Is That Delivery Text Real? How to Spot Package Smishing

Your phone buzzes. A text says your package could not be delivered and that you need to click a link to reschedule. It looks real. It feels real. And that split second of doubt is exactly what criminals count on. This guide walks you through everything you need to know about package smishing, the fastest-growing delivery scam hitting phones across the country right now.

1. What Is Package Smishing?

The word smishing combines two familiar ideas: SMS (text messaging) and phishing (the act of tricking someone into handing over personal information). Put them together and you get one of the most effective scam methods criminals are using right now.

A package smishing scam, specifically, is a fraudulent text message designed to look like it came from a real delivery company such as USPS, FedEx, UPS, or DHL. The message usually claims there is a problem with your shipment. Maybe the address is incomplete. Maybe a small customs fee is owed. Maybe the driver could not find your home. The goal is always the same: get you to tap a link and hand over your personal or financial information.

What makes this type of scam stand out from older forms of fraud is where it lands. Unlike email scams that you might scroll past in a spam folder, smishing arrives in your text message inbox. That is the same place where you receive messages from your family, your doctor, and your bank. The level of trust that comes with that channel is something criminals are working very hard to exploit.

2. Why Delivery Scams Work So Well

Think about the last week of your life. Did you order anything online? Did a family member or coworker receive something? Chances are very high that someone in your immediate circle is always waiting on a delivery. That universal reality is exactly why fake delivery notifications are so devastatingly effective.

When you are already expecting a package, a text that says there is a problem with your delivery does not feel like a threat. It feels like an inconvenience. That small emotional shift from suspicion to mild annoyance is enough to lower your guard and get you to tap without thinking.

Scammers also take advantage of the fact that text messages carry a different kind of trust than emails. Most people have learned to be cautious with emails from strangers. But a text? That still feels more personal, more direct, and more trustworthy. Criminals know this, and they have built their entire strategy around it.

On top of that, artificial intelligence tools are now making these messages nearly impossible to spot based on grammar and spelling alone. The old advice about looking for typos no longer applies. Today, a scam text can be perfectly written, professionally formatted, and completely convincing to even a careful reader.

3. The Numbers Behind This Growing Threat

This is not a small or niche problem. The scale of SMS phishing and delivery fraud has grown into one of the most significant consumer safety issues in the country.

• 31% of consumers say they have received a fake delivery text
• 14 scam messages the average person receives every single day
• $470M in reported text scam losses in 2024, up 5x from 2020
• 70% of all mobile phishing attacks arrive through smishing

Fake delivery and shipping notices are the single most commonly reported scam people encounter today. Delivery fraud is not just a holiday problem, either. It happens year-round because online shopping never stops. The only thing that changes is the volume, which spikes during major shopping events and shipping seasons.

The financial damage goes far beyond the losses people report. Identity theft, unauthorized credit card charges, and drained bank accounts often go unreported because victims feel embarrassed or unsure who to contact. The real number is almost certainly much higher than what official data captures.

4. How to Spot a Fake Delivery Text: 8 Key Red Flags

Even though today's scam messages are more polished than ever, they still follow patterns that you can learn to recognize. Here are the most important warning signs of a fake delivery notification.

• RED FLAG 1

  You did not sign up for text alerts. USPS does not send text notifications unless you specifically requested tracking updates for a particular package through their website. If you never set that up, any delivery text claiming to be from USPS is a red flag. The same logic applies to FedEx and UPS, neither of which will send unsolicited texts asking for payment or personal information.

• RED FLAG 2

  The message creates extreme urgency. Phrases like "immediate action required," "respond within 2 hours," "your package will be returned today," or "final notice" are designed to make you panic and act without thinking. Real delivery companies do not threaten you. They give you time to respond, and they provide multiple ways to do so.

• RED FLAG 3

  The link does not match the carrier's real website. A real USPS link goes to usps.com. A real FedEx link goes to fedex.com. Scam messages use lookalike domains with extra words, hyphens, or different endings such as .info, .net, or country codes you do not recognize. Always check the full URL before tapping anything.

• RED FLAG 4

  You are asked for payment by text. A fee to reschedule delivery. A small customs charge. A redelivery cost. These requests are almost always fraudulent. Real carriers bill shippers, not recipients. If there were a legitimate fee, you would be notified through the retailer you bought from, not through a cold text message.

• RED FLAG 5

  The message asks for personal information. No legitimate delivery service will ever ask for your Social Security number, date of birth, bank account details, or full credit card number through a text message. Ever. There is no delivery scenario that requires this information from a recipient.

