📌 The 30-Second Version
Package-delivery smishing was the most-reported text scam category in the FTC's 2024 data, helping drive total text-scam losses to $470 million for the year. The script is identical across USPS, FedEx, UPS, DHL, and Amazon impersonation: a text reports a delivery problem, links to a lookalike website, and harvests either a credit card number (via a fake "redelivery fee") or a Social Security number (via fake "address verification"). Per Proofpoint research, only 23% of users over 55 can correctly define smishing — the script works because awareness is low and package volume is high. The unifying defense across all three variants: never click a link in an unsolicited package text. If you are expecting a package, type the carrier's URL into your browser yourself and look up the tracking number through the official site.
⚡ Quick Safety Rules
- Never click a link in an unsolicited text claiming to be from USPS, FedEx, UPS, DHL, or Amazon. No exceptions, no "just checking." If you are expecting a package, type the carrier's URL into your browser yourself.
- Real USPS texts come from 5-digit short codes (28777, 2USPS) registered with U.S. carriers — never from a 10-digit number, and never from a +63 (Philippines), +234 (Nigeria), or other non-U.S. country code. The sender format is the diagnostic before you even read the message.
- Real carriers do not charge redelivery fees by SMS. USPS, FedEx, UPS, DHL all reattempt delivery automatically or hold packages at a local facility for free pickup. Any payment ask in a delivery text is the scam.
- Forward the text to 7726 (SPAM on a phone keypad) so your carrier feeds it into network-level filters. Then report at uspis.gov/report (USPS-specific) and reportfraud.ftc.gov (federal).
- If you clicked the link and entered information: act based on what you entered. Credit card → call the bank's fraud line. SSN/DOB → credit freeze with all three bureaus. No information entered → close the tab, run a malware scan on Android, ignore further messages.
🪞 Is this text a scam? — 30-second self-check
Run on every package-delivery text before tapping any link. Two or more "yes" answers and the answer is yes.
- Did the text arrive from a 10-digit number rather than a 5-digit short code (28777, 2USPS)?
- Does the sender number include a non-U.S. country code (+63, +234, +44, etc.)?
- Does the message claim a fee, payment, or "verification" is required to receive your package?
- Are you NOT actively expecting a package matching the description in the text?
2+ yes: Smishing. Do not click. Forward to 7726, delete, report at uspis.gov. → Skip to What to Do
Jump to a Variant
The Anatomy of a Tuesday-Afternoon USPS Text
The post is on r/phishing, headlined simply "USPS text." The author was at work mid-afternoon when a text arrived: "USPS: Your package has been delayed due to incomplete address information. Please update your delivery information at uspsreshipment.com/track within 12 hours to avoid return." She was, in fact, expecting a package — a birthday gift she had ordered three days earlier and had been tracking. The timing felt right. The branding looked right. The URL ended in `.com` and contained the word `usps`. She tapped the link.
The page that loaded looked exactly like usps.com — same logo, same color scheme, same layout. It asked her to confirm the delivery address and pay a $1.99 reshipment fee with a credit card. She entered the card details. The page said her information was being processed. Three hours later her bank texted about an attempted $480 charge at an electronics retailer in another state. She caught it because she had set up real-time alerts. Many people do not.
The thread is one of dozens, with 521 upvotes and a long comment chain documenting variants. The script underneath is the same one — only the carrier name and the URL pattern change. [r/phishing · 521 upvotes]
What These Scams Actually Are
Package-delivery smishing is SMS-based phishing that impersonates a major carrier — USPS, FedEx, UPS, DHL, or Amazon — and exploits the fact that most U.S. adults are actively expecting a package at any given time. Per the FTC's 2024 top text scams data spotlight, "messages about package deliveries, usually from someone pretending to be from the U.S. Postal Service, were the most reported text scam last year. These messages say there's a problem with a delivery and link to a website that looks like the real USPS site – but isn't. Many people reported paying a small 'redelivery fee' that turned out to be a trick to get their credit card or even Social Security number." The FTC's accompanying press release reports total text-scam losses of $470 million in 2024 — nearly $100 million more than the year before.
