You’ve surely received one (if not dozens) of these texts, noting that your U.S. Postal Service, UPS or FedEx delivery has been kept on hold because of an issue with your address, insufficient postage, or nobody was home to receive it. Just visit [a link will usually be included here] to provide more information, pay for extra postage or reschedule delivery.
The link might take you to a legit-looking website, often with the logo of the delivery service and an actual tracking number, where you are asked to verify your address, and perhaps pay a small “redelivery fee.”
One caller to AARP’s Fraud Watch Network Helpline paid with her credit card — in her case the charge was 99 cents — and discovered later that she'd been charged $400.
That’s just one example from the endless stream of fake delivery-service texts Americans have been receiving from scammers, who are smishing (the term for scam attempts made via text, or SMS) for personal info and money. According to the Federal Trade Commission (FTC), Americans reported $330 million in losses to text scams last year, more than double the reported losses from 2021. And delivery scams — with most messages purportedly from the U.S. Postal Service, FedEx and UPS — were the third most commonly reported type (behind fake bank texts and promises of free gifts or prizes).
These smishing attempts can be extremely effective, says Amy Nofziger, director of victim support for the AARP Fraud Watch Network. We may be hit with a delivery-related smishing attempt when we have just mailed or are expecting a package — something that’s likely these days, with so much online ordering. The criminals “are playing off people’s emotions, and people’s need for what’s coming in the mail, to get them to click on the link,” she says.
“Like all phishing, they’re trying to create the idea that there’s something you need to deal with right away,” says Steve Weisman, a professor of white-collar crime at Bentley University in Waltham, Massachusetts, and an expert in scams, identity theft and cybersecurity.
It’s not always clear what the criminals do with the personal information they collect through smishing, Weisman says, but they may sell it to other bad actors, or plan to use it in the service of future scams. You are more likely to trust future communications from them if they can provide personal details about you, he notes.
Warning signs of smishing
You receive notice about a problem with the delivery of your USPS package when you haven’t made a tracking request (or haven’t even mailed one). Unless you explicitly sign up for status alerts on a package, you won’t receive a text from USPS, says Donna Harris, public information representative with the United States Postal Inspection Service (USPIS). “That’s not how the Postal Service connects with the customer,” she says. And if you never signed up for a USPS tracking request for a specific package, a text message citing one is certainly a fake.
The message has misspellings or awkward grammar. These are classic signs of a scam attempt (UPS also cites “excessive use of exclamation points”). But note that with artificial intelligence and other advanced technology, scammers are growing more sophisticated in their replication of legitimate communications.