• RED FLAG 6

  There is no tracking number or order reference. Real shipping notifications almost always include a specific tracking number, an order number, or the name of the retailer. A vague message that says "your package" without any identifying details is a strong sign that a criminal is casting a wide net, hoping someone who happens to be waiting on a delivery will bite.

• RED FLAG 7

  The phone number looks strange. Real carrier alerts typically come from five or six-digit short codes. If the text comes from a standard ten-digit phone number you do not recognize, or from an international number, that is a meaningful warning sign. Scammers rotate through new numbers constantly, which is why even an unfamiliar local number should raise your suspicion.

• RED FLAG 8

  You are not expecting anything. This sounds simple, but it is powerful. If you have not placed a recent order and no one you know has mentioned sending you something, a delivery notification text has no legitimate reason to exist. Trust that instinct.

5. Real-World Examples of Scam Delivery Texts

Reading about warning signs is helpful. Seeing what these messages actually look like is even better. Below are three representative examples of phishing text messages that circulate widely. These messages are constructed to look completely authentic at first glance.

• USPS ALERT: Your package tracking #US9456873001 has arrived at our facility but cannot be delivered due to incomplete address information. Confirm your delivery address to avoid return: usps-delivery-confirm.info/update
• FedEx: We attempted to deliver your parcel but no one was available. A redelivery fee of $2.99 is required to reschedule. Complete payment within 24 hours to avoid return to sender: fedex-redeliver-now.com/pay
• UPS Delivery Notice: Our driver was unable to locate your address. Your package is pending. Please provide your complete delivery details to avoid automatic return: ups-parcel-update.net/confirm

Notice what each of these has in common. They claim to be from trusted brands. They reference a specific or semi-specific tracking number. They create urgency. They include a link. And that link does not go to a real carrier website. The domains are designed to look close enough to the real thing that someone skimming quickly might not notice the difference.

With AI tools now generating these messages in bulk, they are becoming even more polished. The days of spotting a scam by its awkward phrasing are largely behind us.

6. What Actually Happens When You Click

Understanding the consequences makes the risk real. If you tap a link in a fake shipping notification, one or more of the following things can happen, often without you realizing it until the damage is done.

Your personal information gets stolen

The link takes you to a fake website built to look exactly like the real carrier's site. When you enter your name, address, and email to "confirm delivery," those details go directly to criminals. That information is then used for identity theft or sold to other fraudsters.

Your credit card details are captured

If the fake page asks for payment, entering your card number, expiration date, and security code gives scammers everything they need to make unauthorized charges. Some victims do not notice fraudulent activity for days or weeks.

Malware is installed on your device

Some smishing links do not even need you to fill out a form. Simply visiting the page on certain devices can trigger a silent download that installs spyware or malware. This software can log your keystrokes, capture screenshots, and access your saved passwords over time.

Your other accounts get compromised

If you use the same password across multiple accounts, and a scammer captures your login from a fake site, they can try that same combination on your email, banking app, or social media platforms. A single click can become a chain reaction.

The Federal Trade Commission reported $470 million in consumer losses from text scams in 2024 alone, a fivefold increase from just a few years earlier. That number represents only the cases that were reported. The actual total is widely believed to be far higher.

7. What to Do Instead of Clicking

The right move when you receive a suspicious delivery text is always the same: do not click the link in the message. Verify through a completely separate channel instead. Here is exactly how to do that.

• Open your phone's browser and type the carrier's real web address directly:usps.com,fedex.com,ups.com, ordhl.com. Do not copy the link from the text. Type it fresh.
• Use the official tracking tool on that site and enter any tracking number you have from your original order confirmation email.
• Check the email confirmation you received when you placed your order. Most retailers include a real tracking link there, and that one goes to the actual carrier's website.
• If you are genuinely unsure about a delivery, call the carrier's customer service line. Find that number on their real website, not in the suspicious text.
• Delete the suspicious text after verifying. There is no need to keep it.

The key principle here is simple. Never let a text message be your source of navigation. Scammers are counting on you to tap the link they provide. If you always find your own way to the carrier's website instead, the scam has no power over you.

8. What to Do If You Already Clicked

First, take a breath. You are not alone, and quick action can significantly limit the damage. Here is what to do right now.

