How does the RCS group messaging delivery scam work?

Scammers send fake delivery notifications through Android RCS group messages, impersonating postal services like Macedonia Post. The messages claim there's a package waiting for delivery but incomplete address information is preventing delivery, urging recipients to click a link to update their information.

What are the warning signs of this delivery notification scam?

Warning signs include grammar errors indicating auto-translation, illogical delivery of individual package notifications to group chats, international phone numbers that don't match the claimed postal service location, and URLs that lead to suspicious domains through URL shorteners.

What information are the scammers trying to steal?

The attackers are attempting to steal personal information, card payment information, and possibly identity documentation such as passport or ID card details through fraudulent forms on fake postal service websites.

What was suspicious about the phone numbers in the reported scam?

The primary sender of the message used a Brazilian number (+55 21 92041-0984) and the group creator used an Ivory Coast number (+225 05 46 22 1252), which makes no sense for a message supposedly from Macedonia Post about a domestic delivery.

What should I do if I receive a suspicious delivery notification in a group chat?

Don't rush to click any links, never trust unexpected messages, verify independently by checking for packages via the official website of your postal service, and consider the context - international phone numbers and group chat messages make no sense for domestic postal services.

How can I verify if a delivery notification is legitimate?

Check for parcels via the official website and contact services of your postal service directly. Legitimate postal services typically send notifications through their official apps or to registered email addresses, not through random group chats with international phone numbers.

What makes Android RCS messaging attractive to scammers?

RCS messaging encryption makes detection more difficult for security systems, group messages appear more legitimate and trustworthy, and it's harder for users to report spam from group chats compared to traditional SMS or individual messages.

What was suspicious about the website in this delivery scam?

The link led via a URL shortener to kinohg.com/mkk/content, with a path suggesting Macedonia (mkk), indicating there may be other paths impersonating different postal services. The page layout, font colors, and rushed editing made no sense compared to legitimate postal service websites.

Are there likely other versions of this RCS delivery scam?

Yes, because there is a path in the URL related to Macedonia (mkk), it's very possible that there are other paths on the same server that impersonate different postal or parcel services targeting different countries or regions.

What should I never do when receiving unexpected delivery notifications?

Never click on links, open files, or call numbers in unexpected messages. Don't provide personal information, payment details, or identity documents through links received in unsolicited messages, especially those sent to group chats.

How can I protect myself from RCS group messaging scams?

Don't rush to respond to urgent-sounding messages, never trust unexpected notifications, verify all delivery claims independently through official channels, and always consider the context - legitimate postal services don't send individual package notifications to random group chats using international phone numbers.

What language was used in the reported Macedonia Post scam?

The message was in Macedonian, claiming to be a reminder from Macedonia Post about an undelivered package due to incomplete address information. However, the message contained grammar errors indicating it was auto-translated, with mistakes like using 'нашој' incorrectly.

Scam/Phishing

Parcel delivery scam using Android group messages

Q: Why are group messages used for this delivery scam?

Group messages appear more trustworthy than individual spam because members may think others in the group received legitimate notifications. It's also much harder to report spam from a group chat than traditional one-to-one messages, and encryption of these messages makes detection more difficult for security systems.

published: July 1, 2025

Take action: Don't rush! Never trust unexpected delivery messages in group chats, especially from foreign phone numbers - legitimate postal services don't operate this way. Go directly to your postal service's official website or call their official number to check if you actually have a package.

Learn More

An active delivery notification scam is impersonating postal services distributed through Android RCS group messaging. The attackers are attempting to steal personal information and potentially payment details by creating urgency around a fake package delivery.

The variant that was reported is a message in Macedonian, translating to:

"Reminder for Macedonia Post: Your package has been delivered to our warehouse, but we are unable to deliver it due to incomplete address information. Please carefully fill in the information and resubmit it. We guarantee that your package will be delivered within 24 hours of receiving the correct information. Click here to access your address."

There are some grammar errors in the code, indicating that the site is auto-translated ("нашој"). It's also illogical for a message about an individual package to be sent to a group chat, but the criminals don't care beause they hope someone will click on the link.

On top of that, the primary sender of the message is+55 21 92041-0984 (Brazilian number) and the group creator is +225 05 46 22 1252 (Ivory Coast number). None of this makes sense.

The link leads via a URL shortener to a site kinohg.com/mkk/content. Because there is a path in the url related to Macedonia (mkk), it is very possible that there are other paths that impersonate different posts or parcel services on the same server.

The page layout and font color make no sense compared to the original page. The page looks very rushed in editing, and probably nobody tested it.

The attackers are attempting to steal:

Personal Information
Card payment Information
Possibly Identity Documentation:

This vector of scam via a group message is effective because group messages appear more trustworthy than individual spam. Members may think others in group received legitimate notifications. It's also much harder to report spam from a group chat than traditional one-to-one messages. Encryption of these messages makes detection more difficult for security systems

How to stay safe:

Don't rush - nothing is too urgent
Never trust unexpected messages - don't click on any links, open files or call numbers in unexpected messages.
Verify independently - check for a parcel via the official website and contact services of your parcel services.
Consider the context - International phone numbers and messages in a group chat make no sense for domestic postal services

Parcel delivery scam using Android group messages

Read More
Disabled facebook account campaign tries to get users …
State-sponsored attackers conduct complex Social Engineering campaign targeting …
Threat group Educated Manticore targets academia and cybersecurity …
Online marketplace fake overpayment (payment hold) scam
Scammers use search forms to display fraudulent contact …