This is actually not a very difficult hack, but what is really critical is to NEVER click on links that arrive by e-mail or SMS. Rather, note any reference/tracking number and go independently to the website via your browser and check it out if you think it may be genuine.
The SA Post Office parcel attack is an old one, and as far I know the post office does not do payments online as the payment is made at the desk when receiving the parcel.
The phishing attack may appear to be something genuine, especially if you are waiting for a parcel, but that is exactly how people are being caught out (even those who are pretty tech-savvy—it catches people in those few seconds before their guard is up).
I got a phishing attack attempt just today from a courier company and when I checked the tracking number on their website, it says the shipment has not yet been created. On their website is also a warning notice about phishing attempt scams.
If you do use virtual bank cards, you should set the daily and monthly limits to just what is needed, and often you can deactivate/activate them just when needed.