Is the USPS Package Text Real? No — the #1 Text Scam (2026)

The short answer

Yes, the USPS "package can't be delivered / incomplete address / small redelivery fee" text is a scam — every one. The U.S. Postal Inspection Service is explicit that USPS never sends unsolicited texts about a delivery problem and never texts a payment link unless you started a tracking request yourself. The FTC named fake package texts the most-reported text scam of 2024, part of $470 million in text-scam losses. It is run by the same China-based "Smishing Triad" behind the unpaid-toll wave — and the fake-USPS text is the original; the toll text is the follow-up act. The link leads to a lookalike USPS site built to harvest your address and card details. Delete it. Check any real package by typing usps.com yourself.

"Scammers often present themselves as a trusted source to lull consumers into a false sense of trust, gain access to their personal information, and use it for fraudulent purposes."
— Eric Shen, Inspector in Charge, U.S. Postal Inspection Service Criminal Investigations Group, in the USPIS warning on package-tracking smishing. USPIS is the federal law-enforcement arm of the Postal Service; its position is unambiguous — USPS does not send unsolicited delivery-problem texts, and it never charges a fee by text to release a package.

I think the fake-USPS text is the most quietly successful scam in America, and it is successful precisely because it does not look like a scam. There is no threat of arrest, no demand for thousands of dollars, no foreign prince. There is a package — and almost everyone is waiting on a package. The text arrives in the same gray bubble as the real delivery updates you actually signed up for, says your parcel is held over a trivial problem, and asks for two dollars or a confirmed address. That is the entire genius of it. It does not trip the alarm that a $1,200 demand would, so people who would never wire money to a stranger type their card number into a form without a second thought.

I am writing this in first person because I want to be the one on record saying the plain thing: this was the number-one text scam in the country last year, by the FTC's own count, and it is still arriving at millions of phones a week. The operators are not amateurs and they are not local. They are the same group security researchers have tracked through the toll-text wave — and the package text is where they started. If you have read our piece on the unpaid toll text, this is the prequel: same kit, same domains, same SMS rails, different logo on top.

Three things that prove it's a scam — every time

Most guides treat this as a "spot the typo" exercise. It is not. Three structural facts make every unsolicited package text a scam before you read a word of it:

—USPS does not text you about a delivery problem unless you started the tracking. The U.S. Postal Inspection Service states it plainly: USPS sends a text only if you initiated a tracking request for that specific package — by texting a tracking number to 28777, or enabling alerts inside a USPS.com account you logged into. It does not text about 'incomplete addresses,' it does not charge for tracking texts, and it never sends a link asking for your card or personal details. A package text you did not start is not from USPS.

—The link is never a real usps.com address. Real USPS tracking lives at usps.com (and tools.usps.com). The scam links are lookalikes — usps followed by random characters under .xin, .top, .cc, .info, or a hyphenated knockoff like 'usps-trackid[.]xin' or 'usps.delivery-fee[.]top'. The same .xin top-level domain abused in the toll campaign — tens of thousands of lookalike domains registered through a Hong Kong registrar — hosts the fake-USPS pages too. Blocking one does nothing when thousands are standing by.

—A real carrier never settles a 'held package' through a texted fee. USPS, UPS, and FedEx do not hold your parcel hostage over a $0.30 or $2.99 fee you pay by tapping a link. Genuine postage-due situations are handled at your door or your local post office, by mail, against the registered address — not by a stranger's text demanding card details inside an hour. The fee is bait; your card number is the product.

Who's sending these — and why the package text came first

This operation has a name, and the security-research community has documented it since 2023. Resecurity and Palo Alto Networks' Unit 42 independently traced the infrastructure to a China-based criminal collective referred to as the Smishing Triad; Brian Krebs connected the pieces in his reporting. The fake-USPS package-redelivery text was their breakout campaign — the toll text everyone is talking about now is what they pivoted to afterward.

—The package scam is the original; the toll scam is the rotation. As security researcher Ford Merrill put it (quoted by Krebs), the toll wave was "a continuation of the Chinese smishing groups rotating from package redelivery schemes to toll road scams." Same operators, same Lighthouse phishing kit, same SMS-as-a-service rails — they simply swapped the USPS logo for an E-ZPass logo when the package angle got more attention. The full teardown of the toll version is in our unpaid-toll-text piece.

