You’re busy. Your phone buzzes. It’s a text from "USPS" or "Postal Service" claiming your package is held up because of a missing house number or an unpaid $1.35 redelivery fee. You actually are expecting a package—who isn't these days?—so you click.
Stop.
That click is exactly what scammers are banking on. This specific brand of fraud, often called "smishing" (SMS phishing), has absolutely exploded over the last few years. It’s not just you being "careless." These attacks are sophisticated, timed perfectly with our global obsession with e-commerce, and designed to bypass the logical part of your brain by triggering a "micro-urgency" response. Honestly, it’s one of the most effective digital traps out there right now because it mimics a very mundane, believable part of modern life.
The "Incomplete Address" Hook
Most post office text scams follow a very specific script. They don't usually claim you won a billion dollars; they claim something went slightly wrong with a delivery. It’s a small, manageable problem. Maybe the zip code was smudged. Maybe the street number is "missing."
✨ Don't miss: iphone 14 back glass repair cost: What Most People Get Wrong
The text usually includes a link that looks vaguely official—think something like usps-delivery-update.com or post-office-redeliver.top. To a tired person checking their phone at a stoplight, that looks real enough. Once you click, you’re sent to a spoofed website that looks identical to the real USPS.com, complete with the blue and white branding, the tracking search bars, and the official-looking navigation menus.
According to the United States Postal Inspection Service (USPIS), the USPS does not send text messages about unclaimed packages unless you specifically signed up for a tracking request and provided your phone number first. If you didn't initiate it, it's a scam. Period. They won't "randomly" find your number to tell you a box is stuck in a warehouse in New Jersey.
How They Actually Steal Your Money
It's rarely about the $1.00 redelivery fee. That’s just the "foot in the door." When you enter your credit card information to pay that tiny fee, the scammers aren't just taking your dollar; they are capturing your full card details, name, and billing address.
Sometimes, they go further. Some of these malicious links are designed to install "dropper" malware on Android devices. This software sits quietly in the background, waiting for you to open your banking app so it can overlay a fake login screen and steal your actual credentials. It’s a multi-layered attack. You think you're fixing a shipping error, but you're actually handing over the keys to your financial life.
The sheer volume is staggering. In 2023 alone, the Federal Trade Commission (FTC) reported that "bank impersonation" and "package delivery" were the top two categories of text scams reported by consumers. We are talking about hundreds of millions of dollars in losses annually. It’s a numbers game for the scammers. If they send out 100,000 texts and only 0.1% of people click, they still win.
Why Your Spam Filter Misses Them
You might wonder why your phone doesn't just block these. Scammers use "neighbor spoofing" or "SMS gateways" to send these messages from what look like legitimate, local 10-digit numbers. They also frequently change the URL in the text. By the time a specific domain gets flagged as malicious by Google or Apple, the scammers have already moved on to a new one.
They also use "homograph attacks." This is where they use characters from different alphabets that look like Latin letters—like using a Cyrillic "о" instead of an English "o"—to trick the automated filters into thinking the link is a new, unique site.
✨ Don't miss: Are the drones looking for radiation? What’s actually flying over our heads
Recognizing the Red Flags
There are some dead giveaways if you know where to look. First, look at the greeting. Is it generic? "Dear Customer" is a red flag. Real USPS notifications generally reference a specific tracking number that you should already recognize.
Check the link closely. If it doesn't end in .gov, it’s fake. The United States Postal Service is a government entity. They will never use a .com, .net, or .org for their primary tracking services.
Then there's the tone. Scammers love words like "Urgent," "Final Notice," or "Action Required within 24 hours." They want you to panic so you don't think. Real postal delays are annoying, but they aren't emergencies. If a package truly can't be delivered, they usually just leave a physical slip at your door or return it to the sender after a week or two. They don't text you threats about "permanent disposal" of your items.
What to Do if You Already Clicked
Look, it happens. If you’ve already entered information into one of these sites, you need to move fast.
- Call your bank immediately. Don't wait for a suspicious charge to show up. Tell them you've been a victim of a phishing scam and need a new card number.
- Change your passwords. If you used the same password for that "postal site" as you do for your email or bank, change it now. Use a password manager.
- Check for malware. If you're on an Android, run a scan with a reputable mobile security app. On an iPhone, ensure your iOS is updated to the latest version to patch any security holes.
- Report it. Copy the text and forward it to 7726 (which spells SPAM). This helps carriers identify and block the sender's origin point.
The USPS also has a specific email for this: spam@uspis.gov. Sending a screenshot of the text and the phone number to them helps federal investigators track the larger syndicates running these campaigns.
The Reality of Data Leaks
You might be asking, "How did they know I was expecting a package?" Honestly? They probably didn't.
Because of the "Amazon effect," the average household receives multiple packages a month. The scammers don't need to hack your Amazon account; they just need to send out enough texts that they eventually hit someone who happens to be waiting for a delivery. It's a coincidence that feels like a targeted attack.
However, data breaches do play a role. If a smaller online boutique you shopped at two years ago had a data leak, your phone number and name might be on a "sucker list" sold on the dark web. These lists are gold for scammers because they know the numbers are active.
👉 See also: Facebook Poke Means What: The Real Reason Meta Just Brought It Back
Moving Forward Securely
The best way to handle post office text scams is to adopt a "zero trust" policy for your phone. If a text has a link and asks for money or personal info, assume it's a lie.
If you're genuinely worried about a package, don't use the link in the text. Open your browser, manually type in usps.com, and paste your tracking number there. If there’s a real problem, it will show up on the official site.
Actionable Steps to Protect Yourself
- Enable Two-Factor Authentication (2FA) on all financial accounts. Even if they get your password, they can't get into your bank without that second code.
- Use the USPS Mobile App. If you do a lot of shipping, the official app is much safer than clicking links in texts.
- Never pay for redelivery via text. The USPS does not charge for redelivery for most standard packages; that's what your initial postage covered.
- Block the number. As soon as you see the scam, block it. It won't stop them from using a different number next time, but it cleans up your inbox.
Taking five seconds to breathe before clicking can save you weeks of headache dealing with identity theft. The Postal Service is a massive, slow-moving government agency—they aren't going to text you with "urgent" demands for a dollar. Stay skeptical.