USPS "Your package could not be delivered" text is a smishing scam

USPS “Your package could not be delivered” text is a smishing scam

A scam is doing the rounds which begins with a text from what claims to be the US Postal Service. The SMS reads as follows:

[U.S. Postal Service] We’re sorry to let you know that your package could not be delivered. To reschedule a delivery please visit [bit(dot)ly]

I’ve never received an SMS from the US Postal Service, but I have to imagine they don’t use redirect links in text messages. The link hides the actual URL being sent to people’s phones. You can view stats for a link by placing “+” at the end of the URL. Detailed stats about the shortener’s creation date, number of clicks, and more are available through this method. On this occasion, data is hidden with the message “This link has been flagged as redirecting to malicious or spam content”.

Clicking through reveals the following warning:

  • The link may be listed on a website blocklisting service.
  • The link may have been reported to Bitly by a member of the public.
  • The link may contain malware (software designed to harm your computer), attempt to collect your personal information for nefarious purposes, or otherwise contain harmful and/or illegal content.
  • The link may be attempting to hide the final destination.
  • The link may lead to a forgery of another website or may infringe the rights of others.

Not a promising start for our missing package. Shall we take a look at the final destination?

Phishing for info

The actual landing page, located at us(dot)awaiting(dot)host, claims to be a USPS parcel tracking page. It says:

USPS Currently Awaiting Package
Undeliverable as Addressed(UAA) Problem with Address
USPS Allows you to Redeliver your package to your address in case of delivery failure or any other case.
You can also track the package at any time, from shipment to delivery.

It asks visitors to “verify address”, by filling in their name, address, city, state, ZIP code, phone number and email.

Clicking Continue at this point would normally display a second page asking for payment information. At the time of writing, clicking continue triggers a .php URL and then redirects to the 3M science website. It’s likely the data entered has been submitted to the phisher, but why didn’t they ask for payment details too?

Forgetful phishers or long-haul social engineering?

Sometimes scammers simply forget to make sure their ruse sails smoothly from A to B. It may be that they’re only actually interested in grabbing name and address information for now via the website. The logical progression would be to follow up by phone, mail, or post.

It’s also possible they realise they’ve attracted some heat and are trying desperately to put the flames out. The site is flagged via the link and produces warning pages in browsers such as TOR. The creators may figure it’s not worth the potential risk of keeping payment detail requests online anymore – if they were there in the first place, that is.

The right way to arrange a redelivery

This is “basic parcel delivery information” as opposed security advice, but If you do use USPS, you’ll want to head over to their dedicated redelivery page. It explains in detail what USPS customers should expect when waiting on a parcel, and what to do next.

As for the security angle: Fake USPS delivery notification spam is a popular tactic for scammers, and USPS’s advisory on the topic includes instructions on how to report bogus SMS messages.

No matter the delivery service, always pay attention to the URL on the landing page and ensure it matches up with the official site you’re familiar with. It’s no fun having your data harvested, even if they miss out on your payment details. There’s no guarantee they won’t follow up on such a thing at a later date, so it’s well worth taking the time to get it right the first time around.

Reporting on numbers for delivery scams is becoming trickier to monitor as the pandemic slowly recedes and other forms of scam become more interesting to the public. While data is harder to come by, there are still pockets of information available to gauge the popularity of fake delivery scams. The UK’s Citizens Advice organisation reports that as of 2023, delivery scams are still very popular with fraudsters. In fact, they may well be at the top of the threat list depending on your region. From the report:

Parcel delivery scams are by far the most common scam faced by the public so far this year. Almost half of people (49%) targeted by scammers had been on the receiving end of a malicious parcel delivery scam, with scammers attempting to get hold of personal information or bank details. 

The second most popular attack is banking scams with 29% of the total reported, and online shopping scams weighing in at 25%. There’s a clear drop off between first and second place. The message is clear: fake delivery scams are not only here to stay, but perhaps as popular as they’ve ever been. Next time your receive a text about a package you have no memory of, it might be worth checking your most recent purchases before responding. If the parcel is real, it’ll still be there – unlike the fly-by-night scammers.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.