The growing popularity of online shopping has given cybercriminals a new method to target consumers. Security experts warn that fraudsters are increasingly collecting personal information from shipping labels attached to discarded parcel boxes and using it to lure victims into fake cashback, loyalty reward and discount schemes. Many consumers throw away delivery boxes without removing or destroying the shipping label, inadvertently exposing sensitive personal information to anyone who picks through the trash.
How a Discarded Box Becomes a Weapon
Shipping labels on e-commerce parcels typically carry a customer’s name, mobile number, complete address, email address and, in some cases, details of the purchased product. Criminals reportedly collect discarded boxes from garbage bins, recycling centres or scrap dealers and extract the printed information, before contacting victims while posing as representatives of well-known e-commerce platforms, courier companies or customer support teams.
Because the caller already possesses accurate details, the customer’s name, address and recent purchase history, the conversation feels genuine from the first sentence. Exploiting that trust, fraudsters offer fake cashback, loyalty rewards, gift vouchers or exclusive discounts on future purchases, and ask victims to complete a feedback survey or claim the offer by clicking a link sent via SMS, WhatsApp or email. Cybersecurity experts warn these links typically redirect to fraudulent websites designed to steal bank account details, card numbers, CVVs, internet banking credentials or OTPs, and in some cases can silently install malware capable of extracting saved passwords and messages directly from the victim’s phone.
Part of a Wider Family of Parcel-Based Scams
This label-harvesting technique is one strand of a much broader parcel fraud ecosystem that has grown alongside India’s e-commerce boom. In one recent case, a Bantwal woman lost ₹2.35 lakh after a caller claiming to represent DHL Express told her a parcel containing gold, an iPhone and ₹49 lakh in cash awaited her, provided she first paid a “clearance fee,” a demand she kept satisfying in instalments over several months even after taking a loan to afford the first payment.
Cash-on-delivery scams follow a related but distinct pattern, where fraudsters use leaked personal data to place unauthorised orders in a victim’s name, then either send junk merchandise or dispatch impostor delivery agents who collect payment for a parcel that was never genuinely ordered, exploiting the fact that COD transactions bypass the chargeback protections and fraud-detection systems built into digital payments. What connects the shipping-label scam to these other variants is the same underlying resource: personal data that feels too mundane to protect. Experts note that the entire fraud chain often begins with something most people consider worthless, a discarded cardboard box, illustrating how cybercriminals increasingly succeed not through technical sophistication but by exploiting everyday habits people rarely think to guard.
Expert Guidance on Prevention and Reporting
Prof. Triveni Singh, the former IPS officer and cybercrime specialist, said personal information has become one of the most valuable assets in the digital ecosystem, with cybercriminals routinely combining seemingly insignificant pieces of data to build detailed profiles of potential victims before launching highly convincing social engineering attacks. He warned that access to a person’s name, phone number, address and recent purchase history alone allows fraudsters to convincingly impersonate legitimate companies and manipulate consumers into revealing sensitive financial information.
He advised consumers to completely tear off, cut or scratch out shipping labels before disposing of parcel boxes, and recommended identity protection roller stamps to obscure sensitive printed details where possible. He also urged people to remain cautious of unsolicited cashback offers and promotional messages received through calls, SMS or messaging apps, never click unknown links or install apps at an unsolicited caller’s request, and always verify any promotional offer through a company’s official website or app rather than through a link received unprompted. Anyone who suspects cyber fraud should immediately report it through the National Cyber Crime Helpline at 1930 and the National Cyber Crime Reporting Portal, since prompt reporting significantly improves the chances of preventing financial loss and recovering stolen funds.
