The message, shown on the side, refers specifically to a parcel awaiting delivery. The recipient is notified that it was not possible to deliver the parcel because no one was present to sign for it, so it was returned to the warehouse.
The recipient is therefore informed that in order to request a new delivery, a fee will be charged via the following link:

Click here

We can see that the message is very short and lacks information that would allow us to identify what delivery it refers to.
When we examine the email, we also see that it comes from an email address <hrvatska-hr(at)e-mail(dot)info(dot)com>  clearly not linked to the GLS courier service. This is highly unusual and should make us very suspicious. GLS is clearly not involved in sending these malicious mass emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
To avoid any misunderstanding, this is in fact a phishing attempt aimed at stealing your personal data.
So keep your eyes open... to avoid unpleasant inconveniences, all you need is a little caution and a quick glance.

16 November 2025 ==> Phishing Email Account

SUBJECT: <The password for ***** expires today!>

Below, we analyse a phishing attempt that aims to steal the email account credentials of the victim.

The message informs the recipient that his/her email account password expires today and invites him/her to update his/her password before the expiry date, in order to avoid service interruptions, via the following link:

CONFIRM NOW

When we analyse the message we see that it comes from an email address <welcome(at)cantinhomercado(dot)com>, which clearly cannot be traced back to the email server. This is definitely unusual and should make us suspicious.

Anyone who unluckily clicks on the link will be redirected to a fraudulent web page that simulates the email account login page, but which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for malicious purposes.

14 November 2025 ==> Phishing Aruba - Renew your domain

SUBJECT: <Notice: your domain ***** has expired – renew now­­>

Phishing attempts, claiming to be communications from the Aruba brand, continue this month.

The message informs the recipient that his/her domain hosted on Aruba has expired. It then invites him/her to renew the domain at a cost of €5.99 via the following link in order to avoid service interruptions, incoming email blocking or loss of the domain:

Proceed to Renewal

Let's always be careful when asked to enter personal credentials via suspicious links sent by e-mail.
Clearly, the well-known web hosting, e-mail and domain registration company, Aruba, is not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

We immediately see that the email address of the message <emaa[at]laurapoggio[dot]eu> does not belong to the official Aruba domain. This is highly unusual and should make us suspicious.
The cybercriminal, to induce the victim to act quickly, allows little time to respond. This technique is clearly intended to intimidate the user, who, fearing that he/she will be unable to access his/her account and use the services linked to it, is prompted to act without paying due attention. 

Anyone who unluckily clicks on the  link, will be redirected to an anomalous WEB page,  which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.

9-11 November 2025 ==> Phishing customer survey: ESSELUNGA / DECATHLON

This month, we are once again seeing phishing campaigns themed around customer surveys that exploit the brands of well-known companies.  The brands exploited in these campaigns are clearly unrelated to the mass sending of these malicious emails, which are genuine scams whose aim remains, as always, to steal sensitive data from unsuspecting recipients. 
In the two examples shown, we can see that the emails come from addresses <Decathlon[at]eshopings[dot]click> and <Esselunga[at]promofryou[dot]space> clearly unrelated to the official Decathlon and ESSELUNGA  domains. This is definitely unusual and should  make us suspicious.

When we click on the links in the e-mail, we are directed to a landing page that may look graphically deceptive (with misleading images and the brand's authentic logo), but is hosted on an abnormal address/domain that is not  trustworthy or traceable to the exploited brand.

The cybercriminals behind the scam, in order to achieve their goal, use various tricks, such as reporting false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly, by making him/her believe that only a few can win, and that the offer expires today.
Surely if so many users were lucky why not take a chance?!

When the survey is completed, the user is usually sent to a page for the entry of the shipping address and subsequent payment of shipping costs.
The cybercriminals' purpose, is to induce the victim to enter his/her personal information to ship the prize and then, likely, also the credit card information to pay the shipping costs.

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.

09 November 2025 ==> Phishing NETFLIX

SUBJECT: <Payment failed notification – Update your Netfli account details>

We examine another phishing attempt originating from a fake communication from NETFLIX, the well-known streaming platform for films, television series, and other paid content, which aims to steal the credit card details of the victim.

