Common scam: Package scam ("package waiting, pay a small delivery fee")

Common scam: Package scam

You ordered something from an online store. Maybe from us, maybe elsewhere. A couple of days later, a message pings your phone: "Your package is at customs. Pay a €2.50 customs fee and the delivery will continue." A link follows. Your brain switches to autopilot: you were expecting that order, so let's just get that two and a half euros out of the way.

Don't click. It's not Posti, not DHL, and not Valco. It's a scammer.

These are sent in bulk precisely because online ordering is common, and some messages inevitably hit the right person at the right moment. Someone is currently waiting for a package and, in a panic, pays that €2.50 with their credit card. Then €2,500 is withdrawn from the card.

What's this about?

Phishing. Criminals send millions of these and hope that even a fraction of a percent will click. Messages today look convincing. The logo looks real, the Finnish reads fine (thanks to translator bots), and the amount is so small that your brain doesn't trigger an alarm. Their goal is your credit card details or online banking credentials.

Tips for recognizing it

• The sender's number or address is strange. Posti does not send messages from a +44 number or from an address that isn't 100% definitely correct.
• The link leads somewhere other than the official site. Hover over the link without clicking. If the address is anything other than posti.fi, dhl.com or similar, it's a scam.
• Payment is requested before delivery. For domestic Finnish shipments, you don't pay small fees afterward. For shipments from outside the EU, customs will contact you, but not by text message.
• The message demands urgent action. "Pay within 24 hours or the package will be returned." A legitimate logistics company does not behave like this.
• You're not actually expecting any package. The easiest one to spot. If the message arrives out of the blue, it's a scam.

The hardest time is when you really are expecting a package. That's when the scammer hits the sweet spot. Keep a cool head and check your order status directly with the store.

What to do

1. Don't click the link. Not at all. Not out of curiosity.
2. Don't enter any information anywhere.
3. Check your order status directly on the online store you ordered from. Your orders with us are visible at valco.fi or via the tracking link in your order confirmation email.
4. If in doubt, call Posti or ask the online store. You'll find the number on the official site, not in the scam message.
5. Delete the message. If you wish, you can report it to the Cyber Security Centre.

If you clicked and already entered card details

1. Call your bank and block the card. Immediately. At night, on weekends, on holidays. The blocking service is always on call.
2. Change the passwords for any services where you use the same password.
3. Enable two-factor authentication on every service that offers it.
4. Monitor your bank account for the next few weeks.
5. File a police report. You rarely get your money back, but the statistics grow, and that matters.

What if the message claims to be from Valco?

We do not send text messages asking you to pay anything before the package ships. The order confirmation comes by email, and after that you'll receive a tracking message from our logistics partner. If something looks odd, send a message to info@valco.fi and we'll check it together.

Information security isn't exactly our core competence. Our core competence is headphones and funding the Death Star. But we'd rather get one unnecessary email than you end up with an empty bank account.