—The phishing kit serves a pixel-perfect fake USPS site. The kit detects mobile devices: a desktop visitor sees a dead page, a phone sees a flawless replica of the USPS tracking-and-payment screen. It captures keystrokes as you type, so your data is exfiltrated whether or not you ever press submit. The fake site asks for your address 'to redeliver,' then a card 'for the fee' — and harvests both.

—The texts are sent at industrial scale and near-zero cost. Underground platforms sell bulk SMS with sender-ID spoofing for Apple iMessage and Android RCS, marketed on Telegram, at roughly eight dollars per thousand messages. At that price the campaign is pure volume — they are not targeting you, they are dialing every US number that exists. Getting the text does not mean you were singled out; it means your number is a number.

—They rotate brands and ride the calendar. The same infrastructure runs fake USPS, UPS, FedEx, DHL, and Amazon texts, and spikes during the holiday shopping season when nearly everyone is genuinely expecting a delivery and a 'package problem' is most believable. USPIS issues a fresh holiday-smishing warning every November for exactly this reason.

USPS does not text you about a package unless you started the tracking yourself, and it never charges a fee by text to release a delivery. A package text from a number you don't recognize, about a parcel you didn't knowingly track, with a link and a fee, was never real — no matter how routine it looked.

The exact script — "your package is held"

The wording rotates, but the structure is fixed. Knowing the four standard variants makes every one of them obvious:

—The incomplete-address variant. "USPS: Your package could not be delivered due to an incomplete address. Please update your information within 24 hours or it will be returned." There is no real address problem. The form harvests your full name and address — identity data — and often a card 'to confirm.'

—The unpaid-fee variant. "USPS: A $0.30 unpaid shipping fee is required to release your parcel. Pay now to avoid return." The trivial amount is the trick — small enough to pay without thinking, but paying it means typing your full card number, expiry, CVV, and billing ZIP into the fake site.

—The failed-delivery / reschedule variant. "USPS: We attempted delivery but no one was available. Click to reschedule." This one needs no fee at all — the 'reschedule' form is the harvest. It is the cleanest version because it asks for nothing that feels like money.

—The customs / duty variant. Aimed at people expecting international parcels: "Your package is held at customs pending a duty payment." Real customs charges are handled by the carrier at delivery, never by an unsolicited text with a link.

It's not just USPS — UPS, FedEx, and the UK's Royal Mail and Evri

The brand on the text is interchangeable. The same kit prints whatever logo gets the highest response rate in a given week. If you are outside the US, the mechanics are identical — only the carrier name changes.

—UPS, FedEx, DHL, Amazon (US). All impersonated by the same operation. None of them text you out of the blue demanding a fee or a personal-details form to release a parcel. Verify any real shipment on the carrier's own site, reached by typing the address yourself, using the tracking number from the retailer you actually ordered from.

—Royal Mail and Evri (UK). The UK 'parcel held — pay a small redelivery fee' text is one of the most common scam texts in Britain, branded as Royal Mail or Evri (formerly Hermes). Same Smishing Triad rotation, same lookalike-domain trick. Royal Mail will text about fees to release an item only in a genuine customs scenario tied to a real item, and never via an unsolicited link to a card form.

—DPD and the parcel-locker variants. DPD and various courier and parcel-locker brands round out the UK and EU set. The discriminating question is the same everywhere: did I knowingly give this carrier my number for this parcel? If not, it is smishing.

—Reporting outside the US. In the UK, forward the text to 7726 and report at the carrier's official fraud page and Action Fraud (now Report Fraud). The full UK reporting and reimbursement directory is in our 2026 UK scam-reporting guide.

Why this keeps working — the same institutional gap as the toll text

The fake-USPS text is not clever. The tells are right there: a number you do not know, a link you have never used, a fee no real carrier charges that way. What makes it the number-one text scam in the country is not skill — it is that the systems built to stop it have moved slower than the people running it.

—The carriers' SMS blocking lagged the campaign by years. The FCC's mandatory robotext-blocking enforcement only went live in December 2025 — well over two years after this style of package smishing became a mass phenomenon. The capability to filter spoofed commercial SMS existed long before the obligation to use it did.