Mechanically, the script has four phases:
- Mass-blast intake. Scammers send millions of identical or near-identical SMS messages from international gateways — Philippines (+63), Nigeria (+234), UK (+44), or VoIP-spoofed +1 numbers. The cost per message is fractions of a cent; even a 0.1% click-through rate is profitable.
- Plausible pretext. The message names a real carrier, references a real-sounding tracking issue (incomplete address, customs hold, missed delivery), and provides a link with carrier branding embedded in the URL. Recipients who happen to be expecting a package read the timing as authentic.
- Lookalike landing page. The link routes to a website that closely mimics the real carrier's site — same logo, same fonts, same color palette, sometimes even working internal links to non-fraudulent pages. The page asks for credit card information (for the redelivery fee) or Social Security and DOB (for "address verification").
- Extraction and disappearance. Credit card details are immediately tested with small charges before being sold or used for larger fraud. SSN and DOB feed identity-fraud pipelines that may not surface as new credit lines or fraudulent tax returns until weeks or months later. The lookalike domain is rotated within days, before takedown reports can land.
The U.S. Postal Inspection Service maintains a dedicated smishing alert page and runs aggressive consumer-outreach campaigns — per USPS press materials, the agency's outreach "reached over 169 million addresses through regular outreach programs delivered by 34,000 Post Offices." Project Safe Delivery, the agency's broader anti-mail-crime initiative, has produced "a 27% reduction in letter carrier robberies and more than 2,400 arrests related to mail theft and related crimes." Smishing remains the harder problem because the scam infrastructure lives outside USPS's enforcement reach — most operations run from offshore SMS gateways and lookalike-domain registrars in non-cooperating jurisdictions.
🔑 The single rule that defeats every variant — never click a link in an unsolicited package text
No real carrier — USPS, FedEx, UPS, DHL, Amazon — sends unsolicited delivery texts to people who haven't signed up for tracking notifications. If you signed up for USPS Informed Delivery or for tracking on a specific package, the texts will only confirm tracking status. They will never ask for payment. They will never include a non-carrier-domain link. They will never request Social Security or date-of-birth information.
If you are expecting a package and want to verify status, the safe path has not changed in a decade: type the carrier's URL into your browser yourself (usps.com, fedex.com, ups.com, dhl.com, or amazon.com under "Your Orders"), and use the official tracking number from your purchase confirmation email. The two-second extra friction of typing the URL yourself is the entire defense — the scam infrastructure depends on you tapping the link in the text, not on you being unable to find the real carrier site.
Same script, three brand pretexts. The variants below cover the three pitches that account for nearly all 2024 package-smishing complaints.
The 3 Variants
The most-reported text-scam category in the FTC's 2024 dataset. A text claims USPS has a delivery problem and asks for a $1.99-$3.99 redelivery fee paid by credit card on what looks like the USPS website. The credit card data is immediately used for tens to hundreds of dollars in unauthorized charges or sold on darknet markets.
A r/Scams victim describes the canonical loss in the thread "Fell for USPS text scam 😭" (80 upvotes). The author received the standard text — package delayed, please update delivery information at the linked URL. They were expecting a package. The page they landed on was, by their own description, indistinguishable from the real usps.com on a phone screen — same logo, same navigation, same tracking-number entry field. They entered the address and paid the $1.99 redelivery fee with their primary credit card. Within four hours, three transactions had appeared on the card: $89 at a gas station two states away, $217 at an electronics retailer, $89 again at a different gas station. The card was clearly being card-tested before resale.
The mechanism the FTC documented in its 2024 top-text-scams spotlight is identical: "Many people reported paying a small 'redelivery fee' that turned out to be a trick to get their credit card or even Social Security number." The fee is small precisely because it is a credential-harvest vehicle, not a payment scam in the traditional sense — the scammer does not care about the $1.99; they care about the 16-digit card number, expiration date, and CVV that the victim types in to "pay" it. Once the card data hits the scammer's database, it is tested with small probe charges (gas stations are common because of low-friction approval), then either used for larger purchases the same day or batched and sold to other operators within 24-72 hours.