The message informs the user that a problem has been encountered in processing the payment of €6.99 for his/her subscription. In order to continue using the service without interruption, he/she is asked to log into his/her account and update his/her payment details via the following link:

Update data

When we examine the email, we notice that the message comes from an email address <evaan(at)laurapoggio(dot)com> that cannot be traced back to the official NETFLIX domain. This is definitely unusual and should make us suspicious.

Anyone who unluckily clicks on the Update data link, will be redirected to a web page unrelated to NETFLIX, which aims to obtain your most valuable data for criminal purposes.

06 November 2025 ==> Phishing Aruba - Payment confirmation

SUBJECT: <Order Payment Confirmation No. MO19830945>

This month, we once again encounter phishing attempts pretending to be communications from the Aruba brand.

The message informs the recipient that the payment for the order <<No.: MO19830945 / Hosting + Dominio>> is under verification.
It therefore invites him/her to complete the procedure and confirm the activation of the Aruba service via the following link:

Customer Area

The well-known web hosting, e-mail and domain registration company Aruba is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

When we examine the email, we immediately notice that the alert message comes from an address <esposto(at)avvocatinetwork(dot)it> that clearly does not belong to the official Aruba domain. Therefore,  we should always use great caution before clicking on suspicious links.

Anyone who unfortunately clicks on the Customer Area link, will be redirected to the web page displayed.
On this page, the user is invited to log in to his/her customer area by entering his/her username and password in order to pay the invoice and thus reactivate the suspended services.

Although the site may be misleading because it features the well-known Aruba logo, we see that the URL address in the browser bar is unusual and does not correspond to the official domain of the company:

https[:]//[FakeDomainName*]

If we enter our data on fake websites, it will be sent to the cybercriminals behind the scam, who will use it for criminal purposes. We therefore urge you not to rush and to pay attention to every detail, even the most trivial ones.

02 November 2025 ==> Phishing PayPal

SUBJECT: <Suspicious transaction detected – confirm activity>

Below, we analyse another phishing attempt that aims to steal login credentials for PayPal accounts, the well-known US digital payments company..

The message informs the recipient that a suspicious transaction of € 893.20 has been detected on his/her account and that his/her account has been temporarily restricted for security reasons. We see that the well-known e-commerce site Amazon is mentioned, as well as an ID relating to the transaction. To authorise or block the transaction, the following link is provided:

Verify transaction

When we examine the message we see that comes from an email address <noreply[at]raws-84373[dot]firebaseapp[dot]com> clearly not linked to the PayPal official domain. This is highly unusual and should make us suspicious.
Anyone who unfortunately clicks on the link, will be taken to the screen shown in the image at the side.
As we can see, users are redirected to a site that graphically simulates the PayPal login page but is hosted on an abnormal address/domain.

Given these considerations, we advise you to NEVER enter your credentials on websites whose origin you do not know, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks easily imaginable.

01 November 2025 ==> Phishing PayPal

SUBJECT: <Reminder: complete your online identification>

Below, we analyse another phishing attempt that aims to steal login credentials for Paypal accounts, the well-known US digital payments company.

The message informs the recipient that, as confirmation of his/her identity has not yet been received, he/she must identify himself/herself online by accessing his/her Paypal account to avoid the blocking of online banking services by 2 November. A code is provided to be entered for identification purposes, which is valid for 24 hours, after which the account will be blocked. To verify their identity, users are asked to click on the following link:

https://www[dot]paypal[dot]com/id[=]9173100143962

When we examine the message, we see that it has an email address <postmaster[at]49b4168fc7[dot]nxcli[dot]io>  clearly not linked to the official Paypal domain. This is highly unusual and should make us very suspicious.
Anyone who unfortunately clicks on the link, will be taken to the screen shown in the image at the side.
As we can see, users are redirected to a site that graphically simulates the Paypal login page but is hosted on an abnormal address/domain.

Given these considerations, we advise you to NEVER enter your credentials on websites whose origin you do not know, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks easily imaginable.