Package Delivery Scams: Fake Tracking and Shipping Notifications

By AntiPhishers

Security Education: This article describes cyber threats for defensive awareness and education purposes only. Understanding how attacks work helps organizations and individuals protect themselves. Never use this information for unauthorized access or malicious purposes.

With billions of packages shipped annually and most consumers expecting deliveries at any given time, fake package delivery notifications have become one of the most effective phishing vectors. These scams exploit the near-certainty that you are actually waiting for a package, making the fraudulent notification feel legitimate.

How Package Delivery Scams Work

Smishing (SMS phishing). You receive a text message claiming to be from USPS, UPS, FedEx, or Amazon: “Your package could not be delivered. Schedule redelivery here: [malicious link].” The link leads to a phishing page that mimics the carrier’s website, requesting personal information, a credit card number for a “redelivery fee,” or login credentials.

Email phishing. Emails with carrier branding and tracking numbers claim a delivery failed, a customs fee is required, or a package is waiting for pickup. Attachments may contain malware disguised as shipping labels or invoices. The emails increasingly use real tracking number formats and reference actual carrier services.

Fake delivery apps. Text messages prompt you to install a “tracking app” that is actually spyware or a banking trojan. FluBot, a major Android malware campaign, spread entirely through fake delivery SMS messages, stealing banking credentials from hundreds of thousands of victims across Europe.

The “missed delivery” card. Physical cards left at your door or in your mailbox claim a delivery was attempted, with a phone number or website to reschedule. The phone number connects to a scammer, and the website captures your information.

Recognizing Fake Notifications

Check the sender. Legitimate carriers send from official domains (usps.com, ups.com, fedex.com), not from random phone numbers or generic email domains. However, spoofed sender addresses can appear legitimate, so do not rely solely on this.

Check the tracking number independently. Copy any tracking number from the message and enter it directly on the carrier’s official website (not through the link provided). If the tracking number does not exist in the carrier’s system, the notification is fake.

Watch for urgency and fees. Real carriers do not demand immediate payment via text to release packages. USPS never charges redelivery fees. UPS and FedEx handle customs charges through established processes, not text message links.

Examine links without clicking. The URL in a fake USPS text might be “usps-tracking-delivery.com” rather than “usps.com.” On mobile, press and hold the link to preview the URL before opening.
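
The link check above can be automated for a mail or SMS filter. The following Python is an added example, not code from the original article: it classifies each link in a notification as official, lookalike or unrelated by comparing the hostname with the carrier domains named above. The sample messages and the “.example” domain are constructed, and the lookalike rule (brand name appearing as a dot- or hyphen-separated word in the hostname) is an assumption that generalizes the article’s single USPS example.

```python
import re
from urllib.parse import urlsplit

# Official carrier domains named in the article.
OFFICIAL = {"usps": "usps.com", "ups": "ups.com", "fedex": "fedex.com"}
# Matches links with or without a scheme, as they appear in SMS text.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    """Hostname of a link, lowercased; tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for one link."""
    host = host_of(url)
    # Official only if the host IS the carrier domain or a subdomain of it.
    # A substring test ("usps.com" in host) would wrongly accept lookalikes.
    for domain in OFFICIAL.values():
        if host == domain or host.endswith("." + domain):
            return "official"
    # Brand name used as a label or hyphenated word on someone else's domain.
    # Limitation (assumed rule): misses run-together names like "uspstracking".
    words = set(re.split(r"[.-]", host))
    if words & set(OFFICIAL):
        return "lookalike"
    return "unrelated"

def scan(message):
    """Classify every link found in a notification's text."""
    return [(host_of(u), classify(u)) for u in URL_RE.findall(message)]

# Constructed sample messages (not real campaign data).
SAMPLES = [
    "Your package could not be delivered. Schedule redelivery here: "
    "https://usps-tracking-delivery.com/redeliver",
    "FedEx: customs fee due, pay at fedex.com.parcel-fee.example/pay",
    "UPS update: see https://www.ups.com/track for status.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan(msg))
```

An “official” verdict only says the link points at the carrier’s domain; as noted above, sender details can be spoofed, so the tracking number should still be checked on the carrier’s site.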

Protection Steps

Never click links in delivery notification texts or emails. Instead, go directly to the carrier’s website or app to check delivery status. If you are expecting a package, use the tracking information from the original order confirmation, not from unsolicited messages.

For more on SMS-based phishing, see our smishing guide. To understand how attackers craft convincing brand impersonations, explore our brand impersonation phishing guide.

Protecting Against Seasonal Surges

Package delivery scams spike dramatically during holiday shopping seasons when consumers expect multiple deliveries. During November and December, apply extra scrutiny to any delivery notification you receive. Bookmark the tracking pages for carriers you use frequently and check tracking status only through these bookmarks or the carrier’s official app, never through links in messages.

Consider using a delivery management service like UPS My Choice, FedEx Delivery Manager, or USPS Informed Delivery. These free services consolidate delivery notifications into a single authenticated dashboard, making it immediately obvious when a notification from an unfamiliar source is fraudulent. Informed Delivery from USPS also sends images of incoming mail, helping you identify fake postal notifications.

The FluBot Lesson

The FluBot Android malware campaign, which spread through fake delivery SMS messages across multiple countries, demonstrated how effective package delivery scams can be at scale. The malware intercepted banking credentials from infected phones and spread itself by sending the same fake delivery messages to all contacts. It shows why SMS links should never be clicked, regardless of how legitimate they appear.