
Your Order Is On The Way Email Scam

By Mezo in Phishing, Malware, Spam

Unexpected emails involving purchases, deliveries, or account activity should always be approached with caution. Cybercriminals frequently disguise malicious messages as legitimate business communications in an attempt to pressure recipients into acting without verification. The 'Your Order Is On The Way' email campaign is one such example. Detailed analysis has confirmed that these emails are malicious spam messages and are not connected to any legitimate companies, shipping providers, retailers, or organizations.

Fake Shipping Notifications Designed to Create Urgency

The 'Your Order Is On The Way' emails are crafted to resemble authentic shipment notifications. They typically arrive with subject lines containing order numbers and reference codes to make the messages appear credible and professional.

Recipients are informed that their package has allegedly been dispatched and are encouraged to click a 'View Shipping Details' button to access tracking information and delivery updates. The wording is intentionally designed to trigger curiosity and urgency, increasing the likelihood that recipients will interact with the provided link without carefully inspecting the message.

In reality, the emails do not relate to any genuine purchase or shipment. Their sole purpose is to redirect recipients to a malicious website designed to infect systems with malware.

The Malicious Website Behind the Scam

Clicking the embedded link redirects users to a fraudulent page hosted on increminder.com. The site is styled to resemble an order management or shipping portal, further reinforcing the illusion of legitimacy.

The webpage claims that shipment information has been processed and states that order details are available for download. It also warns that the downloaded file may be required to receive the package, a psychological tactic intended to pressure visitors into proceeding with the download.

Instead of providing tracking information or order documentation, the site delivers a malicious file named 'ScreenConnect.ClientSetup.msi'. This file is presented as a normal Windows installer but actually contains a trojanized version of ScreenConnect.

Trojanized Remote Access Software Poses Serious Risks

ScreenConnect itself is legitimate remote desktop software developed by ConnectWise and commonly used by IT support professionals for remote assistance and system management. However, cybercriminals frequently abuse such tools by modifying them and distributing weaponized versions capable of granting unauthorized remote access to victims' devices.

Once the malicious installer is executed, the remote access tool can silently operate in the background without drawing attention. Attackers may then gain extensive control over the compromised system and perform a wide range of malicious activities, including:

  • Stealing confidential files and stored credentials
  • Monitoring user activity and collecting sensitive information
  • Installing additional malware such as ransomware or spyware
  • Conducting fraudulent transactions or abusing online accounts

Because the malware provides persistent remote access, affected systems should be considered fully compromised.

How Malspam Campaigns Deliver Malware

Spam campaigns frequently distribute malware either through malicious attachments or through links leading to harmful websites. In many cases, the files are disguised as invoices, receipts, shipping documents, or account statements to encourage recipients to open them without suspicion.

In this campaign, the attackers rely on a malicious link rather than a direct attachment. Recipients who follow the link are led to the fake order portal, where they are manipulated into downloading the infected installer file. Once launched, the malware establishes remote access capabilities while remaining largely invisible to the victim.

This method allows attackers to bypass some email security filters, since the harmful payload is hosted externally rather than attached directly to the email.
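Because nothing is attached, mail triage for this lure has to look at the subject and the links instead. The following is an added example, not code from the original write-up: the finding labels and the sample message are constructed for illustration, and the subject pattern is generalized from the single subject line quoted on this page.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

LURE_DOMAINS = {"increminder.com"}  # domain named in the write-up
SUBJECT_RE = re.compile(r"order\s*#\[?\d+\]?.*\bRef:\s*#\w+", re.I)
BUTTON_RE = re.compile(r"view\s+shipping\s+details", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw_email):
    """Return a list of findings for one raw RFC 5322 message (str)."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = ["subject-matches-lure"] if SUBJECT_RE.search(msg["Subject"] or "") else []
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        # Exact domain or a true subdomain only; lookalike suffixes must not match.
        if any(host == d or host.endswith("." + d) for d in LURE_DOMAINS):
            findings.append("link-to-reported-domain:" + host)
        if BUTTON_RE.search(text):
            findings.append("shipping-button-link:" + host)
    if findings and not any(True for _ in msg.iter_attachments()):
        findings.append("no-attachment")  # payload is link-hosted, not attached
    return findings

# Constructed sample message (illustrative headers and HTML, not a capture).
SAMPLE = """\
Subject: Delivery update: order #[145133] dispatched - Ref: #F88410
Content-Type: text/html; charset="utf-8"

<a href="https://increminder.com/"><span>View Shipping Details</span></a>
"""
```

The button-text finding still fires when the link points at a different host, so the check remains useful if the hosting domain changes.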

Immediate Steps for Affected Users

Anyone who downloaded or executed the 'ScreenConnect.ClientSetup.msi' installer should assume that unauthorized access to the system may already have occurred. Immediate action is strongly recommended to minimize potential damage.

A full antivirus or anti-malware scan should be performed without delay, and all sensitive passwords associated with the affected device should be changed from a separate, secure system. Financial accounts, email accounts, and business logins should also be monitored for suspicious activity.

The malicious email itself should be deleted immediately, and recipients should avoid clicking any links or downloading any files associated with the message.

Staying Protected Against Delivery-Themed Scams

Delivery-themed phishing and malware campaigns remain highly effective because they exploit common online shopping habits and the expectation of package updates. Attackers rely on recipients reacting quickly before carefully evaluating the legitimacy of the message.

Users can reduce exposure to these threats by verifying shipment notifications directly through official retailer or courier websites, avoiding downloads from unsolicited emails, and treating unexpected delivery alerts with skepticism. Even emails that appear polished and professional may conceal serious security threats beneath convincing branding and urgent language.

System Messages

The following system messages may be associated with the 'Your Order Is On The Way' email scam:

Subject: Delivery update: order #[145133] dispatched – Ref: #F88410

Dear Customer,

Great news — your order has been shipped and is currently on its way to you.

You can check your tracking number and full shipping details by clicking the button below.

[View Shipping Details]

Thank you for shopping with us.

Best regards,
Customer Support Team
