FedEx "Missed Delivery" Text Scam: how the smishing attack works and how to spot it

How FedEx smishing differs from USPS smishing

USPS smishing and FedEx smishing run on the same template, but FedEx variants target a slightly different demographic. USPS sees mostly residential mail and Amazon-tier consumer parcels. FedEx leans into business shipments, international packages, e-commerce express orders, and signature-required deliveries. Recipients of FedEx packages skew slightly higher-income, often hold business credit cards with higher limits, and are more likely to be expecting an international shipment that has a real customs component.

That demographic difference shows up in the smishing payloads. USPS scams ask for $1.99 or $2.99 redelivery fees. FedEx scams ask for $3, $6, sometimes $15 "customs duty" or "import processing fee" amounts - still small enough not to trigger user resistance, but large enough to match the real cost of a low-value international customs declaration. The credit card details are the actual target in both cases, but the FedEx version sells a more believable pretext because international customs fees are an actual thing that FedEx recipients sometimes do owe.

Per FedEx's own fraud awareness page, the company sees enough complaint volume that they maintain a dedicated security inbox at abuse@fedex.com and route victim reports to internal investigations plus to law enforcement when patterns warrant. The volume is high enough that FedEx publishes specific guidance in multiple languages on their report-fraud page. None of this stops the attackers - it just gives victims a place to report after the fact.

The seven message variants in active rotation

The wording shifts every few weeks as carrier spam filters catch up, but the underlying templates are stable. If your incoming text matches one of these, treat it as a scam by default.

Variant 1: Missed delivery / undeliverable

"FedEx: We attempted to deliver your package today but no one was available. Reschedule at [link]." The most common version. Works because the user mentally checks "did I miss a delivery?" and the answer for anyone working from home, in a meeting, or out for errands is plausibly yes. Doorbell missed, package re-routed to local facility, link to "reschedule." The real FedEx never sends reschedule links via SMS.

Variant 2: Customs / import duty payment required

"FedEx: Your international shipment is held at customs. Outstanding duty: $4.99. Pay now to release: [link]." The fee amount is deliberately small but believable - real customs duties on low-value international parcels do land in the $3-$15 range. The point is not to collect $4.99; it is to extract credit card details on the fake page. The card then sells for $5-$30 on dark-web markets, and the saved card may also be used immediately for higher-value fraud before the user notices. This is the highest-converting FedEx variant because the customs pretext is uniquely believable for international shipments.

Variant 3: Reschedule delivery preference

"FedEx: Update your delivery preference to ensure successful delivery of your package. Manage here: [link]." A clean variant designed to feel routine. The fake page asks for full address, phone number, and sometimes payment information for a "service upgrade." The real FedEx Delivery Manager is free, lives on fedex.com, and never charges to set preferences.

Variant 4: Tracking number issue / address verification

"FedEx: We could not verify the destination address for tracking number 7747 ... Please confirm at [link]." The fake tracking number looks real (FedEx tracking numbers are 12-15 digits and the pattern is easy to mimic), which adds legitimacy. The page collects full address re-entry, which is enough on its own for identity theft when combined with the name from the recipient's caller-ID or saved-contact metadata.

Variant 5: Signature required for high-value package

"FedEx: Your package requires adult signature on delivery. Confirm signature preferences and ID details: [link]." Plays on the user assumption that high-value or registered packages do require signatures - which is true for real FedEx. The fake page asks for a digital signature image, name, address, DOB, and sometimes a photo ID upload field. That bundle is a complete identity-theft package.

Variant 6: International shipment held - KYC verification needed

"FedEx International: Your shipment from [country] has been held. Verify identity to release: [link]." The KYC pretext is newer (2025-2026) and is designed to look like a regulatory step rather than a delivery step. The fake page asks for passport or driver's license number, full name, DOB, and address. Some variants also request SSN last 4 as "tax compliance." None of this is a real FedEx process - real customs identity verification happens through your shipper or licensed broker, not via SMS link.

Variant 7: Premium shipping upgrade offer

"FedEx: Your package qualifies for free Priority Overnight upgrade. Claim within 2 hours: [link]." The reverse-pretext variant - instead of threatening to lose the package, it offers a benefit. The page collects card details for a "verification charge" that is supposedly refunded once the upgrade is "applied." It never is. The card details flow into the same backend as every other variant.

What the destination page actually does

Every variant ends at a landing page that looks like fedex.com. The branding is exact - same purple and orange logo, same fonts, same nav structure, same tracking widget layout. Most fake pages embed a working-looking tracking field that returns a generic "in transit" result regardless of what you type. The visual mimicry passes a 5-second eye test for almost everyone.

