"Your package cannot be delivered. Please update your address: usps-redelivery84.com." If you have received a text like this, you are not alone. The United States Postal Service does not send unsolicited text messages asking you to click a link, yet millions of Americans receive these fakes every month. The FBI's Internet Crime Complaint Center logged over 300,000 smishing reports in 2025, and USPS delivery scams accounted for a significant share.
What a Real USPS Notification Looks Like
USPS offers a service called Informed Delivery that sends email (not SMS) previews of incoming mail. If you have signed up for USPS text tracking, messages come only from shortcode 28777 and only include a tracking number you already know. Legitimate texts never contain a clickable link to a third-party domain.
Here is what a real USPS tracking text looks like:
USPS: Your item 9400111899223100012345 was delivered at 2:14 PM on Feb 2 in/at mailbox. More info at usps.com
Notice: no hyperlink, no urgency, no request for personal information.
Received a suspicious message?
Paste the message here for instant analysis.
Free · No signup required · Cmd+Enter to scan
Anatomy of a USPS Scam Text
Scam texts follow a predictable pattern. Understanding each element helps you recognize them instantly.
1. The Fake Urgency
Most scam texts tell you a package "cannot be delivered" or "is being held." The goal is to make you panic. If you are expecting a real delivery, the instinct to click is strong. Scammers time these blasts during holiday shipping peaks and major sale events.
2. The Suspicious Link
The link is always wrong. USPS owns exactly one domain: usps.com. Scammers use look-alikes such as:
usps-redelivery84.comusps.delivery-update.comuspstracking.infous-ps.org
Some use URL shorteners like bit.ly to hide the destination entirely. If you cannot see usps.com as the root domain, it is fake.
3. The Phishing Landing Page
Clicking the link takes you to a page that mimics the USPS website. You are asked to enter your full name, address, and often a credit card number to pay a small "redelivery fee." USPS never charges redelivery fees via text. The data you enter goes straight to the scammer.
4. The Real Damage
With your name, address, and card number, scammers can make fraudulent purchases, open credit accounts, or sell your data on dark web markets. Some phishing pages also install malware on Android phones by prompting you to download a "USPS app" that is actually spyware.
Real Examples We Have Analyzed
Our team at IsThisAScam regularly analyzes reported texts. Here are three real examples from early 2026:
"USPS: We attempted delivery of your parcel on 01/28/26 but nobody was home. Schedule redelivery: https://usps-pkg-redeliver.com/t/80d3"
This one creates urgency by specifying a real-sounding date. The domain usps-pkg-redeliver.com was registered just 48 hours before the campaign started — a hallmark of throwaway scam infrastructure.
"USPostal Notice: Your package is waiting at facility. Confirm identity to release: https://bit.ly/3xK9mRz"
The sender name "USPostal" does not match any official USPS branding. The bit.ly link redirected to a phishing page hosted in Russia.
"USPS Delivery Exception — Item held due to incorrect ZIP. Update now or item returns to sender in 24hrs: usps-zipfix.com"
The 24-hour deadline is entirely fabricated. USPS holds undeliverable mail for 15 days before returning it, and they notify you by physical mail, not text.
Why These Scams Work So Well
Package delivery scams exploit three psychological triggers:
- Expectation bias: Americans receive an average of 54 packages per year. At any given moment, many people are waiting for a delivery, which makes the message seem plausible.
- Loss aversion: The threat of losing a package or having it returned feels worse than the annoyance of clicking a link.
- Authority trust: USPS is a government institution. People trust communications that appear to come from it.
How to Verify a Suspicious USPS Text
Follow these steps every time you receive a delivery-related text:
- Do not click the link. This is the single most important step.
- Check your real tracking. Go directly to usps.com/tracking and enter any tracking numbers you have from recent orders.
- Use IsThisAScam. Paste the suspicious message text into IsThisAScam.to for an instant analysis. The tool checks the URL, message patterns, and known scam databases to give you a clear verdict.
- Check the sender. If the text is from a 10-digit phone number rather than shortcode 28777, it is not from USPS.
How to Report USPS Scam Texts
Reporting helps law enforcement shut down scam operations and protects others. Here is where to report:
- USPS: Forward the text to spam@uspis.gov. Include a screenshot if possible.
- FTC: File a report at ReportFraud.ftc.gov.
- Your carrier: Forward the text to 7726 (SPAM). This works on AT&T, Verizon, T-Mobile, and most MVNOs.
- FBI IC3: For significant financial losses, file at ic3.gov.
Protecting Yourself Going Forward
These habits reduce your exposure to delivery scam texts:
- Sign up for Informed Delivery. When you know exactly what mail and packages are coming, fake notifications lose their power.
- Use your carrier's spam filter. T-Mobile Scam Shield, AT&T Call Protect, and Verizon Call Filter all include SMS filtering.
- Never pay a "delivery fee" via text link. USPS, FedEx, and UPS do not charge delivery fees through text messages.
- Keep your phone number private. Avoid entering your phone number on unfamiliar websites. Data breaches are the primary source of phone numbers for smishing campaigns.
What to Do If You Already Clicked
If you entered information on a phishing page:
- Contact your bank immediately. If you entered credit card information, request a new card number and dispute any unauthorized charges.
- Change your passwords. If you used the same email and password combination on the phishing site as you do elsewhere, change those passwords now.
- Place a fraud alert. Contact one of the three credit bureaus (Equifax, Experian, TransUnion) to place a fraud alert on your credit file.
- Monitor your accounts. Watch for unauthorized transactions for at least 90 days.
- Scan your phone. If you downloaded anything from the phishing site, run a security scan. On Android, use Google Play Protect. On iPhone, the risk of malware installation is lower, but you should still delete any downloaded files.
Received something suspicious? Check it now for free →