Package delivery

# what it is

A package-delivery scam is a phishing scam delivered by SMS (sometimes called smishing). The text claims a courier is holding a package because of an address issue, an unpaid customs fee, or a missed delivery. It includes a link to "resolve" the issue. The link goes to a fake USPS / UPS / FedEx / DHL page that asks for your address, and a credit card to pay a tiny "redelivery fee".

The fee itself is small ($1–$3) on purpose. The real goal is the card number. Within hours that card is being tested on subscription services, then used or sold.

# how they reach you

Package-delivery scams are heavily SMS-driven, but a few other channels show up:

• An SMS from an unknown number, by far the most common. Generic enough to feel plausible: "USPS: Your package could not be delivered due to an incomplete address. Please update at: [link]". Often from long international numbers, email-to-SMS gateways, or weird short codes.
• An iMessage / RCS message that mimics a real courier's branding more convincingly than plain SMS. Apple's recent move to filter unknown senders has helped, but operators have adapted by flooding through international gateways.
• An email with the courier's logo, a tracking number, and a link. Less common than SMS but still active.
• A robocall voicemail about a "held package" with a callback number.
• A WhatsApp message to numbers that have WhatsApp accounts, common internationally, increasingly common in the U.S.
• A spoofed-sender SMS showing "USPS" or "FedEx" as the sender name. Carriers can sometimes filter these, but a lot still get through.

What they share: you didn't ask for the message, the courier mentioned often isn't the one you actually use, and "resolution" requires clicking a link and entering payment information.

# how it works after you click

1. The fake URL. Almost always a domain that looks like the real one but isn't: usps-redelivery.com, usps.delivery-update.info, usps-pkg.com, track-fedex.app, dhl-claim.live. Sometimes the link is shortened (bit.ly) so you can't see it.
2. The convincing page. A pixel-perfect clone of the real courier's site. Sometimes even copies their cookie banner and chatbot.
3. The "fee". $1.99 redelivery, $2.50 customs, $3.00 update fee. They want you to enter your credit card.
4. The card harvest. Card number, expiration, CVV, ZIP, sometimes name, address, phone, and email too. Sometimes a fake "verify with your bank app" step that asks for your one-time passcode.
5. The card test and resale. Within hours your card is being tested on small charges (Spotify, Apple Music, $1 charity donations). If those go through, larger charges follow. Many cards get resold on underground markets within a day.

# why couriers don't do this

This scam works because it imitates a real workflow that people half-remember (customs fees, redelivery fees) but with a key change: real couriers don't text you to collect them. The breakdown:

• Real customs fees (international shipments) are paid through the courier's official site or app, which you log into yourself, or settled with the recipient at delivery, or routed through customs brokers, never by SMS link.
• Real redelivery for a missed delivery is free in the U.S. for USPS, UPS, and FedEx. You schedule it on the courier's app or website.
• Real shipping notifications go to the email you used at checkout from the courier's actual domain, with a tracking number you can verify in their app.

If you got a text about a package and you actually have a package in flight, open the courier's app or type the URL directly (usps.com, fedex.com, ups.com, dhl.com) and look up the tracking number from your order confirmation email. Never from the text.

# red flags

• A delivery notification for a package you didn't order, or one that's already been delivered.
• The text comes from a long unknown number, an @something.com email-to-SMS gateway, or a foreign country code.
• The link is not on the real courier's domain.
  • Real: usps.com, ups.com, fedex.com, dhl.com
  • Fake: anything with hyphens, country codes, weird TLDs, or extra words bolted on
• The text demands a small payment to release a package. Couriers do not text you for fees. Customs fees are paid through real customs agencies, on the courier's official site or app, never through a one-time SMS link.
• Urgency: "expires in 24 hours", "package will be returned to sender today".

# the URL test (again)

Same rule as phishing: before clicking any "tracking" link, look at the URL.

• The real domain is everything between the last two dots before the path.
• usps.com/redelivery, real
• usps-redelivery.com, fake (the domain is usps-redelivery, not usps)
• usps.com.update-pkg.info, fake (the domain is update-pkg.info, not usps.com)
• bit.ly/3xK4, opaque; do not click. If you must check the destination, paste it into unshorten.it instead.

If you think the package is real, go to the courier's app or type the URL yourself (usps.com, fedex.com, ups.com, dhl.com) and enter the tracking number from your order confirmation. Never from the SMS.

# what to do if you entered card details

• Call your card issuer immediately. Tell them you entered your card on a phishing site. Ask them to:
  • Cancel the card and reissue.
  • Flag any pending or recent unrecognized transactions.
  • Watch the account for the next 30 days.
• Change passwords on any account you might have entered on the same page (some kits also collect email + password).
• Save the SMS, the link, and any screenshots before deleting.
• Report.
  • Forward the SMS to 7726 (SPAM), works on AT&T, Verizon, T-Mobile, and most other U.S. carriers. Free. Actually used by carrier filters.
  • USPS phishing reporting for USPS imitations.
  • FedEx Customer Protection for FedEx imitations.
  • UPS fraud for UPS imitations.
  • FTC for the consumer record.
• Do not click any "fix it" follow-up texts. Once you respond to one, you'll be flagged in the operator's database as a live target and the next round of scams (often "your card has been compromised" calls) will start within days.

# why this scam is so effective

You probably do have packages in flight at any given time. The text usually arrives during a window where it's plausible. The brain pattern-matches on the courier name and the real-looking link before noticing the small details.

The only reliable defense is the habit: never tap a link in a delivery text. Always go to the courier's app or website yourself.

# the bottom line

USPS, UPS, FedEx, DHL, Amazon, and Walmart will never charge you a redelivery fee by SMS link. Any text that does is a phishing site harvesting cards.