The fix is upstream of the click. If you are expecting a package and want to check delivery status, type usps.com into your browser and use the tracking number from your purchase confirmation email. Real USPS does not send delivery-problem texts that include payment requests; the agency's official position, repeated on the USPIS smishing alert page, is that tracking texts only confirm status and never request payment or personal information. If you have already entered card information: call your card's issuing bank's fraud line on the number printed on the back of the card (not any number from the suspicious text), report the compromise, and request a card replacement. Most issuers can freeze the card within minutes and reverse pending unauthorized charges within hours.
Red Flags
- SMS from a 10-digit number (real USPS uses 5-digit short codes 28777 / 2USPS)
- Sender number with non-U.S. country code (+63 Philippines, +234 Nigeria, +44 UK)
- Message claims a delivery problem and provides a link to "update" or "verify"
- URL contains carrier branding but ends in unusual TLD (uspsreshipment.com, usps-track.online)
- Page asks for credit card information for a small redelivery fee — real carriers do not charge redelivery fees by SMS
How to Avoid
- Never click links in unsolicited package texts. Type usps.com / fedex.com / ups.com / dhl.com yourself.
- Forward the text to 7726 (SPAM on a phone keypad) so your carrier feeds it into network-level filters.
- Report at uspis.gov/report for USPS-specific intake — federal investigators track patterns across submissions.
- If you have already entered card data: call the bank's fraud line on the number from your card, request a freeze and replacement, and dispute any unauthorized charges. Most reversals happen within 24 hours when reported fast.
- Set up real-time transaction alerts on every credit card — the canonical r/Scams victim caught the test charges only because she had alerts enabled.
The USPS variant is the volume play because USPS is the most-recognized U.S. carrier brand. The next variant runs the identical script with the brand swapped out — and works for the same reason.
The same script with FedEx, UPS, DHL, or Amazon branding instead of USPS. Identical harvest pattern: fake delivery problem text, lookalike domain (fedex-redelivery.com, ups-tracking-update.com, amazon-orders.support), credit card or identity capture. Picks whichever carrier the recipient most likely actually uses.
The brand-swap variant exists because no single carrier dominates 100% of U.S. package volume. USPS handles roughly 40% of last-mile package deliveries; FedEx, UPS, and Amazon Logistics divide the remainder. A scammer running a USPS-only campaign reaches a fraction of recipients who happen to be expecting a USPS package; running USPS, FedEx, UPS, DHL, and Amazon variants in rotation increases the addressable base proportionally. The infrastructure is shared — same SMS gateways, same hosting, same lookalike-domain registrars, same credit-card-harvest backend — only the brand assets and URL pattern change.
The Amazon variant deserves separate attention because Amazon's volume is enormous and the brand exposure is daily for many recipients. The Amazon-impersonation text typically claims an order verification problem, a delivery exception, or a refund issue — anything to drive a click to a lookalike Amazon login page. Once the victim enters their Amazon username and password, the credentials harvest unlocks not just Amazon order history (which contains addresses, payment methods, and purchase patterns) but often other accounts as well — the same email-and-password combination is frequently reused on banking, retail, and email accounts. The Federal Communications Commission's package-delivery scam guidance specifically calls out Amazon-impersonation texts as a parallel category to the carrier-impersonation variants, with the same defense pattern.
What works is the same upstream rule with one extension. For any carrier — USPS, FedEx, UPS, DHL, Amazon — type the official URL into your browser yourself and use the tracking number from your purchase confirmation. Never tap a link in any package text, regardless of which carrier is named. If a text references "your Amazon order" but you do not currently have any open Amazon orders, that itself is the diagnostic — Amazon does not text recipients about orders that do not exist. The brand variation is the scammer's adaptation to carrier diversity; the defense does not adapt because the underlying mechanic is identical across all five major brands.
