
Delivery impersonation: the social engineering vector that just works

Someone called pretending to deliver a Diwali bakery hamper. They got my full address in 20 seconds. Why this pretext works and what to ask back.


A few weeks ago, my mum got a WhatsApp call from someone claiming to deliver a Diwali hamper from a bakery she'd never ordered from. They asked for her live location to "route the driver". She sent it. Twenty seconds, full home address handed to a stranger.

why this attack works

The attack rides three psychological triggers at once. Mentioning a well-known local business creates instant credibility. Gift deliveries during festivals are common and expected, so the pretext doesn't trip anyone's filter. And "I'm outside and need directions now" prompts immediate action before the victim has time to verify anything.

the attack pattern

    Attacker: "Hi, I'm from [Popular Local Bakery]. I have a Diwali gift
              hamper for you but I'm having trouble finding your location.
              Could you share your address or live location?"

    Victim:   Shares full address or WhatsApp live location without verification

No order confirmation requested. No delivery tracking number asked for. No verification of any kind.

why people fall for it

  • Gift context: during festivals, people expect surprise gifts from friends and family
  • Helpful nature: most people want to help someone who seems to be doing their job
  • Time pressure: the implied urgency ("I'm waiting outside") prevents critical thinking
  • Low perceived risk: sharing an address seems harmless compared to financial data
  • Trust in local brands: using a known local business name lowers suspicion

defense strategies

The defense is one habit: don't share an address until you've verified the order exists. Ask for a tracking number, call the business on its public number, ask who sent the gift and check with them. If the driver "needs directions right now", give a landmark, not a pin. Most delivery apps already have in-app chat — there's no good reason a real driver needs your live location over WhatsApp.

real-world impact

This attack can be used for:

  • Physical surveillance and stalking
  • Burglary planning (knowing when someone is home)
  • Identity theft (address is often used for verification)
  • Targeted phishing (the attacker now knows the exact location)
  • Physical security breaches

the asks that work

The pretexts that actually get through share a shape. A familiar local business name doing the credibility work. A plausible occasion — Diwali hampers, birthday flowers, Amazon redelivery — that fits the calendar. A small action framed as urgent: "I'm outside, just send the location". Zero technical skill, one phone call, full address.
