Warning | Other

Fake DHL "package on hold — pay customs duty / redelivery fee" notice sent from a non-DHL domain demanding card payment via embedded link — credential-harvest and card-skim cross-domain phish; real DHL customs duties are collected through authenticated DHL customer portals. Real DHL mail originates from dhl.com / dhl.de / mydhl.com only.

dhl-redelivery-fee-cross-domain

What this tier means

Warning signal — bulk / marketing / mild spam. Contributes to the trash score but is not by itself sufficient.

How Gorganizer detects this

This signal fires on fake DHL "package on hold" notifications that ask the recipient to pay a customs fee, duty surcharge, or redelivery fee to release a shipment. The message comes from a non-DHL sending domain (From / Reply-To / link domains do not align with dhl.com / dhl.de / mydhl.com / dhlecommerce.com) and demands payment through an off-domain link. It is a credential-harvest and card-skim cross-domain phish targeting recipients of international parcels.

Real DHL redelivery and customs-fee communications come from dhl.com / dhl.de / mydhl.com / dhlecommerce.com with DMARC-aligned signing; customs duties are collected through authenticated DHL customer portals, never via cold-email links demanding small one-off payments. DHL impersonation is a top-3 carrier phishing lure globally per APWG 2024 Q4 and Vade 2024 Phishers Favorites because international-shipment customs anxiety drives high click-through.

This signal is distinct from usps-redelivery-fee-cross-domain (USPS / domestic US) and fedex-tracking-cross-domain (FedEx): it targets the DHL / customs-fee / duty / international-shipment-on-hold pretext with an off-domain href.

Detection: DHL brand vocabulary + customs / duty / redelivery / shipment-on-hold urgency + sender or link domain ≠ dhl.com / dhl.de / mydhl.com + no DMARC alignment.

Trash score: +5.

Source: GC1-R32; APWG 2024 Q4 Phishing Activity Trends; Vade 2024 Phishers Favorites (DHL top-3); DHL Group anti-phishing guidance; ENISA shipping-carrier impersonation report 2024.
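The detection rule above, sketched as an added example; this is not Gorganizer's own code. The function names, the pretext keyword list, and the reliance on an Authentication-Results header stamped by the receiving server are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

DHL_DOMAINS = ("dhl.com", "dhl.de", "mydhl.com", "dhlecommerce.com")  # listed on the page
BRAND = re.compile(r"\bdhl\b", re.I)
PRETEXT = re.compile(r"customs|duty|redelivery|on hold", re.I)  # assumed keyword list
HREF = re.compile(r"href=[\"']([^\"']+)", re.I)
WEIGHT = 5  # trash-score contribution stated on the page

def is_dhl(host):
    """True only for a listed domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DHL_DOMAINS)

def addr_domain(value):
    return parseaddr(str(value or ""))[1].rpartition("@")[2]

def score(raw):
    """Return the signal's contribution (0 or WEIGHT) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = f"{msg['Subject'] or ''} {msg['From'] or ''} {body}"
    if not (BRAND.search(text) and PRETEXT.search(text)):
        return 0
    from_dom = addr_domain(msg["From"])
    senders = [from_dom] + ([addr_domain(msg["Reply-To"])] if msg["Reply-To"] else [])
    links = [h for h in (urlparse(u).hostname for u in HREF.findall(body)) if h]
    off_domain = any(not is_dhl(h) for h in senders + links)
    # Assumption: Authentication-Results was stamped by the receiving server.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    aligned = "dmarc=pass" in auth and is_dhl(from_dom)
    return WEIGHT if off_domain and not aligned else 0

def sample(from_addr, link, dmarc):  # builds a constructed test message
    return (f"From: DHL Express <{from_addr}>\n"
            f"Authentication-Results: mx.example; dmarc={dmarc} header.from={from_addr.split('@')[1]}\n"
            "Subject: Your package is on hold\nContent-Type: text/html\n\n"
            f'<p>Pay the customs duty to release it: <a href="{link}">Pay now</a></p>\n')

PHISH = sample("notice@parcel-release.example", "https://dhl.com.parcel-release.example/pay", "none")
REAL = sample("noreply@dhl.com", "https://mydhl.com/track", "pass")
```

Matching on the registrable suffix rather than a substring is what keeps a lookalike host such as dhl.com.parcel-release.example from passing as DHL.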

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a warning-tier signal — bulk / marketing / mild spam. It contributes to the trash score but never triggers deletion on its own. Gorganizer requires multiple signals + a margin over the safety floor before any email is moved to trash.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
