Buffalo Logistics SMS Scam: A Forensic Deep Dive into the R18.99 "Delivery Fee" Phishing Funnel
- May 11
- 3 min read
It starts with a simple buzz on your phone. At 08:40 on a Tuesday morning, a message arrives: “BUFFALO: Dear Customer, Your shipment Ref:AK6UTB has arrived at our local facility. To proceed kindly pay R18.99 fee to complete delivery…”
For millions of South Africans who regularly shop online via platforms like Temu, Shein, or Takealot, the timing feels remarkably accurate. However, behind this routine notification lies a sophisticated phishing funnel designed not just to steal small "delivery fees," but to hijack your banking credentials and personal identity.
THE ANATOMY OF THE "LOW-RESISTANCE" SCAM
The core effectiveness of this attack lies in its familiarity and "low resistance". R18.99 feels harmless and routine, which is exactly why it works. By using a small amount, scammers lower your psychological guard enough to proceed to the next stage of the funnel.
FORENSIC BREAKDOWN: HOW THE FUNNEL OPERATES
Social Engineering via Smishing: The campaign utilizes "smishing" (SMS phishing) to mimic legitimate courier brands. Forensic analysis by SA Digital Forensics & Investigations (SA-DFI) suggests that these messages often arrive shortly after real orders are placed, indicating potential data exposure or leaked logistics data within the e-commerce supply chain.
The Cloned Payment Portal: Clicking the link (often a URL shortener like did.li, used to hide the fraudulent destination) takes the victim to a counterfeit/fake site. These portals feature professional visual deceptions, including progress trackers, fake shipment data, and dynamic timestamps, all designed to create a false sense of security.
Credential and Identity Harvesting: Victims are prompted to enter highly sensitive data, including their full name, ID number, card details, and critically their One-Time PIN (OTP).
THE DANGER: IMMEDIATE FINANCIAL THEFT
Once the data is captured, scammers perform rapid account draining and fraudulent transactions. Beyond the immediate financial loss, captured ID numbers and phone numbers are often sold or used for secondary identity theft schemes. The infrastructure used to include cloud hosting and lookalike domains suggests these are coordinated operations by organized criminal syndicates rather than isolated individuals.
SA-DFI RED FLAG CHECKLIST
Before interacting with any delivery notification, use this checklist to protect your assets:
URL Verification: Does the link lead to an official courier domain (e.g., buffalologistics.co.za), or is it a shortened or random link (bit.ly, did.li)?
Payment Policy: No legitimate South African courier will ever ask for payment via an SMS link.
Sensitive Info: Are you being asked for your ID number or OTP on a payment page? These are major red flags.
Generic Greetings: Scams often use generic greetings like "Dear Customer" instead of your specific name.
WHAT TO DO IF YOU ARE TARGETED
If you receive the message, do not click the link. Delete the message, block the sender, and report the number.
If you have already entered your details, act immediately:
1. Call your bank's fraud department to block your card and monitor transactions.
2. Change your banking credentials and passwords.
3. Enable transaction alerts and consider using virtual cards for future online shopping.
PROFESSIONAL FORENSIC SUPPORT
If you or your organization has been a victim of a cyber scam, SA-DFI provides professional forensic services, including fraud pattern analysis and the recovery of digital evidence for court proceedings.
Follow the official SA-DFI WhatsApp Channel for expert insights, case updates, and security awareness:
Click Follow and tap the bell icon 🔔 to stay updated.
Contact SA Digital Forensics and Investigations:
Phone: +27 77 480 3161
Email: info@sa-dfi.co.za
Website: www.sa-dfi.co.za
Follow us on social media:
Copyright © 2026 | SA Digital Forensics and Investigations | All rights reserved.
Comments