Red Flags
- SMS naming any major carrier (USPS, FedEx, UPS, DHL, Amazon) and claiming a delivery problem you didn't expect
- URL with carrier branding but unusual TLD or subdomain pattern (fedex-redelivery.online, ups-track.support, amazon-orders.help)
- Text references an order or package you don't have open — the brand-swap variant casts a wide net
- Page asks for full carrier-account login (Amazon username/password, FedEx Rewards login) rather than just tracking-number lookup
- Sender uses a non-U.S. country code or unfamiliar 10-digit number
How to Avoid
- Same rule for every carrier brand: type the official URL yourself. Never tap a link in any package text.
- For Amazon specifically: log into amazon.com directly and check "Your Orders" — the page surfaces real delivery exceptions and refund issues without requiring SMS interaction.
- If you reuse passwords across accounts and may have entered them on a fake site: change passwords on every account that shares the credential, prioritizing email and banking. Enable two-factor authentication on every account that supports it.
- Forward the message to 7726 (SPAM) and report the carrier's name in your filing at uspis.gov (USPS) or reportfraud.ftc.gov (any carrier).
- For elder relatives at higher risk, install carrier-level smishing filters (most major U.S. carriers offer free filtering), and walk through the "type the URL yourself" rule explicitly during a low-stakes conversation, not after a near-miss.
The first two variants harvest payment information. The third variant trades the credit card harvest for a slower, more dangerous identity harvest.
The slower, more damaging variant. Instead of asking for a credit card and a small redelivery fee, the lookalike page asks for "address verification" requiring full name, DOB, and Social Security information. The harvested identity feeds new-credit-line fraud, fraudulent tax returns, and darknet identity markets — surfacing weeks or months later, often when the victim no longer remembers the original text.
A r/phishing victim describes the variant in the thread "I think I just fell for a USPS text scam, let me know what I should do!" (41 upvotes). The author tapped the link in a USPS-branded text expecting the redelivery-fee variant — they had read about the credit-card harvest pattern and were prepared to abandon if a payment screen appeared. Instead, the page asked for "USPS account validation" requiring full name, complete address, date of birth, and Social Security number "to confirm postal-service eligibility." The framing was different enough from the credit-card variant to bypass their pattern recognition. They entered the information, then realized within minutes that USPS does not require Social Security numbers for any consumer service. They placed credit freezes the same evening, but the harvested identity bundle had already moved.
The identity-harvest variant is more damaging than the credit-card variant for two reasons. First: the attack surface is wider. A credit card can be canceled within hours; a Social Security number cannot be changed, and the harvested identity feeds fraud pipelines that can run for years. Second: the damage surfaces slowly. New credit lines opened in the victim's name may not appear on the credit report for 30-60 days; fraudulent tax returns may not surface until the victim files their own return and is rejected. The FTC's smishing data bundles this variant under the same package-delivery category, but the FBI tracks identity-fraud follow-on losses separately — and the per-victim losses on the identity-harvest variant are typically 10-50× the credit-card variant once the long tail plays out.
If you have already entered identity information on a fake USPS page, the response is structural and time-sensitive. Place a credit freeze with all three bureaus (Experian, Equifax, TransUnion) the same day — free, takes 5 minutes per bureau, prevents new credit lines from being opened in your name. File an IRS Form 14039 Identity Theft Affidavit before the next tax-filing season to flag your account. Sign up for free credit monitoring through one of the bureaus or through a service like AnnualCreditReport.com. File at uspis.gov/report and at identitytheft.gov (the FTC's dedicated identity-fraud portal) — the latter generates a personalized recovery plan based on what you entered. Watch your bank, credit card, and IRS accounts for at least 12 months; identity-fraud follow-on can take that long to surface.
