight exceeds our free-delivery limit. You have to receive your package personally at our nearby outlet (See page 2 for details).

Please print out the label attached or copy and paste the url below on your browser to download.

https://drive.google.com/open?id=xxxxxxxxxxxxxxxxxxxxxxxx

Kindly visit our outlet on page 2 on the form and submit the form to our dispatcher in other to recieve your package.

We apologies for any inconvenience this might cost and we hope to see you at our outlet to pickup your parcel.

Thank you.

How to Tell This is Spam

The email has some clear indicators that it is spam.

  • "Dear Customer": This is one of the most classic indicators of spam. FedEx, or another company you do business with, will know your name and would use it in correspondence like this.
  • Grammar/Spelling Mistakes: This is another good indicator that something is wrong. Examples include "paste the url below ON your browser", "recIEve", and "We apologiES for any inconvenience this might COST".
  • Incorrect Marks: The correct use of the mark is "FedEx", not "Fedex". The spammer was really sloppy here.
  • Third-Party Link: A legitimate email like this would probably have a link to the company's own website, not a third-party document sharing service like Google Drive. Caution: Never click the link in an email, even if it looks OK. Spammers have several ways to make a third-party link look legitimate, including the use of special characters, URLs that are similar, etc. If you need to check your account online, type the address you already know directly into your browser.

We saw a similar campaign several weeks ago. The filters our threat analysts put in place then stopped this new wave when it hit. We're blocking it for our global customers with at least 2 content filters and a long-phrase filter.
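
The four indicators listed above can be checked mechanically. The following is an added example, not SpamStopsHere's filter code: the function names, the phrase list and the brand-domain list are assumptions chosen for illustration, and the sample is an abridged copy of the message quoted on this page.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: the message quoted on this page (abridged), placeholder link id kept.
SAMPLE = """\
Subject: Fedex Express Delivery Notification

Dear Customer

Please print out the label attached or copy and paste the url below on your browser to download.

https://drive.google.com/open?id=xxxxxxxxxxxxxxxxxxxxxxxx

Kindly visit our outlet on page 2 on the form and submit the form to our dispatcher in other to recieve your package.
"""

# Assumptions for illustration: hand-picked lists, not a vendor rule set.
BRAND = "FedEx"
BRAND_DOMAINS = ("fedex.com",)
GREETING_RE = re.compile(r"^\s*dear\s+(customer|user|client|sir|madam)\b", re.I | re.M)
ERROR_PHRASES = ("recieve", "we apologies", "on your browser", "in other to")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def is_brand_host(host):
    """True only for the brand domain or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def indicators(raw):
    """Return the names of the page's four indicators present in a raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = []
    if GREETING_RE.search(body):
        hits.append("generic_greeting")
    if any(p in body.lower() for p in ERROR_PHRASES):
        hits.append("spelling_grammar")
    # Compare brand mentions outside URLs against the exact mark.
    prose = URL_RE.sub(" ", msg.get("Subject", "") + "\n" + body)
    if any(m != BRAND for m in re.findall(re.escape(BRAND), prose, re.I)):
        hits.append("incorrect_mark")
    # Flag any link whose host is not the brand's own domain.
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    if any(not is_brand_host(h) for h in hosts):
        hits.append("third_party_link")
    return hits


if __name__ == "__main__":
    print(indicators(SAMPLE))
```

The host comparison matches on the full domain suffix, so a look-alike such as `fedex.com.example.net` is still reported as a third-party link.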

About SpamStopsHere

To find out more about SpamStopsHere, check out our simple pricing and start a FREE 30-Day trial, visit our website, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email. We're always here. 24/7/365.