The page asks the user to enter, in sequence:

1. Tracking number (to anchor the page as "your specific package")
2. Full name (for identity profile)
3. Street address, city, state, ZIP (for the same)
4. Phone number (for further phishing follow-ups via call)
5. Email address (for password-reset attacks on other accounts)
6. Date of birth (for full identity theft kits)
7. Credit card number, expiration, CVV, billing ZIP (for the "customs fee" or "redelivery fee")
8. SSN last 4 (in higher-value variants, sometimes labeled as "tax compliance for international shipment")

The "small fee" charge on the card may or may not actually process. If it does, the resulting transaction confirmation reassures the user that the page was legitimate - the package will be released, the customs fee was real. The card details, address, and identity package then flow to a backend that resells on dark-web markets typically within hours. Higher-limit business cards (more common among FedEx recipients) may be used directly by the attacker for 6-24 hours before the chargeback dispute closes the window.

Some FedEx variants targeting Android users also push a "FedEx tracking app" APK download from the landing page. The APK installs a banking trojan that intercepts SMS one-time codes, harvests credentials from banking apps, and forwards them to a command-and-control server. iOS users see only the credential phishing flow because iOS does not allow sideloaded apps without developer enrollment.

Why FedEx URLs look almost convincing

The destination URLs follow a few predictable patterns. Recognizing the patterns is half the battle.

Pattern 1: FedEx keyword on a non-fedex.com TLD

Real FedEx lives on fedex.com (and a handful of country-specific subdomains like fedex.co.uk, fedex.fr, fedex.de, always with fedex as the second-level domain). Any URL with "fedex" in the domain on a different TLD or hyphen-stitched into a non-FedEx domain is a scam. Examples in active rotation:

• fedex-tracking[.]com
• fedex-info[.]xyz
• fed-ex[.]top
• fedex-delivery[.]live
• fedex[.]customs-pay[.]com
• fedex-reschedule[.]click

The hyphen-keyword construction is the easiest visual tell. Real FedEx subdomains are www.fedex.com, tracking.fedex.com, delivery.fedex.com, and similar - the brand name is always the second-level domain, never appended with hyphens.

Pattern 2: FedEx in a subdomain on a free hosting provider

Examples:

• fedex[.]vercel[.]app
• fedex-delivery[.]netlify[.]app
• fedex-track[.]pages[.]dev
• fedex-tracking[.]github[.]io
• fedex[.]wixstudio[.]com

Free hosting platforms like Vercel, Netlify, Cloudflare Pages, GitHub Pages, and Wix Studio take minutes to set up and provide automatic HTTPS. Attackers spin up a fresh subdomain, push the fake page, and start sending texts. The hosting provider is not at fault - they shut down reported phishing within hours - but the attack happens in those hours.

Pattern 3: URL shortener hiding the real destination

Examples:

• bit.ly/fedex-track
• tinyurl.com/fedex-reschedule
• t.ly/FedExVerify
• urlkub[.]co/randomstring

Shorteners are appealing to scammers because the user cannot tell from the text where the link actually leads. Hovering on a phone is hard, and the SMS preview does not unwrap shorteners. The destination is hidden until you click. Some attackers chain shorteners (shortened link goes to another shortened link goes to the phishing page) specifically to defeat automated link inspection.

Pattern 4: Homograph / lookalike substitution

Examples:

• fedx[.]com (missing "e")
• fedеx[.]com (Cyrillic "е" instead of Latin "e")
• fedexx[.]com (extra "x" at end)
• fedex-corp[.]com (suffix attached)
• ffedex[.]com (double letter at start)

Homograph attacks use lookalike characters from other Unicode scripts. The Cyrillic "е" looks identical to the Latin "e" in most fonts, so fedеx.com is indistinguishable from fedex.com at a glance. Browsers warn about some homograph patterns but not all of them, especially in SMS where the URL is plain text without browser protection.

How real FedEx delivery notifications actually work

The simplest defense is knowing what a real FedEx message looks like. Memorize these facts:

• FedEx only texts you if you opted in via FedEx Delivery Manager and only against a real tracking number you have registered. Random unsolicited FedEx texts to people who did not opt in are not legitimate.
• Real FedEx texts do not contain clickable links. Per FedEx's own fraud awareness page: "FedEx does not send unsolicited text messages or emails to customers requesting money or personal information in exchange for goods in transit." Real notifications point you to fedex.com to track - you go there yourself, you do not click.
• FedEx does not charge "customs duty" via SMS. Real customs fees on international parcels are handled by the shipper, by your customs broker, or via an invoice from FedEx's billing department through email or postal mail - never via SMS link asking for card details.
• Real FedEx does not need your SSN, DOB, or passport number to deliver a package. Identity verification happens at FedEx account creation time, not at delivery.
• Tracking numbers are looked up at fedex.com. Type fedex.com into your browser, paste the tracking number into the search box, and check status yourself. Never click a link to track.

