The FedEx Shipping Labels/Documents In PDF Format email scam is a phishing lure, not a real shipment notice. It usually claims that shipping labels, invoices, or delivery documents are attached as a PDF, but the attachment or link leads to an HTML login page that can steal email, FedEx, DHL, or payment credentials. A similar DHL Express Commerce version uses the same shipping-document pressure: open the document now, sign in, and review the delivery.
If you were not expecting the shipment, do not open the attachment and do not sign in through the message. Verify the shipment from a known FedEx or DHL website, not from the email link. If you already opened the file or entered a password, change that password from a clean device, revoke active sessions, enable multi-factor authentication, and scan the computer for downloaded files or browser changes.
What The Fake Shipping Email Is Trying To Do
This lure works because shipping emails feel routine. The FedEx version commonly frames the message as Shipping Labels/Documents In PDF Format and may use an HTML attachment with a name such as FedEx~Shipping invoice.html. The DHL copycat may mention shared documents, invoice payment, or a status update and push the reader toward a document page that asks for login details.
The key trick is the mismatch between the promise and the file. A message says PDF or document, but the user receives an HTML file, a browser login form, or a page hosted away from the real courier. FedEx and DHL both publish fraud guidance telling users to inspect suspicious links, attachments, sender addresses, and unexpected payment or account requests instead of trusting the brand name alone [1] [2].
Example Of The Fake Email Wording
The exact sender, tracking number, and attachment name can change, but these fake shipping-document emails usually use short wording that pushes you to open a document or sign in quickly. The screenshots below are illustrative mockups so you can recognize the pattern without opening a real suspicious attachment.
A FedEx-themed version may look like this:
Subject: FedEx - Import Invoice AWB# 869696171534
From: FedEx Shipping Team <[email protected]>
Hello,
Please find attached your Shipping Labels/Documents in PDF Format.
Open the attached invoice to review your delivery documents.
Thank you.
Attachment: FedEx~Shipping invoice.html
Button: View Shipping Documents
A DHL-themed version may use wording like this:
Subject: DHL Express Commerce Status Update
From: DHL Express Commerce <[email protected]>
Dear Customer,
You have received shared documents for DHL Express Invoice Payment.docx.
Click View Documents to sign in and review the shipment status.
Regards,
DHL Express Commerce
Button: View DocumentsDo not treat the exact words as the only warning sign. Scammers often rotate airway bill numbers, filenames, sender domains, and button text. The stronger clue is the behavior: an unexpected shipping document asks you to open an HTML file, sign in through a link, or review a document from a domain you did not choose yourself.
Red Flags In The FedEx And DHL Document Lures
| What you see | Why it is risky |
|---|---|
A shipping document is promised as a PDF, but the attachment ends in .html, .htm, .js, or a macro document type. |
Courier documents do not need a local HTML login trap. Opening it can launch a phishing page in your browser. |
| The message asks you to sign in before viewing a label, invoice, or delivery document. | The fake page is usually built to capture email, courier-account, or business-login credentials. |
| The sender display name says FedEx or DHL, but the actual address uses a free mailbox, unrelated domain, or misspelled company name. | Display names are easy to spoof. The real sending domain matters more than the visible name. |
| The link points to a file-sharing page, Firebase-style hosted app, URL shortener, or a domain that is not FedEx, DHL, or a known merchant you ordered from. | Scammers use neutral hosting to hide fake login pages and rotate them quickly. |
| The email threatens return-to-sender, customs delay, or account suspension unless you act immediately. | Urgency is used to stop you from checking the shipment through a trusted website. |
How To Verify A Real Shipment Safely
- Do not use the button or attachment in the email. Open a browser and type the official courier website yourself.
- Check the tracking number or airway bill from your order page, seller account, receipt, or the courier app. DHL says payment-related messages should contain a real airway bill number that can be checked through Track & Trace [2].
- If the email claims a missed delivery, compare it with the order status at the store where you bought the item. The FTC warns that fake shipping notifications often send users to look-alike pages that collect personal or financial data [3].
- For a business shipment, ask the sender through a separate known channel whether they sent documents. Do not reply to the suspicious email.
- Report the message to the courier using its official fraud-reporting instructions, then delete it after preserving a copy if your workplace needs it for security review.
What To Do If You Opened The Attachment Or Entered Credentials
If you only previewed the email and did not open the attachment, deleting and reporting it is usually enough. Take stronger steps if you opened an HTML file, downloaded a document, typed a password, or submitted payment details.
