Scammers posing as USPS, FedEx, and other carriers are flooding phones with fake delivery alerts designed to steal personal and financial data. The texts follow a simple script: an urgent claim about a held package, a link to a convincing but fraudulent website, and a prompt to enter payment details or personal information. Federal agencies including the FTC, the FBI, and the U.S. Postal Inspection Service have all issued warnings about this specific tactic, and USPS has confirmed it does not charge fees for redelivery, directly contradicting the most common hook these messages use.
Why delivery-text scams keep working in 2024
The reason these texts land so effectively is tied to routine behavior. Most people expect packages. When a message arrives claiming a delivery failed or requires action, the instinct is to tap the link and fix the problem. That reflex gives scammers an edge that generic phishing emails about bank accounts or password resets do not enjoy. A vague “verify your account” email can be ignored. A text saying “your package could not be delivered” hits differently when someone actually placed an order two days ago.
The FTC explains that these messages typically arrive out of the blue, use a fake tracking issue as a pretext, and push recipients to click a link leading to a look-alike site designed to harvest data. The sites often mimic official USPS branding closely enough to pass a quick glance, and the messages themselves use language engineered to create a sense of time pressure.
That pressure is the key ingredient. The U.S. Postal Inspection Service has warned that scammers rely on urgent language in smishing texts to steal personal data for identity fraud, according to a USPS advisory. The word “smishing,” a blend of SMS and phishing, describes this exact attack vector: a text message that functions like a phishing email but arrives on a channel most people trust more than their inbox. Once a victim clicks, the fake site may ask for a small “redelivery fee,” full card details, login credentials, or even Social Security numbers under the guise of verifying identity.
Red flags federal agencies say to check before tapping
Three signals separate a real carrier notification from a fake one. First, legitimate delivery services rarely ask recipients to click a link in a text message to resolve a problem. USPS, for instance, sends tracking updates but does not request payment through SMS. The agency’s own FAQ page states plainly that USPS does not charge a fee for redelivery. Any text demanding a small payment to release or redeliver a package is, by that standard, fraudulent on its face.
Second, the link itself usually gives the scam away. Real USPS URLs end in usps.com. Fake texts often use domains that look similar but include extra words, hyphens, or unfamiliar extensions. The Postal Inspection Service notes that an unexpected problem notification paired with a link that does not clearly belong to the carrier is a strong indicator of smishing. Shortened URLs can also be a red flag, because they hide the true destination until after the click.
Third, the tone of the message matters. Legitimate carriers communicate in neutral, factual language: “Your package is out for delivery,” or “Delivery attempted; notice left.” Scam texts lean on words like “immediately,” “urgent,” or “action required” to short-circuit the reader’s judgment. The FBI classifies these messages as a form of phishing and stresses that unsolicited messages demanding quick action are a hallmark of fraud.
When a suspicious text arrives, the safest response is to ignore the link entirely and check the shipment status directly through the carrier’s official app or website. Typing usps.com, fedex.com, or ups.com into a browser and entering a tracking number there eliminates the risk of landing on a spoofed page. If no matching shipment appears, the text was almost certainly a scam.
What to do after receiving a suspicious delivery text
Reporting matters because it helps federal agencies track and disrupt smishing campaigns. The Postal Inspection Service recommends forwarding the suspicious message to 7726, the universal short code that U.S. wireless carriers use to collect spam reports. That step takes seconds and feeds data to carriers working to block future messages from the same source.
For a more formal report, the FBI and USPIS both direct consumers to file a complaint through IC3, the FBI’s Internet Crime Complaint Center. Filing there creates a federal record that can support broader investigations into organized smishing rings, especially when many complaints describe similar wording or web domains.
On iPhones, Apple provides built-in tools to block senders and report junk messages directly through the Messages app. Tapping “Report Junk” beneath an unknown sender’s message flags it to Apple and the carrier simultaneously, adding another layer of defense without requiring a separate app or service. Android phones offer similar reporting options through default messaging apps or carrier-branded tools.
Anyone who has already tapped a link and entered information should act fast. Changing passwords for any accounts that share the same credentials is the first step. Monitoring bank and credit card statements for unauthorized charges is the second. If financial information was entered on the fake site, contacting the card issuer to freeze or replace the card can limit the damage. Victims who provided sensitive personal data like Social Security numbers may also want to place fraud alerts or credit freezes with major credit bureaus.
Gaps in tracking and blocking smishing at scale
Federal agencies have published clear guidance, but enforcement remains challenging because smishing campaigns are cheap to launch, easy to relocate, and often routed through overseas infrastructure. Scammers can buy lists of phone numbers, spoof legitimate-looking sender IDs, and rotate domains quickly when one gets reported or blocked. That flexibility allows the same basic script-fake package, urgent link, small fee-to resurface repeatedly under slightly different guises.
Wireless carriers deploy spam filters and network-level blocking tools, and they use reports sent to 7726 to refine those systems. However, many fraudulent texts still slip through because aggressive filtering risks blocking legitimate notifications as well. Carriers must constantly balance user protection against the possibility of interfering with real banking alerts, two-factor authentication codes, or genuine delivery updates.
Another gap lies in public awareness. While email phishing has been a familiar threat for years, many people still treat text messages as inherently more trustworthy. That perception is exactly what smishing schemes exploit. The more convincingly a fake site mimics a postal or shipping brand, the more likely a rushed recipient is to complete the requested steps without pausing to question them.
Experts say closing these gaps will require a mix of technical and educational responses. On the technical side, broader adoption of authentication frameworks that verify sender identity for text messages could make spoofing more difficult. On the educational side, repeated, consistent messaging from agencies, carriers, and major retailers can normalize a few simple rules: never pay a delivery fee via texted link, never enter personal data on a site reached from an unsolicited message, and always verify package issues through official channels.
For now, the most reliable defense remains individual skepticism. If a text claims a package is stuck until you pay a fee or “confirm” sensitive details, assume it is a scam until you can prove otherwise. By slowing down, checking links carefully, and using official websites instead of embedded URLs, consumers can blunt one of the most persistent fraud trends riding on the back of online shopping.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