Red Flags
- Lookalike USPS / FedEx / UPS page asks for Social Security number, date of birth, or "full account verification"
- Framing references "account validation," "postal-service eligibility," or "delivery account confirmation" — not just a redelivery fee
- The page does NOT ask for credit card information — that is the diagnostic for the identity-harvest variant specifically
- Form fields include both last-four and full Social Security number, sometimes also driver's license number
- "Verification" framing is specifically designed to bypass victims who learned to spot the credit-card-harvest variant
How to Avoid
- USPS does not require Social Security numbers for any consumer service. Any page claiming to is a scam.
- Place a credit freeze with all three bureaus immediately if you entered SSN/DOB. Free, 5 min each, prevents most identity follow-on.
- File at identitytheft.gov for a personalized FTC recovery plan, plus uspis.gov/report for USPS-specific tracking.
- File IRS Form 14039 Identity Theft Affidavit before next tax-filing season to flag your account with the IRS.
- Set up free credit monitoring through Experian, Equifax, TransUnion, or AnnualCreditReport.com — watch for 12+ months. New credit lines opened with stolen identity may not surface for 30-60 days.
The Numbers (and Where They Come From)
Every figure below is from a primary source with the verbatim quote on file in our research log.
One additional fact worth knowing: per Proofpoint's analysis, the company processes more than 80% of North America's mobile messages — meaning their statistics on smishing prevalence are derived from majority-share visibility into U.S. and Canadian SMS traffic. The 7%+ year-over-year growth in U.S. smishing volume that Proofpoint reported in 2024 reflects scammer infrastructure scaling, not just better detection.
Recovery Reality (and the Time-Sensitive Defenses)
Recovery from package-text-scam losses depends entirely on what you entered and how fast you act. Three time horizons matter.
If you only landed on the page without entering anything, the damage is essentially zero. Some malicious sites attempt drive-by malware installation on Android devices (iOS is more sandboxed and less exposed), so run a malware scan if you tapped through on Android. Otherwise close the tab, delete the original text, forward it to 7726 so your carrier filters similar messages, and ignore further communications. No recovery action needed.
If you entered credit card information, act in the first 24 hours. Call the issuing bank's fraud line on the number printed on the back of your card. Report the compromise, request a card freeze and replacement, and dispute any unauthorized charges. Most U.S. issuers reverse pending unauthorized charges within hours when reported fast, and Regulation E protects consumers from liability for unauthorized credit-card transactions reported within 60 days. Set up real-time transaction alerts on the new card so future probe charges trigger immediately.
If you entered Social Security number or date of birth, the damage is structural and the response runs longer. Place a credit freeze with all three bureaus (Experian, Equifax, TransUnion) the same day — free, 5 minutes each, prevents new credit lines from being opened in your name. File at identitytheft.gov for a personalized FTC recovery plan; the portal walks you through Social Security Administration outreach, IRS notification (Form 14039), and credit-bureau coordination. Watch credit reports monthly for at least 12 months — fraudulent new accounts and tax-return identity theft can take 30-90 days to surface.
🆘 What to Do If You Clicked or Entered Information
📵 Forward to 7726 + Delete
Forward the original text to 7726 (SPAM on a phone keypad). Most major U.S. carriers feed these reports into network-level filters. Then delete the message. This works even if you didn't click — the report still helps protect other recipients.
📞 Bank Fraud Line — If Card Entered
Call the issuing bank's fraud line on the number printed on your credit card. Report the compromise, request a card replacement, and dispute any unauthorized charges. Most reversals happen within 24 hours when reported fast. Set up real-time transaction alerts on the new card.
🛡 Credit Freeze — If SSN/DOB Entered
Place credit freezes with Experian, Equifax, and TransUnion the same day. Free, 5 minutes each, prevents new credit lines. File IRS Form 14039 before next tax season. Sign up for free credit monitoring and watch for 12+ months.
🏛 Report to USPIS + FTC
File at uspis.gov/report for USPS-specific tracking, and at reportfraud.ftc.gov for federal data. If you entered SSN/DOB, also file at identitytheft.gov for a personalized recovery plan.