—The lookalike domains stay online because nobody owns the takedown. Tens of thousands of .xin and similar lookalike domains host these pages, registered through registrar relationships that have not lost their accreditation despite documented, systemic abuse. Blocking one is meaningless against thousands; revoking the registrar's accreditation would matter, and it has not happened.

—Sender-ID spoofing on iMessage and RCS remained possible at consumer scale. Apple and Google mediate nearly every phone in the country and had the engineering capacity to block spoofed foreign-originated commercial SMS. Both have shipped anti-spam features; neither has shipped a default change that stops this pipeline at scale. The full accounting of who could have stopped this and didn't is in the toll-text piece — the package version is the same failure, one logo earlier.

The 8-step playbook: what to do

This is the sequence I would follow if the text arrived right now — whether you have already clicked, already typed something, or just received it:

1Do NOT click the link. It loads a lookalike USPS page that captures what you type in real time. The link is the entire scam. Delete the text.

2Verify any real package by typing usps.com into a fresh browser yourself — never the link. Enter the tracking number from your own order confirmation. No pending shipment, or no problem shown on the official site, means there is nothing to pay and nothing to fix.

3Forward the text to 7726 (SPAM on the keypad). This routes it to your carrier's abuse desk and the industry reporting database. Free, thirty seconds, the only carrier-side reporting channel there is.

4Report to the U.S. Postal Inspection Service: email spam@uspis.gov with a screenshot showing the sender number and date, plus the message body. USPIS runs the criminal cases; the reports are the evidence.

5Report to the FTC at reportfraud.ftc.gov, and if money or data moved, to the FBI at ic3.gov with the sender number and full URL. See the full US scam-reporting directory for every agency and what it does.

6If you clicked but typed nothing — clear the browser's history and cookies and run a malware scan. The kits need you to type; they rarely drop device malware by default, but the precaution is free.

7If you typed card information — call your card issuer's fraud line within the hour, freeze and reissue the card, and dispute charges under Regulation E (debit) or the Fair Credit Billing Act (credit). The data is resold within minutes, so move fast. See the 72-hour recovery playbook for the odds by payment method.

8If you entered identity details — freeze your credit at all three US bureaus (Experian, Equifax, TransUnion; free, ~5 minutes each). The name-plus-address-plus-DOB harvest feeds synthetic-identity fraud months later. Our identity-theft guide has the full lock-down sequence.

If you posted publicly that you lost money to a fake package text, "recovery" scammers will reach you within days. They will offer to retrieve your money for an upfront fee and will reference details of your scam, because that information is sold on the same channels the texts are sent from. Real recovery channels — your bank, the dispute process, USPIS, the FTC, FBI IC3 — are always free. See the recovery-scams piece for the full pattern.

From the field. The fake-USPS text produces two very different kinds of victim. The first paid the small fee, lost the contents of a card, and got it back by chargeback within a week — annoying, survivable. The second typed nothing financial at all: just a name, an address, and a date of birth into the 'confirm your delivery details' form, paid no fee, and walked away thinking they had dodged it. Those are the ones I worry about. A year later a synthetic-identity account or a credit pull they never made shows up, and nobody connects it back to a routine package text from the previous spring. The card harvest is the loud half of this scam. The identity harvest is the quiet half, and it never appears in the year's loss tallies because the damage lands two tax seasons later.

So why is the most-reported text scam still arriving?

Because it is cheap to send, it impersonates the one institution almost everyone is currently waiting to hear from, and the fee it asks for is small enough to slip under the suspicion that a bigger demand would trigger. None of that is sophisticated. What sustains it is the same gap that sustains the toll version: lookalike domains that stay online for months, SMS rails that route spoofed sender IDs at eight dollars a thousand, and an enforcement timeline that has consistently run years behind the operators.

The FTC put a number and a rank on it — most-reported text scam of 2024, inside $470 million of text-scam losses — and that designation is built entirely from reports people bothered to file. The reporting is the lever. It will not feel like it is doing anything when you forward one text to 7726 and email one screenshot to USPIS. In aggregate it is the entire evidence base for every takedown that does happen.

