Fake delivery alerts impersonating USPS, FedEx, UPS, and DHL are some of the most clicked phishing links in the country. A single tap on the wrong link can hand scammers your payment details, name, and home address in under two minutes.
💬 SMS📧 Email
Written by Brandon King
· Last updated: February 2026
Typical Loss
$200–$5,000
Peak Season
Oct – Jan
Targets
All Shoppers
What Is Package Delivery Smishing?
Smishing — a combination of SMS and phishing — refers to fraud delivered through text messages. Package delivery smishing is one of its most prevalent forms, exploiting the fact that most people are regularly expecting at least one shipment and are conditioned to respond quickly to delivery notifications.
The scam works by impersonating the visual identity and tone of major carriers — USPS, FedEx, UPS, DHL, and Amazon Logistics — and creating a plausible reason to click a link or call a number. The FBI’s Internet Crime Complaint Center consistently ranks smishing among the top cyber-enabled fraud categories by number of victims. During peak shopping periods, some campaigns send hundreds of millions of fraudulent texts per day.
The FBI and USPS Postal Inspection Service issued joint warnings in 2024 about a dramatic surge in USPS-branded smishing, noting that some campaigns were sophisticated enough to spoof legitimate USPS short code numbers — making the texts appear in the same thread as real USPS messages on some devices.
How the Scam Works — Step by Step
The Text Arrives
A text message arrives appearing to be from USPS, FedEx, UPS, or DHL. It references a package that could not be delivered, a customs hold, an address confirmation needed, or a small redelivery fee due. The message creates mild urgency — your package will be returned, delayed, or held unless you act.
The Link
The message contains a link that appears superficially legitimate — often using a domain that closely resembles the real carrier’s URL, such as usps-delivery-update.com or fedex-tracking-alert.net. Some campaigns use link shorteners to obscure the destination entirely. Tapping opens a website cloned from the real carrier’s design.
The Fake Portal
The fraudulent site asks the victim to confirm their name, delivery address, and in most cases, a credit or debit card number to pay a small redelivery fee — typically $1.99 to $4.99. The fee amount is kept small deliberately to reduce hesitation. Once card details are entered, they are captured instantly and used for larger unauthorized purchases or sold.
What Happens Next
Some victims only experience card fraud — unauthorized charges appearing within hours. Others find their personal details used to create fraudulent accounts, redirect future deliveries for package theft, or open credit lines in their name. In more sophisticated variants, entering the site on a mobile device may trigger a malicious profile download or subscription enrollment.
5 Red Flags in a Delivery Text
You are not currently expecting a package from the carrier named in the text — or you cannot match the message to any specific order in your records.
The link uses a domain that is not exactly usps.com, fedex.com, ups.com, or dhl.com — even one extra word or character in the domain is a definitive red flag.
A fee is required via the link to redeliver your package. Real carriers do not charge redelivery fees through SMS text messages.
The message contains urgency language — “your package will be returned in 24 hours” or “action required within 48 hours” — designed to prevent careful thinking.
The text came from a long phone number rather than a short code, or the number does not match the carrier’s known sender IDs.
💡 💡 The Safe Way to Check a Real Delivery
Never click links in delivery texts. Instead, open the carrier’s official app or type their URL directly into your browser (usps.com, fedex.com, ups.com, dhl.com) and enter your tracking number manually. This takes the same amount of time and eliminates all phishing risk.
What To Do If You Clicked and Entered Your Details
Call your bank or card issuer immediately and report that your card details may have been compromised. Request a new card number and dispute any unauthorized charges.
Change passwords on any accounts that share the same email or password as anything entered on the fake site.
Place a fraud alert with one of the three major credit bureaus — Equifax, Experian, or TransUnion — which automatically notifies the other two.
Forward the original scam text to 7726 (SPAM) to report it to your mobile carrier. Report to the FTC at reportfraud.ftc.gov and to USPS Postal Inspection at postalinspectors.uspis.gov if USPS was impersonated.
Monitor your credit report at annualcreditreport.com for any new accounts opened in your name.
A Smishing Click Can Start an Identity Theft Problem
When your card details and home address land in the hands of a smishing operation, they rarely stop at one unauthorized charge. That data gets sold, combined with details from other breaches, and used to open accounts in your name. An identity theft protection service monitors your credit, financial accounts, and personal information for exactly this kind of downstream misuse — and alerts you before it compounds. We’ve independently tested and compared the leading services.
Independent reviews. Tested with our own information. No fluff.
Frequently Asked Questions
USPS does send text notifications, but only if you specifically signed up for USPS Informed Delivery or requested tracking updates for a specific package. USPS never sends unsolicited texts asking for payment to release or redeliver a package. Any text asking for a fee from someone claiming to be USPS is a scam.
Check the sender’s number — real carrier texts come from verified short codes, not random long numbers. Preview any link before tapping to verify it leads to the exact official domain. Real carriers never charge a fee via text to redeliver a package. When in doubt, visit the carrier’s official app or website directly and enter your tracking number manually.
If you only clicked but did not enter information, your risk is lower but not zero. If you entered payment details or personal information, contact your bank immediately, request a new card, and monitor your credit report for new accounts opened in your name.
Smishing campaigns are sent in bulk to millions of numbers simultaneously — scammers do not know whether you are expecting a package. Messages are timed around peak shopping periods when statistically most people have at least one order in transit. Your number may have been obtained from a data breach, a data broker, or generated randomly by automated dialing software.
Forward the text to 7726 (SPAM) to report it to your carrier. Report to the FTC at reportfraud.ftc.gov and to the carrier being impersonated. USPS fraud can be reported at postalinspectors.uspis.gov.