🔐 Password Reset — If Login Entered
If you entered an Amazon, FedEx, or carrier-account login, change the password immediately on that account AND every other account where you reuse the same password. Prioritize email and banking. Enable two-factor authentication on every account that supports it.
📲 Phone Cleanup — Android
For Android devices, run a malware scan with Google Play Protect or a reputable security app. iOS is more sandboxed but worth checking app installs you don't recognize. Reboot the phone after cleanup to clear any in-memory artifacts.
If You're Reporting Outside the United States
Package-text smishing is global. The same scam infrastructure runs against Royal Mail (UK), Canada Post, Australia Post, and major European carriers — only the brand names and the lookalike domains change.
- United Kingdom: Forward suspicious texts to 7726 (the international free-forwarding short code most carriers honor). Report at Action Fraud; report Royal Mail impersonation directly to Royal Mail's scam-reporting page.
- Canada: Forward suspicious texts to 7726. Report at Canadian Anti-Fraud Centre (CAFC). Canada Post tracks impersonation separately.
- Australia: Forward to 7726. Report at Scamwatch (run by the ACCC). Australia Post publishes its own smishing alerts and provides a forwarding address for suspicious messages.
- European Union: Report to your national consumer-protection agency and to Europol's online crime portal. Most EU national posts have dedicated smishing-reporting pages.
- Ireland: An Garda Síochána Garda National Economic Crime Bureau (GNECB).
Frequently Asked Questions
📚 Source Threads (Reddit, 2024–2026)
The canonical USPS text scam
"USPS text" — r/phishing, 521 upvotes. The most-engaged USPS smishing thread on r/phishing; documents the redelivery-fee credit-card harvest variant in detail.
The "fell for it" victim post
"Fell for USPS text scam 😭" — r/Scams, 80 upvotes. First-person account of the credit-card harvest with same-day card-test charges.
The damage-control thread
"I think I just fell for a USPS text scam, let me know what I should do!" — r/phishing, 41 upvotes. Documents the identity-harvest variant — the page asked for SSN, not credit card.
The reschedule-delivery variant
"USPS reschedule delivery scam?" — r/Scams, 30 upvotes. Variant focused on "reschedule delivery" framing rather than redelivery fee.
USPS Postal Inspection Service alert
USPIS Smishing: Package Tracking Text Scams — federal agency primary source. Defines the script and provides the official reporting channel.
FTC top-text-scams data spotlight
FTC Consumer Protection Data Spotlight: Top Text Scams of 2024 — primary federal source documenting the $470M total and the package-delivery #1 designation.
Related Reading
Package text scams overlap with several other scam mechanisms documented on tabiji. Internal: the Everywhere hub; Recovery Scams (smishing victims who post publicly about their loss become recovery-scam targets within hours); Bank-Impersonation & Zelle Scams (the credit-card-harvest mechanic shares infrastructure with Zelle smishing variants); Medicare & Elder-Targeted Scams (older adults are disproportionately targeted by smishing per Proofpoint's awareness data); Tech-Support Scams (clicked-but-didn't-enter scenarios occasionally lead to follow-on tech-support pop-up scams). External authorities: the USPS Postal Inspection Service smishing alert; FTC Top Text Scams of 2024; the FCC package-delivery scam guidance; Proofpoint 2024 State of the Phish; the AARP smishing coverage.
This page is consumer education, not legal or financial advice. The scams documented here are real and the defenses are drawn from patterns across 4,045+ Reddit posts and comments (276 threads, 3,769 comments) plus the federal-agency, NGO, and industry sources cited inline, but every situation is different. If you have lost money or had identity information harvested, file at uspis.gov/report and identitytheft.gov, and consult a licensed attorney through your state bar's lawyer-referral service before paying anyone for "recovery" services. Reddit thread upvote counts are reported as of April 2026 and may have changed since publication. Last updated: April 30, 2026. Next scheduled refresh: July 30, 2026.