- Close the fake page and disconnect the account path. Do not try to test the login again. If you used a work account, tell your IT or security team immediately.
- Change the password from a clean device. Start with the email account or business login you entered. If that password was reused anywhere else, change those accounts too.
- Sign out active sessions and revoke app access. Check account security pages for unknown sessions, forwarding rules, inbox filters, OAuth apps, and recovery-email changes.
- Turn on multi-factor authentication. Use an authenticator app or hardware key when available. SMS is better than no MFA, but it is not the strongest option.
- Call the bank or card issuer if payment data was entered. Treat even a tiny delivery fee as a card-theft risk.
- Scan the computer if a file was opened. HTML phishing files often only steal credentials, but document lures can also download scripts, extensions, or bundled malware. Download Gridinsoft Anti-Malware from gridinsoft.com/antimalware, run a full scan, remove detections, reboot, and rescan if browser pop-ups, redirects, or security warnings return.
A phishing attachment can leave more than a stolen password if it launched a browser prompt, script, extension, or secondary download. Scan when the fake document opened from Downloads, Temp, a mail client cache, or a browser profile folder, especially if you later see redirects, new extensions, or repeated security-tool alerts.
If the page or email made you download an invoice, coupon, tracking app, browser extension, or support tool, scan the PC before opening it again or logging into sensitive accounts.
Scan after opening a fake shipping documentHow This Differs From The FedEx e-Order XLS Virus
This article covers a fake shipping-document login lure: the main risk is credential theft, session theft, and possible secondary downloads after opening a fake HTML or document page. Gridinsoft already covers the separate FedEx e-Order Notification email virus, which is a malicious Excel attachment lane. If your email mentions fedex_awb, an XLS/XLSM file, or enabling spreadsheet content, read that guide instead.
For a broader checklist of sender, link, attachment, and urgency clues, use the Gridinsoft guide on how to spot a phishing email. If the scam collected identity details, not just a password, follow the identity theft response checklist as well.
How To Reduce Repeat Shipping-Scam Emails
- Use separate aliases for shopping accounts and business shipping workflows so suspicious delivery emails are easier to spot.
- Keep courier apps and merchant accounts bookmarked instead of searching or clicking email buttons under pressure.
- Disable automatic HTML attachment opening in mail clients where possible.
- Train staff to verify unexpected invoice, label, and shared-document messages through a separate channel.
- Use a password manager so fake login pages stand out: the manager should not autofill credentials on unrelated domains.
FAQ
Is the FedEx Shipping Labels/Documents In PDF Format email real?
Treat it as suspicious unless you can verify the shipment through FedEx, the merchant, or a known sender. A promised PDF that arrives as an HTML attachment or opens a login page is a strong phishing sign.
Can opening the HTML attachment infect my computer?
Many HTML attachments are built to steal credentials rather than install malware, but you should not assume it is harmless. If the page triggered a download, browser prompt, extension install, or security alert, scan the device and check browser settings.
What if I entered my work email password?
Change it from a clean device, notify IT or the mailbox owner, sign out other sessions, remove suspicious forwarding rules or OAuth apps, and enable MFA. Business mailboxes are often used for invoice fraud after compromise.
Does DHL really send document or payment emails?
DHL can send legitimate shipment and payment notifications, but suspicious links, unknown attachments, missing or invalid airway bill numbers, and non-DHL sender domains are warning signs. Verify through DHL tracking or official support instead of the email link.
Should I call FedEx or DHL?
If you are expecting a package and the email might relate to it, contact the courier or merchant through a phone number or website you already trust. Do not use phone numbers, links, or reply addresses from the suspicious message.
References
- FedEx. “Report Fraud.” FedEx, accessed June 18, 2026. https://www.fedex.com/en-us/report-fraud.html
- DHL Express Netherlands. “How to recognize fraudulent email or text.” DHL Express, accessed June 18, 2026. https://www.dhlexpress.nl/en/helpdesk/fraude
- Federal Trade Commission. “Fake shipping notification emails and text messages: What you need to know this holiday season.” FTC Consumer Advice, December 13, 2023; accessed June 18, 2026. https://consumer.ftc.gov/consumer-alerts/2023/12/fake-shipping-notification-emails-text-messages-what-you-need-know-holiday-season