The 10-second check that catches every variant

You do not need to memorize every URL pattern. Use this short routine instead:

1. Do not click. If the text claims to be from FedEx, the first action is to not click the link. The link is the entire attack.
2. Open a fresh browser tab. Type fedex.com manually. Bookmark it for future use.
3. Enter the tracking number from the text (if any) into the fedex.com tracking search box. If the tracking number is fake (the most common case), the search will return "No information for the tracking number" or similar. Real tracking numbers show full transit history.
4. Manage delivery preferences via FedEx Delivery Manager directly on fedex.com. The service is free, no extra payment required for any standard feature.
5. Report the smishing text to 7726 (the universal SMS spam reporting shortcode in the US, Canada, and UK) and to abuse@fedex.com. You can also file a report at fedex.com/en-us/report-fraud. Then delete the text.

If you want a second opinion on a specific link, paste it into the SafeBrowz URL checker. The checker unwraps URL shorteners, checks domain age (most smishing destinations are less than 30 days old), runs the URL through community blacklists, and returns a verdict in a few seconds. No login required.

What to do if you already clicked or entered information

If you clicked the link and the page opened, but you did not enter anything, you are probably fine. The page itself usually cannot install malware unless you also download something. Close the tab, clear browser cookies for that domain, and move on. If you downloaded an APK on Android, uninstall it immediately and run a mobile antivirus scan.

If you entered personal information (name, address, phone, DOB):

• Change passwords on accounts that share that information, especially financial accounts and your primary email.
• Enable two-factor authentication everywhere possible - SMS-based 2FA is weak against SIM swapping, so prefer authenticator-app 2FA for high-value accounts.
• Add a fraud alert with the three US credit bureaus (Equifax, Experian, TransUnion). One call to any of the three propagates to the others. The alert is free and lasts 12 months.
• File a report at reportfraud.ftc.gov. This feeds into law enforcement data and may help if you later need to dispute fraud.

If you entered credit card information:

• Call your card issuer immediately. Most major issuers have 24/7 fraud lines and will cancel and reissue the card on the same call. The phone number is on the back of the physical card - do not Google "[bank] fraud number" because tech support scammers run fake support listings.
• Review the transaction history for unauthorized charges. Dispute anything suspicious within 60 days (US Fair Credit Billing Act window).
• If the new card has not arrived yet and you must pay urgent bills, your issuer can usually expedite or add the card to Apple Pay / Google Pay digitally while the physical card is shipping.

If you entered SSN, passport number, or sensitive identity information:

• Place a security freeze (not just an alert) with all three credit bureaus. A freeze blocks new credit accounts from being opened in your name. Freezes are free and last until you remove them.
• File an identity theft report at identitytheft.gov. The FTC's identity theft recovery plan walks you through every cleanup step.
• Check your IRS account at irs.gov/payments/your-online-account to make sure no fraudulent tax return has been filed in your name.
• If passport details were entered, monitor your travel and immigration accounts. Consider filing a passport replacement if the document was photographed or fully transcribed.

Why FedEx is especially targeted

The FedEx smishing volume is high for three specific reasons.

Reason 1: FedEx recipients tend to have higher-limit credit cards. FedEx delivers business shipments, e-commerce express orders, and international parcels - the recipient profile skews slightly above the average consumer parcel recipient. A stolen FedEx-recipient card details package sells for more on dark-web markets than a typical residential card, and the attacker can extract more before the chargeback closes the window.

Reason 2: International FedEx shipments have legitimate customs fees. Real FedEx International shipments often do incur customs duties on arrival. The recipient may genuinely owe $5-$20 to customs through a broker or FedEx's billing department. That genuine possibility gives the "customs fee" smishing variant a much higher conversion rate than the equivalent USPS variant, because the pretext aligns with real-world expectation.

Reason 3: FedEx, UPS, and USPS rotation. Scammers typically run campaigns across all three major carriers simultaneously with different victim lists. A US phone number on an attacker's list might get a USPS text on Monday, a FedEx text on Wednesday, a UPS text on Friday - increasing the chance that at least one matches a real package the recipient is expecting. The volume per carrier looks lower than the total smishing volume from any single recipient's perspective.

