You’re sitting on the couch, maybe watching a game or scrolling through social media, when your phone buzzes. It's a text. It says there's a problem with your package. Specifically, a "US Post" delivery has been put on hold because of an incomplete address or a missing house number. There’s a link. It looks official-ish, maybe something like "https://www.google.com/search?q=usps-post-office.com" or a random string of numbers.
Stop. Don’t click it.
Honestly, it’s one of the most successful scams running right now because almost everyone is expecting a package at any given time. We live in an era of constant deliveries. When we see a US Post text message claiming our Amazon order or that birthday gift from Grandma is stuck in a warehouse, our lizard brain takes over. We want our stuff. We click. But that click is exactly what the "smishers"—SMS phishers—are counting on.
Why the US Post Text Message Scam is Exploding
Cybercriminals aren't original; they’re efficient. They use the United States Postal Service (USPS) name because it carries immediate brand authority. If a random guy emailed you asking for your address, you’d ignore him. If "USPS" texts you saying your mail is being returned to the sender, you panic.
This isn't just one guy in a basement. These are organized crime syndicates using "smishing" kits. According to the Federal Trade Commission (FTC), reported losses from text scams have skyrocketed over the last few years, reaching hundreds of millions of dollars. The US Post text message is the king of these lures.
The psychology is simple: urgency plus legitimacy. They create a "loss" scenario. You aren't gaining something; you're losing something you already paid for. That triggers a much stronger emotional response.
The Anatomy of the Fraud
Let’s look at what these messages actually look like. They usually follow a very specific, albeit slightly broken, template.
"The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link."
Notice the phrasing. "The USPS package." Not "Your package." It’s generic. Then there’s the link. USPS will never send you a text with a link unless you specifically signed up for tracking updates for a specific tracking number first. If you didn't initiate it, it's fake. Period.
The links are the giveaway. They often use URL shorteners or domains that look almost right but are slightly off. Maybe it's ".top" or ".info" instead of ".com." Or it’s a site that looks like "https://www.google.com/search?q=uspstxt.com." The real USPS website is always usps.com. Anything else is a trap.
What Happens if You Actually Click?
Okay, let’s say you were distracted and you clicked. What’s the worst that could happen?
Usually, the link takes you to a "clone" site. These sites are beautiful. They look exactly like the real USPS homepage. They have the blue and white branding, the official logos, and even a "Track Package" button.
💡 You might also like: Why the Keep Awake Chrome Extension is the Only Way to Save Your Sanity During Long Downloads
Once you’re there, they ask for your "corrected" address. Fine, that seems harmless, right? But then comes the hook. They’ll tell you there’s a "redelivery fee." It’s usually something tiny. 30 cents. 99 cents. $1.25.
Because the amount is so small, people don't think twice. They pull out their credit card. They enter the number, the CVV, and the expiration date.
You just gave a criminal organization the keys to your bank account for 30 cents.
Within minutes, that card is being tested for a small "holding" charge, and then it’s off to the races with high-value purchases or the info is sold on a dark web marketplace like Genesis or Russian Market. Some of these sites even install malware or "spyware" on your phone the moment you click the link, though that's less common than simple credential harvesting.
Real Evidence from the USPS Inspection Service
The United States Postal Inspection Service (USPIS) has been shouting about this for a long time. They’ve even set up a dedicated email for reporting these: spam@uspis.gov.
They’ve noted that the US Post text message scam often circulates in waves. You might get three in a week and then nothing for a month. This is because the "botnets" sending these messages move through blocks of leaked phone numbers. If your number was part of a data breach—and let’s be real, whose hasn't been?—you’re on the list.
How to Tell a Real USPS Text from a Fake One
There are legitimate USPS texts. But the differences are stark.
- The Origin: Real USPS tracking updates come from a five-digit "short code" (like 28777), not a standard 10-digit phone number or an email address formatted as a text.
- The Content: A real text will contain a tracking number you recognize. It won't say "a package." It will say "Your item with tracking number 9400..."
- The Link: Most legitimate USPS texts don't even have links. They just give you the status update. If there is a link, it will always lead directly to usps.com.
- The Ask: USPS will never, ever ask for money via a text message to redeliver a package. Redelivery is a free service you schedule on their official site.
