Date:Posted By:

At vali.now, we regularly analyze emerging threats in information security, including phishing variants that exploit everyday conveniences like online shopping.

Delivery message scams – often called “smishing” when delivered via text – have surged with the rise in e-commerce, preying on expectations of quick deliveries. These scams impersonate trusted carriers like USPS, FedEx, or UPS to steal personal data, financial information, or install malware. In this post, we outline how these scams operate, key detection methods, and proven protection strategies, drawing from verified reports and our expertise in threat intelligence.

The Scope of the Problem: Alarming Statistics

The proliferation of online deliveries has made these scams a prime vector for cybercriminals. According to the Federal Trade Commission (FTC), consumers reported over 330,000 business impersonation scams in 2023, with delivery-related fraud comprising a significant portion—nearly half of all direct fraud reports. Fast-forward to 2025: NordVPN’s Threat Protection Pro tracked an 86% increase in malicious postal service websites from August through October, including a staggering 850% month-over-month spike in fake USPS sites. Brushing scams, where unsolicited packages come with QR codes linking to phishing sites, rose 46% compared to 2024, per the Better Business Bureau (BBB).

On the theft front, Security.org estimates 37 million packages will be stolen in 2025, totaling over $8 billion in losses – up from 58 million the previous year, affecting up to 25% of Americans. The FBI has logged over 5,100 account takeover complaints this year alone, with losses exceeding $262 million, many tied to holiday delivery phishing. In the UK, courier Evri reported 10,000 delivery fraud cases from November 2024 to January 2025. With projections of 2.3 billion holiday deliveries in the US – a 5% increase – and 70% of shoppers opting for home delivery, the risk is at an all-time high.

These numbers underscore a critical security truth: Scammers exploit volume and urgency, but awareness can disrupt their operations.

How Delivery Message Scams Work

These scams typically arrive as unsolicited texts, emails, or even voicemails claiming an issue with a package – such as a missed delivery, address error, or customs hold (especially post-2025 de minimis tariff changes for imports under $800). The message urges immediate action via a link, often to pay a small “redelivery fee” (e.g., £2 or $5) or update details.

Common variants include:

  • Phony tracking links: Directing to fake sites mimicking legitimate carriers, where entering card info leads to theft.
  • Brushing with QR codes: Unsolicited packages arrive with scannable codes that install malware or harvest data or just to boost “verified reviews” with fake customers (you!).
  • Spray-and-pay fraud: Mass texts claiming a non-existent package requires rescheduling, capturing payment details.
  • Porch pirate tie-ins: Fake “attempted delivery” notices to lure victims into revealing location data.

From an infosec perspective, these are social engineering attacks amplified by AI-generated realism, making them harder to spot without vigilance.

Detecting Delivery Message Scams: Red Flags to Watch

Early detection is key to infosec hygiene. We recommend scrutinizing every unsolicited communication using these indicators using these guidelines:

  1. Unexpected Contact: If you didn’t order anything, it’s likely brushing or phishing. Even if you did order something verify by logging into your account directly on the carrier’s official app or site. Don’t click links in SMS regarding deliveries.
  2. Urgent or Threatening Language: Phrases like “immediate action required” or “package will be returned if unpaid” create panic. Real notifications are neutral and provide clear, official contact info.
  3. Suspicious Links or Attachments: Hover over URLs (without clicking)—they often lead to misspelled domains (e.g., “usps-trackk.com” instead of usps.com). QR codes on unsolicited items are a dead giveaway for malware.
  4. Requests for Payment or Data: Carriers don’t demand fees via links or gift cards. Unsolicited asks for addresses, SSNs, or card details scream scam.
  5. Poor Grammar or Sender Anomalies: Spoofed numbers may look official but originate from odd area codes. Always cross-check via official channels.
  6. No Matching Order History: Track your actual deliveries. If the message doesn’t align with known shipments, delete it.

In our research, 70% of victims fall for urgency alone—pausing to verify disrupts 90% of these attacks.

Protecting Yourself: Practical Steps from Infosec Best Practices

Protection starts with proactive measures. We at vali.now advocate layered defenses: technical controls, behavioral habits, and rapid response protocols.

Immediate Actions

  • Verify Independently: Never use provided links. Access carrier sites directly (e.g., usps.com/track) or call official numbers from their verified listings.
  • Report and Block: Forward scam texts to 7726 (SPAM) in the US, or spam@uspis.gov for emails. Block the sender and mark as junk.
  • Secure Devices: Use antivirus with phishing detection (e.g., scanning QR codes) and enable two-factor authentication (2FA) on shopping accounts.

Long-Term Strategies

  • Track Proactively: Use apps from UPS, FedEx, DHL or USPS for real-time alerts. Opt for secure delivery options like Amazon Lockers or in-store pickup to avoid porch exposure.
  • Monitor Finances: Set up transaction alerts and review statements weekly. Tools like credit freezes (free via Equifax, Experian, TransUnion) block unauthorized access.
  • Educate and Share: Discuss these with family – holiday distractions amplify risks. Install package guards or cameras; over 50% of homes now use such devices, reducing theft by 60%.
  • For Businesses: Train employees on smishing recognition and implement email filters. In 2025, AI-driven tools can flag 95% of impersonation attempts pre-click.

If victimized, act fast: Contact your bank to dispute charges, change passwords, and report to the FTC at ReportFraud.ftc.gov or IC3.gov. Recovery rates exceed 80% with prompt action.

Conclusion: Stay Vigilant in a High-Delivery World

Delivery message scams thrive on trust in logistics, but with these detection cues and protections, you reclaim control. As we navigate 2025’s record 165 annual packages per US household, remember: True security blends awareness with tools. At vali.now, we’re committed to sharing actionable intel – stay safe this season and beyond. If a scam variant seems novel, more research is warranted; reach out via our channels for tailored advice.

If in Doubt: vali.now

Your best defense is healthy skepticism. If something seems just a little off or a bit too good to be true – it probably is. Your best option is to forward the details to help@vali.now. Our cybersecurity professionals have been recognizing and fighting off such attacks for decades. Your first case (up to one hour of research) on our side is free, with affordable rates after that. You’ve got nothing to lose and you might just prevent catastrophic losses by reaching out.

Leave a comment

Your email address will not be published. Required fields are marked *