Immediate Steps After Clicking a Smishing Link

1. Close the page immediately without entering any information, if you have not already done so.
2. If you entered payment details, call your bank or card issuer right now and explain what happened. Ask them to freeze the card and monitor for fraud.
3. Change the password on any account you logged into through the suspicious link. Do this immediately, and also change the password on any other account that uses the same login credentials.
4. Turn on two-factor authentication on your key accounts, especially your email, banking apps, and shopping accounts.
5. If you shared personal information like your Social Security number or date of birth, contact the three major credit bureaus to place a fraud alert on your file. The bureaus are Equifax, Experian, and TransUnion.
6. Run a security scan on your phone if you believe malware may have been installed. Most major mobile security apps can do this.
7. Monitor your bank and credit card statements closely for the next several weeks and report any unauthorized charges immediately.

Acting quickly is the most important thing. The faster you close the loop, the less time criminals have to use your information. Banks and card issuers have fraud teams available around the clock specifically for situations like this. Do not wait until morning if it happens at night.

9. How and Where to Report a Smishing Attempt

Reporting a delivery text scam matters more than most people realize. When enough people flag the same number or domain, carriers and federal agencies can move faster to shut it down and warn others. Here is where to send your report.

Forward to 7726 (SPAM)

Supported by most mobile carriers. Forwarding the scam text to 7726 flags the number and helps build a shared database used to block similar messages.

FTC: reportfraud.ftc.gov

The Federal Trade Commission tracks scam patterns and uses reports to take action against fraud operations. You can also call 1-877-FTC-HELP.

IC3: ic3.gov

The FBI's Internet Crime Complaint Center accepts detailed reports of online fraud including smishing. Include screenshots and any financial loss details.

USPS: spam@uspis.gov

Forward suspicious texts or emails claiming to be from USPS directly to the Postal Inspection Service.

FedEx: abuse@fedex.com

FedEx accepts reports of fraudulent messages using their brand. Include a screenshot of the suspicious text.

UPS: fraud@ups.com

UPS maintains a fraud alert system and accepts reports from consumers who receive suspicious messages claiming to be from UPS.

One important note: do not reply to the suspicious text, even to say "STOP." Replying confirms to the sender that your number is active and monitored, which can result in more targeted scam messages in the future. Simply forward it to the appropriate contact above and then delete it.

10. How to Protect Yourself Long Term

Good habits built now will protect you from smishing scams consistently over time. None of these steps require technical expertise. They are straightforward changes that make a meaningful difference.

Be selective about sharing your phone number

Your phone number is more valuable to scammers than most people realize. Be thoughtful about which websites and services you give it to. Avoid entering your number in response to pop-up ads, contest entries, or free trial offers. Each unnecessary share increases the chances of your number ending up in a scammer's list.

Use your carrier's built-in spam filters

Both iOS and Android have native tools for filtering messages from unknown senders. On iPhone, go to Settings, then Messages, and turn on Filter Unknown Senders. On Android, open the Messages app, go to Settings, and enable spam protection. These tools are not perfect, but they catch a meaningful share of smishing red flags before they reach your main inbox.

Never reply to messages from numbers you do not know

Even typing "STOP" to opt out of a message you did not sign up for confirms that your number is real. Scammers use this information to confirm active numbers and sell them to other fraud operations. Silence is always the right response to suspicious texts.

Verify every delivery through the original source

Make it a habit to track packages only through the confirmation emails you received when you placed your order, or by going directly to the carrier's website. This single behavior eliminates the risk from almost every fake delivery notification that could ever land in your messages.

Keep your accounts separated

Use unique passwords for every online account, especially your email and banking apps. A password manager makes this practical and removes the burden of memorizing dozens of different credentials. If one account is compromised, unique passwords mean the damage stays contained.

Stay informed about new tactics

Scammers update their methods regularly. QR code scams embedded in fake shipping labels, voicemail-based delivery fraud, and AI-generated messages that address you by name are all growing. Staying aware of what is currently circulating gives you a meaningful edge.

"The best defense against smishing is a pause. Just one second of doubt, before tapping any link in a text, is enough to stop the vast majority of these scams from working."

The Bottom Line

Package smishing is the number one reported scam people encounter right now, and it works because it targets something completely normal: the everyday experience of waiting for a delivery. The moment a suspicious text lands in your inbox, slow down. Do not tap that link. Navigate to the carrier's real website on your own. Check your original order confirmation email. Call the carrier directly if you are unsure.

Every one of these scams depends on speed. They need you to act before you think. When you pause, you win. When you verify through official channels, the scam fails. The tools to protect yourself are already in your hands. Now you know exactly how to use them.