Breachroad

The 'pay a small fee' parcel smishing, explained

A fake SMS about a delivery surcharge is one of Poland's most common phishing scenarios. We break it down and explain why the tiny fee is deliberate.

Karol Rapacz
20 May 2026 · 5 min read

“Your parcel is waiting for delivery. A surcharge of 0.70 is required.” Almost everyone in Poland knows this SMS by now. It’s one of the most mass-produced smishing scenarios out there — and although it looks trivial, every detail of its design is deliberate.

Why the amount is so small

A fee of well under a euro is no accident. The point is to switch off your caution. Nobody scrutinises a 70-cent charge the way they would a 500 PLN one. The victim thinks “not worth the hassle, I’ll just pay it”, clicks, and enters their card details on a fake payment gateway. And the real goal was never that tiny amount — it’s capturing the card details or, in newer variants, adding the card to the criminal’s digital wallet.

The small amount serves another purpose too: it lowers the chance that the bank will flag the transaction as suspicious.

The elements that keep repeating

Courier campaigns vary by brand (InPost, DHL, the national post, “courier”), but the mechanics are shared:

  • A logistics pretext — something many people are genuinely expecting (a parcel on its way).
  • Pressure — “the parcel will be returned to sender”, “final delivery attempt”.
  • A link to a domain impersonating the carrier, often with a small typo or an extra element (inpost-surcharge.info instead of the official domain).
  • A fake payment gateway mimicking a real processor.

How to tell a genuine notification apart

Courier companies communicate surcharges and customs fees in their app or by email from your account, not through a random SMS with a link to pay by card. You can always check a tracking number yourself — by going to the carrier’s official site typed in manually, not from the link.

A practical test: before you click, read the full domain in the address. The host name, that is everything between https:// and the first single / after it, must end with the company’s real domain. inpost.pl.track-id.co is the domain track-id.co, not InPost.
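The same right-to-left reading of the host name, automated for a mail or SMS filter. This is an added example, not code from the article or from any carrier; the allowlist content, the function names and the sample links are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example; fill it with the carriers' real domains.
OFFICIAL_DOMAINS = {"inpost.pl"}

def host_of(url: str) -> str:
    """Return the lower-cased host name of a link, or '' if there is none."""
    if "://" not in url:
        url = "https://" + url           # SMS links often omit the scheme
    host = urlsplit(url).hostname or ""  # drops any user@ prefix and :port
    return host.rstrip(".").lower()

def matching_official_domain(url: str, official=OFFICIAL_DOMAINS):
    """Return the official domain the link really belongs to, else None.

    The host must equal the domain or end with '.' + domain, so the
    comparison is made on whole labels read from the right-hand side.
    """
    host = host_of(url)
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def lookalike_of(url: str, official=OFFICIAL_DOMAINS):
    """Return the official domain a non-official host imitates, else None."""
    if matching_official_domain(url, official):
        return None
    host = host_of(url)
    for domain in official:
        if domain.split(".")[0] in host:  # brand label appears somewhere
            return domain
    return None

# Constructed sample links (the first two hosts are the article's examples).
SAMPLE_LINKS = [
    "https://inpost.pl.track-id.co/pay",
    "inpost-surcharge.info/doplata",
    "https://inpost.pl@track-id.co/pay",
    "https://evilinpost.pl/",
    "https://tracking.inpost.pl/x",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", host_of(link),
              "| official:", matching_official_domain(link),
              "| imitates:", lookalike_of(link))
```

Only the last sample link passes; the others either put the brand to the left of the real domain or merely contain it as a substring.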

Defence in practice

The rule is simple and effective: don’t pay from a link in an SMS. If you’re expecting a parcel, open the carrier’s app. Turn on push notifications and limits in your bank, use virtual cards for online payments (they’re easy to cancel), and forward suspicious messages to CERT Polska — that gets the domains onto the warning list faster.

Parcel smishing is a textbook example that social engineering beats technology. There’s no flaw in your phone here — just a well-chosen pretext and our own hurry.

Similar campaigns regularly reach work phones too. If you want to check how your team responds to smishing, see our social engineering tests and training or drop us a line.

Sources and further reading: CERT Polska warning list, Niebezpiecznik, CERT Orange Polska. Report a fake SMS to 8080.