If you take one rule from this whole piece, take this: a carrier you did not give your number to, texting about a package you did not knowingly track, with a link and a fee, is a scam — every time, no exceptions. Real package problems are solved by typing the carrier's address into your own browser, never by tapping a link someone sent you.

Already entered details on a fake USPS page? Let's look at the damage together.

Tell us what you entered — card, address, identity, or all of it — and what's happened since. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure.

Submit a free case review →Try the Scam Checker

Common questions about the fake USPS package text

Is the USPS 'package can't be delivered' text real?

No. The U.S. Postal Service does not send unsolicited texts about a delivery problem, an incomplete address, or an unpaid fee. The U.S. Postal Inspection Service is explicit: USPS will only text you about a package if you specifically started a tracking request for that package, and it never charges a fee by text to 'release' or 'reschedule' a delivery. Any text claiming your USPS package is held over a small fee or a missing detail, with a link to click, is a scam — it was the single most-reported text scam in America in 2024 per the FTC. Delete it. If you are genuinely expecting a package, check its status by typing usps.com into your browser yourself and entering the tracking number from your own order confirmation.

Does USPS ever text you about a package?

Only if you started it. USPS texts exist for one reason: you signed up for tracking alerts on a specific package by texting your tracking number to 28777 (2USPS) or by enabling alerts inside a USPS.com account you logged into. In that case the texts reference the tracking number you provided and never contain a payment link. USPS does not charge for tracking texts, does not text about 'incomplete addresses,' does not text demanding a redelivery fee, and does not send links asking for your card or personal details. If a text about a package arrives that you did not initiate, it is not from USPS — it is smishing.

I clicked the USPS text link and entered my address or card — what now?

Act by category and by speed. If you entered card details: call your card issuer's fraud line within the hour, freeze the card, and dispute any charges under Regulation E (debit) or the Fair Credit Billing Act (credit) — the phishing kits resell card data within minutes, so speed matters more than anything. If you entered identity details (name, full address, date of birth, or worse, SSN): freeze your credit at all three US bureaus (Experian, Equifax, TransUnion — all free, five minutes each) because the address-plus-identity combination feeds synthetic-identity fraud months later. If you clicked but typed nothing: clear your browser data and run a malware scan; you are most likely fine. In every case, report it (next answer) and watch your statements.

Why does the fake USPS text ask for such a small fee?

Because the small fee is not the point — your card number is. A scammer demanding $1,200 triggers suspicion; a scammer asking for a $0.30 or $2.99 'redelivery fee' or 'address correction charge' feels trivial enough to pay without thinking, and paying it requires you to type your full card number, expiry, CVV, and billing address into their lookalike site. That card data is the actual product. The tiny fee is bait engineered to lower your guard and harvest payment details the operators resell in bulk. Some variants skip the fee entirely and just ask you to 'confirm your address,' which harvests identity data for the same downstream fraud.

What about UPS, FedEx, DHL, and Royal Mail package texts?

Same scam, different logo. The same operation that impersonates USPS also sends texts branded as UPS, FedEx, DHL, Amazon, and — in the UK — Royal Mail, Evri (formerly Hermes), and DPD. The UK 'parcel held, pay a small redelivery fee' text is one of the most common scam texts in Britain. None of these carriers text you out of the blue demanding a fee or a personal-details form to release a parcel. The rule is identical regardless of the brand: a carrier you did not give your number to, texting about a package you did not knowingly track, with a link and a fee, is a scam. Verify on the carrier's real website by typing the address yourself.

How do I report a fake USPS text?

Three steps, all free. First, forward the text to 7726 (SPAM on the keypad) — this routes it to your mobile carrier's abuse desk. Second, report it to the U.S. Postal Inspection Service: email spam@uspis.gov with a screenshot of the text showing the sender's number and the date, plus the body of the message. Third, report to the FTC at reportfraud.ftc.gov, and if you lost money, to the FBI's Internet Crime Complaint Center at ic3.gov. Then delete the text. Reporting does not usually recover anything directly, but the aggregate volume is what drives the carrier blocking, the takedowns, and the federal action.

Sources & further reading

Every figure in this piece is drawn from these authorities. Click any of them to verify.

Is the USPS "package can't be delivered" text real? No — it was the most-reported text scam in America last year, and the toll text is its sequel.