Fake package-delivery texts topped every other category of text-message scam reported to federal regulators in 2024, and the financial damage is staggering. Reported losses from text-message scams overall reached $470 million, according to the Federal Trade Commission. The scam works because it lands in a phone’s inbox at the exact moment millions of people are already waiting for a real shipment, and the messages often mimic carrier language closely enough to fool even cautious recipients.
Why delivery-smishing losses keep climbing despite clear warnings
The core problem is timing. Scammers send texts that claim a package cannot be delivered, that an address needs confirmation, or that a small fee is required before redelivery. These messages arrive during peak shopping periods when consumers have multiple orders in transit and are primed to tap any link that looks like a tracking update. The FTC data confirmed that fake package-delivery texts were the single most commonly reported type of text scam last year, beating out bogus toll notices, banking alerts, and job offers.
One hypothesis circulating among security researchers is that messages embedding a recipient’s actual tracking number produce higher click-through rates than generic “your package is delayed” texts, even when the embedded link points to an obviously fraudulent domain. No primary FTC or Postal Inspection Service dataset published so far breaks down click rates by message specificity, so the claim remains untested at scale. What the evidence does show is that the broad category of delivery-impersonation texts continues to outperform every other smishing lure in sheer volume of complaints, which suggests the carrier disguise itself is the strongest hook.
Psychology also works against recipients. Package notifications feel routine and low risk, especially compared with messages that clearly involve money or banking. Many people check them while distracted-standing in line, commuting, or scrolling in bed-when they are least likely to scrutinize a URL or question a tiny fee. That combination of urgency, routine, and distraction keeps the scam profitable despite years of public warnings.
Three carrier-verified checks that expose the fake
Federal agencies and carriers have published specific tests anyone can run before tapping a link. The first is the contact test. The FTC explains that legitimate postal messages do not arrive out of the blue about a delivery when the recipient has not initiated contact. Any unsolicited text claiming to be from the Postal Service about a package, especially one that demands action, fails this check immediately.
The second is the fee test. USPS guidance on scam alerts makes clear that the agency does not charge a fee for redelivery of ordinary packages. A message asking for $1.50, $3, or any other amount to “reschedule” a package is fraudulent by definition, regardless of how professional the branding looks. Real carriers may charge for premium services, but those charges are disclosed when the shipment is created, not sprung on the recipient via text.
The third is the domain test. Major carriers publish the exact web addresses they use for tracking and billing. UPS, for instance, states that its legitimate links begin with ups.com or billing.ups.com, not with hyphenated variations or unrelated domains. Any URL such as “ups-delivery-notice.com” or a shortened link that obscures its destination should be treated as untrusted until verified through the carrier’s official website or app. Taking a moment to expand a shortened link or manually navigate to a known site eliminates most fakes on sight.
These three checks-who contacted whom, whether a surprise fee is involved, and what domain the link uses-work across carriers. FedEx, Amazon, and other shippers follow similar patterns: they do not demand unexpected payments via generic texts, and their tracking links live on domains they control. If a message fails any one of these tests, it is a scam, even if it includes a real tracking number or personal details scraped from a past purchase.
What a tapped link actually does to a phone
The consequences go beyond a lost payment. The Postal Inspection Service warns that package-delivery smishing can install malware on a device or steal login credentials and payment information. A single tap can lead to a fake carrier page that prompts the victim to enter a card number, bank login, or one-time passcode. In some cases, the site pushes the user to install a malicious app that quietly captures keystrokes or screens.
Once attackers have those details, they can access banking apps, email accounts, and stored passwords. The financial loss from credential theft often dwarfs the small “redelivery fee” the original text requested. A victim might notice the $3 charge and dispute it, but overlook a series of transfers or purchases that occur days later because they do not immediately connect those transactions to the earlier tap.
Stolen credentials also feed secondary fraud. Attackers who harvest an email-and-password combination can attempt logins on multiple services, reset security questions, or change contact information so that alerts never reach the real account holder. They can also bundle and sell the data on dark-web marketplaces, where other criminals specialize in opening new credit lines or filing fraudulent tax returns. That chain of events is one reason regulators believe the $470 million in reported losses understates the true cost: many victims never trace a compromised account months later back to the delivery text they dismissed as a minor annoyance.
Gaps in the data that regulators have not closed
Several questions remain unanswered in the public record. Neither the FTC nor the Postal Inspection Service has published verbatim examples of the exact package-text scripts reported in 2024, which makes it harder for consumers to compare a suspicious message against known templates. Without representative samples, people must rely on general descriptions like “claims a package is held” rather than seeing the precise wording scammers favor.
The official reporting portals, including [email protected] and reportfraud.ftc.gov, also do not release aggregate demographic or loss-amount data tied specifically to delivery-smishing complaints. The $470 million figure covers all text-message scams, from fake bank alerts to bogus job offers. How much of that total stems from package-related texts alone is not publicly broken out, leaving policymakers and carriers to estimate the true scope of the delivery problem.
Carrier-side transparency is equally limited. USPS and UPS scam-alert pages describe common tactics and offer prevention tips, but they do not include timestamps or campaign logs showing when particular smishing waves were first detected, how long they lasted, or how many messages were blocked. Without that timeline, independent researchers cannot map surges in fake texts to specific shopping events, marketing campaigns, or potential data breaches in the logistics ecosystem.
The practical gap for readers is straightforward: no single public dashboard lets a consumer paste a suspicious link, phone number, or message body and get an instant, authoritative verdict. Instead, people must piece together guidance from multiple agency pages, carrier FAQs, and news reports. Until regulators and carriers surface more granular, real-time information, the most reliable defenses will remain simple behavioral checks: distrust unsolicited texts, refuse surprise fees, verify domains, and when in doubt, go directly to the carrier’s official app or website rather than tapping whatever lands in your inbox.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
