FRAUD RESOURCE CENTER
En español | Americans spent $211.4 billion online over the 2021 holidays, according to retail research company Digital Commerce 360. That was up 10 percent from 2020 as consumers continued to gravitate toward the ease and convenience of e-commerce. Scammers love the trend, too: They've developed myriad tricks to take advantage of the proliferation of packages, especially during the holiday season.
Their primary ploy is a phony delivery notification, a scam that really ramped up amid the surge in stay-at-home shopping during the coronavirus pandemic. You’ll get an email or text message that claims to come from the U.S. Postal Service or a major delivery company like FedEx or UPS. The message may say you need to confirm an order so it can be delivered, or that an unsuccessful attempt was made to drop off a package and you need to schedule another. Clicking a link will take you to a website where you can straighten things out.
In all likelihood, it’s a ruse. The scammer is hoping you order so many things online that you can’t keep track of all your purchases, or that you’ll assume it’s a gift from a friend or relative. The link takes you to a bogus site where you’ll be asked to enter personal or financial data, enabling a crook to use it for identity theft. The fake site might also be a launchpad for malware that harvests sensitive information from your device.
Delivery cons have become the predominant form of "smishing," or text-message phishing scams. Crooks sent out an astonishing 23 billion messages about faux deliveries in 2021, accounting for more than 1 in 4 spam texts, according to phone-security service RoboKiller.
There are low-tech variations, too. Scammers might call you posing as employees from a delivery service, saying they need a credit card number or other private data to reschedule a drop-off. Or they’ll leave a failed-delivery notice on your door with a number to call; if you do, the person on the other end will try to talk you into providing personal information to collect your purported package.
Some package crooks resort to even simpler means. These “porch pirates” watch for delivery vans that leave legitimately purchased merchandise at consumers’ doorsteps, ideally when the targets aren’t home, then swoop in and make off with the goods. In a November 2021 survey of 2,000 consumers by market-research firm C+R, 23 percent said they'd had a package stolen from a doorstep or porch, and nearly a third of that group said it had happened more than once.
- You get an email or other communication about a delivery of something you don’t remember ordering.
- The message presses you to urgently make a payment or provide personal or financial information to facilitate a delivery.
- The message includes misspellings or poor grammar.
- A supposed delivery company email has a sender’s address or link with a slightly different version of a business name, such as fedx.com.
- Do be wary of unsolicited phone or electronic communications from a delivery service. Companies will usually alert you to a failed delivery by leaving a notice on your door.
- Do keep track of your online orders and their shipping status. Knowing what’s coming and when makes it easier to spot fake delivery messages.
- Do hover your cursor over links in a supposed delivery email to display the actual target URL.
- Do rely on safe ways to communicate with delivery companies. Call a confirmed customer-service number, or log on to a company’s official website and use the chat function.
- Do consider these steps to thwart porch pirates:
- Don’t respond to an unsolicited email claiming to be from a delivery service that asks you to provide, update or verify personal information.
- Don’t click on a link or open an attachment in an unsolicited email or text message that appears to be from a delivery company.
- Don’t give out personal or credit card information to a caller. Instead, find and call the company’s official customer-service number and ask if they were genuinely trying to contact you about a delivery.
- Don’t reveal your user ID or password for a delivery company’s website to a caller, or to anyone else.
- Don’t call the number on a delivery notice left on your door. If the notice names a company, call its official customer-service line to check on a supposed delivery.
- Don’t rely on official-looking logos or professional-sounding language as proof of authenticity. Scammers study and copy companies’ actual communications to make their ploys look and sound convincing.
- Report suspected package scams to the Federal Trade Commission, online or toll-free at 877-382-4357. If the scam occurred online, report it as well to the FBI’s Internet Crime Complaint Center.
- If you receive a suspicious message that claims to be from UPS, forward it to email@example.com for investigation, then delete the message.
- If the message appears to be from FedEx, or if you visit what you think might be a phony FedEx website, report it at firstname.lastname@example.org.
- Forward suspicious U.S. Postal Service emails to the U.S. Postal Inspection Service at email@example.com.
- If you have questions about a delivery notice from the U.S. Postal Service, visit its website or call 800-ASK-USPS (800-275-8777).
Updated March 8, 2022
About the Fraud Watch Network
Whether you have been personally affected by scams or fraud or are interested in learning more, the AARP Fraud Watch Network advocates on your behalf and equips you with the knowledge you need to feel more informed and confidently spot and avoid scams.
More From the Fraud Resource Center