How SafeBrowz catches the destination page

SafeBrowz runs as a browser extension on Chrome, Firefox, and Edge. The moment a smishing link is opened in the browser, the three-layer detection model kicks in.

Layer 1 - Local checks (offline, instant). Bundled rules running inside the extension. They look for known smishing URL patterns (fedex as a keyword on a non-fedex.com TLD), suspicious TLDs (.xyz, .top, .live, .click), free-hosting destinations (*.vercel.app, *.netlify.app, *.pages.dev, *.wixstudio.com), and homograph or hyphen-stitched lookalikes (fedеx.com with Cyrillic characters, fed-ex.com, fedx.com). The check completes in milliseconds without any network call.

Layer 2 - API checks (community + shortener unwrap + page fetch). If the URL slips past local checks, SafeBrowz queries Google Safe Browsing, a community-reported scam URL list, and a domain age lookup. URL shorteners (bit.ly, tinyurl.com, t.ly, urlkub.co, and any path-pattern-detected shortener) are unwrapped server-side so the verdict runs against the real destination instead of the shortener interstitial. Domain age under 30 days, suspicious WHOIS data, or a Google Safe Browsing hit pushes the verdict.

Layer 3 - AI deep scan (content + brand impersonation). The fetched page content is analyzed by a content-aware model that detects brand impersonation in 100+ languages. If the page renders the FedEx purple-and-orange logo, FedEx fonts, or text like "FedEx tracking" or "Reschedule delivery" on a domain that is not fedex.com or one of its official country sites, the page is flagged as brand impersonation. The same layer catches USPS, UPS, DHL, Royal Mail, India Post, Australia Post, Japan Post, Deutsche Post, and other carrier impersonations the same way.

For users who do not want to install an extension, the same engine is exposed at the free public URL checker. Paste any link from a suspicious text, get a verdict in seconds, no login. For wallet and security apps that want to integrate, the same detection is available as an API at api.safebrowz.com/v1/detect at $0.001 USDC per call.

For dApp builders and e-commerce operators

If you run a service that ships physical goods, sends transactional notifications, or settles fulfillment via FedEx (or any major carrier), the smishing problem becomes your problem because your customers receive forgeries of your messages and then call your support team. Mitigations you control:

• Publish your real sender numbers and domains. List them on your security page. "We text from short code XXXXX. We email from no-reply@yourdomain.com. We never send links asking for redelivery fees."
• Run customer education campaigns proactively. A one-paragraph reminder in every order confirmation ("Your real tracking is at fedex.com/track. Ignore any SMS asking for a customs fee") costs nothing and saves customer support volume.
• Set up DMARC, DKIM, and SPF on your transactional email domains. Email auth limits the attacker's ability to spoof your real address, pushing them toward lookalike domains that customers can spot.
• Train your customer service team on the most common smishing patterns. Customers calling in panicked after clicking a link need clear, calm instructions - not boilerplate "check your account." A 15-minute training session on the seven variants saves hours of confused calls.
• Use one consistent sender ID per channel. Frequent sender-number changes train customers to accept unfamiliar SMS sender IDs as legitimate, which is exactly the gap smishers exploit.

The bigger picture

FedEx smishing is one specific case of a broader problem: SMS is now the dominant channel for retail phishing because it bypasses the email security layer that everyone has spent twenty years hardening. The same attack pattern targets USPS ("failed delivery"), UPS ("package on hold"), DHL ("customs duty"), Amazon ("order verification"), Apple ("Apple ID sign-in"), Netflix ("subscription expired"), and government agencies ("IRS tax refund pending"). The visual and operational template is identical. The brand changes. The damage shape stays the same.

Until carriers implement universal STIR/SHAKEN-style sender authentication for SMS - which has been discussed since 2022 and remains incomplete - the defense burden falls on individuals and on the third-party tools they install. The 10-second check (do not click, open a fresh browser tab, go to the real site, verify there) is reliable but only if used every single time. Tools like the SafeBrowz extension and URL checker exist because human discipline is not actually consistent enough to defend against a daily, year-round, multi-billion-message attack volume.

Block smishing destinations automatically

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects FedEx, USPS, UPS, DHL, Amazon, and other smishing destinations the moment they load. The core protection is free forever. Premium adds drainer JavaScript detection and unlimited daily AI scans for $14.99 per year - or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. No install required to check a single link - the free public URL checker handles one-off cases.