NZ Post Scams: A little bit of Activism
Mark Honeychurch - 14 April 2025
Last week I received a text supposedly from NZ Post (sent from linsystefanoq@resquar.help as an iMessage, rather than an SMS message):
New Zealand Post / NZ Post
Your package has arrived at the delivery point but cannot be delivered due to inaccurate address information. Please provide the correct address details.
(Reply with “Y,” then exit this message. Reopen it, click the link, or copy it into your browser to proceed.)
Yep, these attempts are getting pretty commonplace these days - scammers pretending to be a courier or postal company, telling you there’s a problem with a parcel being sent to you, and then convincing you to hand over some money to get your parcel unstuck. One thing that was a little interesting about this one is the instruction to reply to the message and close the message before clicking the link. I’m assuming that on some Android phones, doing this will signal to the phone that you trust the sender, and the phone won’t attempt to stop you clicking on the link.
However, these scammers are still not very good at emulating NZ Post’s text messages - which always seem to start with “NZ Post here”, and are short and informal. For example, here are three real NZ Post text messages I’ve received over the last couple of years:
NZ Post here. We expect to deliver your parcel from Heathcote Appliances between 07:30am-02:30pm today. Won’t be there? If you’d like us to leave it, reply LEAVE & tell us where. T&Cs apply nzp.st/xxxxx Txt&data rates may apply.
NZ Post here. We expect to deliver your parcel from Noel Leeming between 9:00am and 4:00pm today. Track parcel nzp.st/xxxx Data rates may apply.
NZ Post here. Your parcel XXX83000XXX95201WLG00XXX from Noel Leeming has been delivered.
Anyway, I decided that I was going to do something about these scammers, and see if I could get the domain name the scammers are using, tracks5.icu, taken away from them. So, after a quick google search (for “icu tld owner”), I found myself on the ICANN Wiki reading this:
.icu is a Generic TLD delegated in ICANN’s New gTLD Program. ShortDot SA manages the TLD and is its registry. The proposed application succeeded and was delegated to the Root Zone on 02 May 2015.
Awesome - off I went to the ShortDot website. Thankfully the site has a link in its footer to Report Abuse, so I filled in the form it sent me to and submitted it:
You can see that I tried to supply as much information as possible, just to be sure to help them out the best I could. Although I haven’t received any kind of response from ShortDot, when I tried to load the website recently it failed to load.
Looking into this, There’s no longer any DNS entry for the main domain, so the website’s definitely down - but sadly ShortDot’s whois service (which you can use to find out who currently owns a domain) doesn’t work, so I can’t find out if the domain’s still registered to the scammers or if ShortDot has taken it away from them. Maybe my reporting of this domain played a part in getting it taken down, but it seems unlikely.
If you receive a message and you’re not sure if it’s from NZ Post, the safest thing to do is to ring them up on the number on their website and ask. NZ post also has a frequently updated list of scams and the domain names they use on their website, along with some useful advice on how to spot a scam:
Scams, made to look like they are coming from NZ Post, may come in a text message, email, phone call or letter. The aim is to gain access to your personal or financial information or exploit you for financial gain.
NZ Post will never:
Ask for any of your personal information by email or text (including usernames, financial information including password, credit card details or account information).
Send you an email from a domain other than nzpost.co.nz.
Send you a text message from a phone number outside of New Zealand.
Use a messaging app like WhatsApp to communicate with our customers.
Hints that it’s a scam:
The email address is wrong - our emails always end in ‘@nzpost.co.nz’.
The website link is wrong - it will always link to ‘nzpost.co.nz’ or ‘http://nzp.st/’ which is the short link we often use to link to our website.
The text message is sent from an overseas phone number.
Sure enough, the latest scam listed on that NZ Post page is the one I received:
3 April 2025: Scam email (update on 28/03)
We expect a high volume of similar scam emails, affecting IOS users, to come from the following sources:
link2parce.icu/n1z
tracks1.icu/n1z
tracks3.icu/n1z
tracks9.icu/2nz
track2s.icu/2nz
tracks5.icu/2nz
tracks11.icu/2nz
tracks7.icu/2nz
track1s.icu/2nz
tracks6.icu/2nz
tracks8.icu/2nz
tracks4.icu/2nz
Around the same time as this scam I received another text message (this time, from ramonreyesc29456@outlook.com.gr), with the exact same modus operandi, just a different domain and altered wording:
NZ Post Notification
Dear Customer,
We attempted to deliver your package but could not complete the delivery due to incomplete address details (missing house number).
To update your address and schedule redelivery, please use the secure link below:
Once your address has been updated, we will reattempt delivery at the earliest opportunity.
If you have any questions or require assistance, please contact our customer service team.
(Please reply to Y, then exit the SMS, open the SMS activation link again, or copy the link to Safari browser and open it)
Best regards,
NZ Post Customer Support Team
This domain is unfortunately still operating, so I may have to go through the same thing all over again. At least Google’s scam-protection mechanism is in place and working for this domain, and they intercepted my attempt to open the link:
