BEC stands for Business Email Compromise — a type of cybercrime where attackers gain access to or spoof a legitimate business email account in order to defraud a company or its clients. Surveys show that 22% of South African firms reported cyber incidents and intercepted emails in the past five years. (*Source AON Cyber Risk Survey 2024)
As e-commerce and logistics grow, so does the sophistication of criminals. Courier fraud is becoming alarmingly common, costing companies and customers millions in losses annually.
Courier fraud isn’t just about stolen parcels—it undermines trust across the entire logistics and e-commerce ecosystem. Whether you’re a courier business, an online seller, or a customer, you play a role in stopping these scams.
In this post, we explore how these fraud schemes work, share real-world examples, and offer practical steps to protect your business or personal shipments.
Criminals are exploiting weaknesses in courier processes, communication, and payment verification. The three most common types of fraud include:
1. Email Hacking and Address Manipulation
The scam: Fraudsters hack into the email communications between a seller and a buyer either by phishing, malware, or exploiting weak email security—to monitor communications between the seller and buyer or courier .
Once they gain access, they monitor conversations and wait until a shipment is arranged. Then, they contact the courier company pretending to be the buyer and request a change of delivery address.
They can subtly alter documents or links, and then redirect both communication and funds—or delivery—without detection.
Real-world example:
A Johannesburg-based electronics reseller sent R45,000 worth of mobile phones via a well-known courier. The buyer’s email had been compromised, and the fraudster redirected the parcel to a different suburb. By the time the real buyer followed up, the package had been delivered and disappeared.
2. Fake Identity and Waybill Collection
The scam: Criminals get hold of a legitimate waybill or tracking number, usually through phishing or insider access. They arrive at a courier branch with forged ID and collect the parcel by impersonating the real recipient.
Real-world example:
In Durban, a courier company released a high-value camera to someone who presented a matching ID and waybill. The consignee arrived at the courier early in the morning and had all the waybill details and a fake ID. The real recipient arrived hours later, only to find the package had already been collected by an imposter.
3. Fake Proof of Payment (POP) Trick
The scam: A fraudster contacts a business to purchase goods and sends a fake bank proof of payment, typically late on a Friday or over a weekend. The business, eager to ship, releases the goods. When the banks reopen, the payment is found to be fraudulent.
Real-world example:
A Cape Town furniture store received a proof of payment for a R28,000 couch. The courier released the item Saturday morning. On Monday, the bank confirmed no payment had been made. The goods—and the buyer—were untraceable.
Other forms of BEC Scams :
Smishing (SMS phishing):
You received a fake SMS claiming to be from XYZ Couriers about “outstanding fees.”
“You have a package with unpaid customs/delivery fees: Click here to pay R16”).
These messages often spoof a real sender ID (e.g., “RAM”, “SAPO”, or “DHL”) or appear alongside real ones in your SMS thread.
Example:
“Your package is pending. Pay R16 for customs at [XYZ-courier-tracking.co.za]. Failure to pay will return item.”
Phishing site mimicking Courier’s portal:
You clicked a link to a cloned site, possibly with a domain like TCG-courier.xyz or similar.
- The link leads to a fake website that mimics the branding of existing couriers like TCG,RAM, DHL, or Aramex.
- The user sees:
- A tracking number.
- “Urgent” customs/delivery fee.
- Payment form that looks like PayU, Ozow, or PayFast.
- Example:
- Site might be ram-couriersa.org or dhl-payments.co — slight variations on real URLS.
Fake PayU gateway:
The payment portal imitated PayU or another trusted payment service but was controlled by fraudsters.
- The payment portal requests full card number, expiry, CVV, and sometimes OTP.
- Victim pays the fake R16, receives a success confirmation.
- Meanwhile, details are sent to fraudsters who:
- Immediately drain the account (often within minutes).
- Use bots or mule accounts to make rapid transactions.
Once you entered your full card details (incl. CVV), they made a large unauthorized debit—typically via online merchants or crypto platforms.
Further Social Engineering
- Some scammers escalate by calling victims, pretending to be:
- Courier customer service.
- Bank fraud department.
- SAPS or SARS, claiming illegal packages.
- Victims are pressured to “verify” their ID, location, or OTPs — giving more access.
🔎 Example:
“This is Sergeant Dlamini of the SAPS. A parcel in your name from Dubai contains narcotics. We need you to verify your identity and pay a clearance fee now or face arrest.”
How to combat BEC Scams
Courier companies and businesses can take the following steps to reduce fraud:
1. Never trust emails alone
- Always confirm changes to delivery addresses or recipient names using a secondary method (e.g., phone call to a known number).
- Use email authentication tools like SPF, DKIM, and DMARC to reduce spoofing.
SPF (Sender Policy Framework)
- What it does:
SPF specifies which mail servers are allowed to send email on behalf of your domain. - How it works:
When an email is received, the recipient’s mail server checks the SPF record (published in your domain’s DNS (Domain Name System)) to see if the sending server is authorized. If not, the email can be flagged or rejected.
DKIM (DomainKeys Identified Mail)
- What it does:
DKIM adds a digital signature to every outgoing email. This signature is tied to your domain and ensures the email was not tampered with during transit. - How it works:
The receiving server uses your public DKIM key (stored in DNS) to verify the email’s signature. If the contents or headers were altered, the signature will not match, and the email will fail DKIM.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
- What it does:
DMARC tells receiving mail servers what to do if an email fails SPF or DKIM (e.g., reject it, quarantine it, or allow it), and it allows domain owners to receive reports on fraudulent activity. - How it works:
You create a DMARC policy (published in DNS) that says, for example:
“If an email fails SPF and/or DKIM, reject it. And send me a report about it.”
2. Enforce strict ID and collection policies
- Only release parcels to the verified person on the waybill.
- Record ID, take a photo, and require a one-time PIN (OTP) for collections.
3. Do not release goods on Proof of Payment alone
- Always wait for cleared funds in your bank account—especially over weekends or holidays.
- Use bank APIs or real-time payment systems where possible.
4. Train staff on red flags
- Last-minute address changes, rushed collections, or unusual customer behaviour should always raise suspicion.
- Staff should have authority to delay shipments pending verification.
5. Use secure tracking systems
- Offer a secure portal for tracking and update requests—do not rely solely on email or phone instructions.
As courier fraud becomes more sophisticated, businesses must move faster to stay ahead. That means smarter verification, tighter controls, and better staff training. If you’ve been a victim or have tips of your own, share them in the comments—awareness is the first step toward prevention.