Dubbed “Darcula”, the phishing scam lures victims with fake delivery failure alerts, claiming their parcel couldn’t be delivered due to an invalid postcode.

The message then urges customers to click a link to reschedule or verify their address — but instead, they’re handing sensitive information straight to cybercriminals.

What makes Darcula particularly dangerous is its use of advanced techniques to dodge telco and network filters, allowing it to spread via iMessage and Rich Communication Services (RCS) largely undetected.

Global cyber researchers have linked the Darcula scam to the theft of nearly 1 million credit card details worldwide over a seven-month period between 2023 and 2024, involving more than 600 individual scammers.

In Australia alone, the impact has been significant — with more than 600,000 people clicking on the fraudulent message and almost 10,000 valid credit card details harvested during the same time frame.

Experts believe the technology behind the scam may originate from China, and it’s already targeting users in over 100 countries.

Australia Post’s Chief Security Information Officer Adam Cartwright said unlike typical phishing attempts, Darcula leverages convincing branding, spoofed domains and constantly evolving message formats to stay ahead of detection tools.

“Scammers prey on busy lifestyles and the excitement and urgency in waiting for a package...we’re concerned about the volume increase in these scan messages going out,” he said.

“Australia Post will never, never call or text you or email you requesting sensitive information like a password or a credit card or even money.

“So all those things should raise a red flag with our customers... also avoid clicking links in text messages or emails”

New research commissioned by Australia Post highlights the widespread impact of scam activity across the country.

In a national survey of 1000 Australians, more than 90 per cent reported receiving a scam text or call, while nearly three-quarters said they had encountered scams impersonating delivery services.

The findings also show growing concern, with 85 per cent of respondents saying they are more worried about scams than they were 12 months ago. However, 58 per cent feel that businesses are not doing enough to protect them.

A clear generational divide in scam awareness also emerged.

While 36 per cent of Gen Z respondents said they are “very confident” in spotting scams, only 10% of Australians aged 80 and over said the same.

Older generations, including Baby Boomers and the Silent Generation, were far more likely to express only “somewhat confident” levels of scam recognition.

Australia Post is urging customers to use the official AusPost app for tracking deliveries and avoiding scams.

“We have over seven million customers using our app but there’s 14 million people that receive parcels. What we want to do is make sure that the rest of our customers are using that app. It will keep them safe,” Mr Cartwright said.

“We really are urging our customers to use the Australia Post application because that gives notifications outside of the SMS and iMessage, so it’s a safe way to know if your parcels being delivered and being tracked.”

AUSTRALIA POST WILL NEVER:

• Call, text or email you asking for personal or financial information including password, credit card details or account information
• Call, text or email you to request payment
• Ask you to click on a social media message to organise a courier for your online marketplace listings
• If you think you’ve fallen victim to a scam, contact iDCare on 1800 595 160.

TIPS NOT TO FALL FOR SCAMS

Spot the Scam

• Know the signs: Common scams include phishing texts, fake invoices and investment fraud.
• Go straight to the source: Don’t click on links in messages. Instead, visit the official website or call using a verified number.
• Think before you trust: Legit companies often say what they won’t ask for (like passwords). If they ask anyway — it’s likely a scam.

Take Action

• Don’t click, reply, or download anything suspicious.
• Think your information is at risk? Contact your bank immediately.
• Report scams to ReportCyber and Scamwatch to help protect others.

More Coverage

Ex-MP Wyatt Roy’s lucrative role in $730bn megacity

Charlotte Karp

Banned NDIS firm’s advice to disabled clients slammed

John Rolfe and Julie Cross