The "Incomplete Address" Myth
Think about the logic for a second. If the USPS doesn't have your address, how do they have your phone number?
They don't.
💡 You might also like: Rio de Janeiro Overlay: Why Your Map Data Is Probably Wrong
Unless you are a registered USPS.com user who has explicitly linked your phone number to a specific tracking number in your dashboard, they have no way of connecting your mobile phone to a cardboard box with a smudged label in a warehouse in Chicago. It’s a logical gap that we overlook when we’re in a hurry.
Technical Nuances of the Attack
The scammers are getting smarter. They’ve started using "look-alike" characters. In the world of URLs, this is called a homograph attack. They might use a Cyrillic "а" instead of a Latin "a." To your eyes, the link looks like usps.com. To the computer, it’s a completely different IP address.
They also use "cloaking." If you click the link from a desktop computer, it might redirect you to the actual Google homepage so you think it was just a dead link. But if you click it from an iPhone or Android device, it shows you the scam site. They do this to hide from security researchers who use automated tools to scan for phishing sites.
Variations of the Scam
It’s not just the US Post text message anymore. You might see versions for:
- FedEx: "We missed you for your delivery."
- UPS: "Package 1z-999 is pending."
- DHL: "Duty fees unpaid."
They all lead to the same place: a fake payment portal designed to steal your financial data.
Protecting Yourself: Beyond "Just Don't Click"
Education is great, but we’re human. We make mistakes. You need layers of defense.
First, use a dedicated tracking app. Apps like "Shop" or even the official USPS Mobile app pull data directly from the carriers. If the app says your package is fine, but a text says it’s stuck, believe the app.
Second, if you’re ever in doubt, go to the source. Don’t click the link in the text. Open your browser, manually type in usps.com, and paste your tracking number there. If there’s a real issue, it will show up in the official system.
Third, report it. On an iPhone, you can click "Report Junk" under the message. On Android, you can report it as spam within the Messages app. This helps carriers like Verizon and AT&T block these numbers for everyone else.
What to do if you already got scammed
If you’ve already entered your card info, don't feel stupid. These people are professionals.
- Call your bank immediately. Tell them you’ve been a victim of a "smishing" scam. Cancel the card and get a new one issued.
- Change your passwords. If the scam site asked you to "log in" to your USPS account, change that password. If you use that same password for your email or bank, change those too.
- Check for malware. If you downloaded anything or "allowed" a profile to be installed on your phone, you might need to do a factory reset or run a mobile security scan.
The Future of Text-Based Fraud
As AI gets better, these texts will get more convincing. No more "kindly" or weird grammar. They will sound perfect. They might even use your actual name, which they can get from any number of public data brokers.
The defense remains the same. Be skeptical.
The postal service is a massive, slightly slow-moving government agency. They aren't going to text you out of the blue with a high-pressure demand for 45 cents to save your package from destruction. It's just not how they operate.
Key Takeaways for Staying Safe
- Trust the Short Code: Real USPS texts come from 28777.
- Manual Entry Only: Never use a link in a text message to go to a government or financial site. Type the URL yourself.
- Zero Payment via Text: USPS doesn't charge for redelivery via text message.
- Verify Logic: If they don't have your address, they shouldn't have your phone number.
If you want to be a good digital citizen, take a screenshot of the scam and send it to the USPIS. Then block the number and go back to your day. Your package—the real one—is probably just fine.
Actionable Next Steps
If you’ve been receiving a lot of these messages lately, your phone number is likely "hot" on a scammer's list. You can't necessarily get off the list, but you can make your phone a harder target.
Start by enabling "Filter Unknown Senders" in your phone settings. On an iPhone, this is under Settings > Messages > Filter Unknown Senders. This will put texts from people not in your contacts into a separate tab so you don't get a notification and an adrenaline spike every time a scammer hits "send."
Next, check your email and phone number on HaveIBeenPwned.com. This site is run by security expert Troy Hunt and will tell you exactly which data breaches leaked your information. Knowing where your data is floating around can help you stay alert for specific types of scams. For instance, if you were part of a healthcare breach, you might start seeing fake "medical bill" texts next.
✨ Don't miss: The Real Picture of DNA: What Scientists Actually See Through the Microscope
Stay vigilant, keep your software updated, and remember: when in doubt, delete it. The mail will eventually find its way to you without you having to risk your bank account.