If you get an urgent text message about a package, it's probably a scam. Here's how to tell, and how to avoid getting suckered.
If You Get a USPS Scam Text, You Need To Do This Immediately
Just yesterday, and last week, and the week before that, I got text messages from USPS informing me I had a package that couldn’t be delivered due to an incomplete address. To fix it, all I needed to do was click on a link and enter my personal info… Nope, I’m not falling for that scam text!
And I’m not alone. More than 400 million scam texts arrive on phones across the country every day, with an uptick during shopping events like Prime Day and Cyber Monday.
“Since the pandemic, online shopping has skyrocketed, and scammers tend to follow where the crowd goes,” says Vinicius Perallis, CEO of Hacker Rangers. “The more people shop online, the more these criminals take advantage of that behavior by sending out scam texts, pretending to be companies like USPS.”
If you’ve received a text from USPS, UPS or another shipping company, here’s how to recognize if it’s a scam and what to do next.
On This Page
What Is Smishing?
Smishing, or SMS phishing, is a type of fraud that attempts to use text messages to trick people into giving away sensitive information, clicking on a link that loads malware onto their device, or taking them to a deceptive website. And it’s surprisingly effective: according to research by Bitdefender, about 15% of people who receive these SMS messages end up clicking on a link.
“Although phishing has been a known technique for a long time, [it’s] still extremely successful because consumers and businesses are still struggling to effectively defend against them,” says Ben Eichorst, Director of Infrastructure Security at Yubico.
What To Do If You Get USPS or UPS Scam Texts
First, if you get a message you think is a scam, don’t click on the link, and also refrain from replying.
“These texts are annoying, and it’s tempting to reply with a few choice words,” says Seth Geftic, Vice President of Product Marketing at Huntress. “But you’re letting the scammers know your phone number is active, meaning you could receive more scam texts in the future.”
Instead, block the number on your device and report the text to the FTC by forwarding it to (7726) SPAM. For USPS, also send it to [email protected]. “This not only helps protect others but also gives USPS important information to fight these scams,” says Perallis.
Next, delete the text so you don’t accidentally hit the link later, which could be loaded with malware. As an added precaution, watch your bank accounts for unusual activity.
If you’re unsure whether a text is a scam, ask the organization by using contacts on their official website. Verify tracking numbers directly on the USPS or UPS website. If they’re invalid, they’re probably a scam, says Perallis. Also, find updates for ongoing scams and suggestions for what to do directly from USPS and UPS.
What To Do If You Engaged With a USPS or UPS Scam Text?
If you clicked on a link from a scam text and entered login information, like for your USPS account, change your password immediately both on that site and for any other sites on which you’re using that password, says Perallis. Then:
- If you gave out financial details, like a credit card number, call your bank to report it and watch statements for suspicious charges.
- If you provided personal information, like your Social Security number or address, monitor your accounts for signs of identity theft.
- If you clicked on a link and now think it might’ve been a scam, run a virus scan on your device for malware.
What Do USPS Scam Texts and Others Look Like?
Scam texts are ever-evolving and can take a number of forms, but in general, look for:
- Grammatical mistakes, strange punctuation and misspellings. “There is a theory that scammers do this deliberately, as people who reply to these messages might be more vulnerable to scams than your average person,” says Geftic.
- A sense of urgency, with alarming or threatening language aimed at getting you to take action without thinking.
- A request for personal or financial information, including passwords, credit card numbers or your date of birth. “A legitimate courier mall company does not and will not, out of the blue, send a text message requesting for more details or money,” says Chris Dukich, CEO of Display Now.
- A link to a website that includes misspellings, strange numbers or abbreviations.
Also, if you’re not expecting a package, that’s a red flag, since USPS doesn’t send texts unless you’ve requested tracking updates, says Yashin Manraj, CEO of Pvotal Technologies. “We recommend considering all text from unknowns as scams or spam and slowly building up a contact list of trusted providers,” he says. “For example, UPS will use 4601, 5289, 48515 or 69877, while USPS uses 28777.”
What Does It Mean If You’re Getting Smishing Texts?
There are many reasons you might be getting scam texts, from your number being involved in a data breach to entering your info on an unprotected website to your number coming up on automated random number-generating software.
It doesn’t mean the scammers targeting you specifically, says Dukich. “Scammers usually send enormous amounts of messages and hope for the best,” he says.
How To Protect Yourself from Scam Texts
Besides not opening any links and not responding, in general, never share personal information, like your banking password or credit card information. It is unlikely any legitimate organization would ask for this via text. Also:
- Use spam blockers provided by your network provider.
- Don’t freely give out your mobile number online. Manraj suggests using a virtual number in all online stores, which you can get from most modern app stores.
- Regularly update your phone/device software, which will help prevent malware.
- Enable accounts to use multifactor authentication (MFA), which will make it harder for scammers to succeed, even if they do get some info from you.
- For even more protection, Yubico suggests seeking out modern phishing-resistant MFA options with hardware security keys, like their YubiKeys.
And finally, trust yourself. “If your gut instinct tells you the message is suspicious because it has bad grammar, an alarmist tone or you weren’t expecting to receive the message, there’s a good chance it’s fake,” says Geftic.
About the Experts
- Vinicius Perallis is an expert in cybersecurity and CEO of Hacker Rangers, a company that fosters cybersecurity practices within businesses by using gaming techniques
- Seth Geftic is Vice President of Product Marketing at Huntress security platform, and has almost two decades of cybersecurity experience working across endpoint, MDR, phishing and identity
- Yashin Manraj is CEO of Pvotal Technologies, which helps build more secure systems at the world’s best engineering firms
- Chris Dukich is founder and CEO of Display Now, a SaaS platform focused on technology and user engagement
- Ben Eichorst is the Director of Infrastructure Security at Yubico, an industry leader in multifactor authentication and hardware security keys, which help secure consumers from phishing attacks.