The €4.50 customs fee Rebecca paid in late December
Rebecca ordered a Christmas gift for her younger sister on December 14, an $89 perfume from a small French boutique website she had read about on a holiday gift roundup. The order confirmation said ten to fourteen business days for international delivery. Her sister's birthday landed on January 3, so the timing felt fine either way.
December 22, around 8:40pm, she got the SMS.
"USPS: Your international package is held at customs. €4.50 import duty due. Click here to release: usps-customs-pay.com/release/9821"
Rebecca thought about it for maybe four seconds. Yes, she did order something from France. Yes, international parcels sometimes have customs duties. €4.50 was less than the cost of a coffee. The carrier name, USPS, was right there at the start of the text. Her sister's gift was inside the package. Christmas was three days away. The cognitive load of the week was about ninety percent gift logistics and ten percent everything else.
She tapped the link. The page that opened was a near-perfect clone of the USPS payment portal, blue eagle logo, the right shade of red and white, a tracking widget that returned a generic "Held: Import Service Center" status when she typed in the made-up tracking number from the SMS. There was a form for card number, expiration, CVV, and billing ZIP. She paid €4.50 with the Visa debit card linked to her main checking account. The confirmation screen said "Payment received. Your package will be released within 24 hours." A real-looking confirmation number. Nothing felt off.
The actual French boutique package arrived on December 28, completely separate from the SMS, no customs fees, no drama. Rebecca thought briefly that the timing was strange but did not connect the dots. The holidays moved on. New Year. Family visits. Back to work. The $89 perfume box went under the tree, then to her sister.
February 8, six and a half weeks after the SMS, Rebecca opened her bank app at lunch and found three transactions she did not recognize. A $640 charge to a luxury online retailer she had never used. A $720 ride-hailing top-up in a city she had never visited. A $440 gift card purchase. The total: $1,800. Her card had been tested with a small $1.50 charge a week earlier that she had missed because it looked like a recurring service fee. Then it was drained.
Her bank reversed the charges after a four-week dispute, which is the normal US Fair Credit Billing Act window for unauthorized transactions. She got the money back. But the card details from December 22 had been resold on a darknet bulk marketplace at least twice before the dispute closed the window, which means the card data is still in circulation. Rebecca's card got reissued. Her email and phone number are now permanent fixtures on multiple scam targeting lists, which is its own slow-burn problem.
The card data flowed into the same broad ecosystem we describe in our safe online payments and virtual card guide for 2026. The dominant darknet bulk-card markets process millions of stolen card records per quarter according to multiple 2024 underground market analyses, and seasonal smishing waves are one of their largest restocking events of the year.
Rebecca is one example. The FTC Consumer Sentinel Network 2024 report shows that text-message-driven fraud cost US consumers $470 million in 2024, the highest ever recorded for that vector, and the holiday quarter is consistently the heaviest. The FBI Internet Crime Complaint Center 2024 PSA on delivery and customs SMS scams specifically called out the November-January window as the peak risk period.
Why November to January is the perfect scam window
The holiday quarter is not just busier for smishing volume. It is structurally easier for attackers to succeed during this window for four specific reasons.
Reason 1: Real international package volume is at its annual peak. The US Postal Service Office of Inspector General's 2024 holiday season advisory noted that international inbound parcel volume to the US doubles between mid-November and late December compared to the rest of the year, driven by overseas e-commerce gift purchases. The same pattern shows up in Royal Mail data in the UK, Canada Post data in Canada, and Australia Post data in Australia. More real international parcels means more recipients who can plausibly believe "yes, I did order something from abroad."
Reason 2: Multiple expected deliveries blur which is which. A typical US household receives between five and fifteen packages between Black Friday and December 25 according to BBB Scam Tracker analysis of 2024 holiday complaints. With that many incoming parcels, the cognitive cost of cross-referencing a specific SMS notification against a specific order is high. The recipient often does not actually know which carrier is carrying which order, especially when retailers route through multiple carriers based on warehouse origin. "USPS says my package is held" registers as plausible without further checking.
Reason 3: Post-Christmas backlog extends the believable window. The myth that the smishing wave ends on December 25 is wrong. Carriers themselves publish "expect delays through mid-January" notices every year, which means SMS messages claiming "your package is delayed at customs" remain plausible deep into the new year. CISA's Holiday Shopping Cybersecurity advisory for 2024 specifically flagged the January post-holiday period as continued high-risk, not the off-season most consumers assume it is.
Reason 4: Reduced vigilance during the stress window. Holiday season correlates with elevated stress, reduced sleep, more financial decisions per day, and more SMS volume overall. The combination drops the average user's "check before tapping" threshold. Action Fraud UK's 2024 holiday advisory noted that reported losses per victim are 30 to 40 percent higher in the November-January window than the rest of the year, suggesting victims are not only more numerous but are also clicking through more of the funnel before catching themselves.
The 5 active 2026 variants
The wording rotates every few weeks as carrier spam filters catch up, but the underlying templates are stable. If your incoming text matches any of these, treat it as a scam by default.
Variant 1: The customs fee SMS
"USPS: Your international package is held at customs. €4.50 import duty due. Pay to release: [link]"
The dominant 2026 variant. Works because the fee amount is deliberately small (typically $2.99 to $8.99 or €2 to €8), the customs pretext is uniquely believable for international shipments, and the time pressure is implicit ("before delivery"). Card details are harvested on a near-perfect USPS, FedEx, DHL, Royal Mail, or Colissimo clone page. Real USPS, FedEx, DHL, UPS, Royal Mail, Australia Post, Canada Post, and La Poste Colissimo never charge customs duty through an SMS link. Customs is handled at delivery in person, through your customs broker, or via an invoice from the carrier billing department through email or postal mail.
Variant 2: Failed delivery reschedule
"USPS: We attempted to deliver your package today but no one was available. Reschedule before return to sender: [link]. $1.99 redelivery fee applies."
The classic missed-delivery template, repurposed for the holiday window. Sister content covers this in detail across our FedEx missed delivery text scam guide and our USPS failed delivery text scam guide. Holiday season turbocharges the conversion rate because the recipient is genuinely expecting deliveries and is not home to check whether a real delivery attempt happened. Real carriers leave physical notices or in-app account notifications, never SMS payment links.
Variant 3: Address verification
"FedEx: We could not verify the destination address for tracking number 7747... Please confirm at [link] within 24 hours."
The fake tracking number looks real (carrier tracking numbers follow standard length and pattern rules that are easy to mimic), which adds legitimacy. The page collects full address re-entry and sometimes phone, email, and date of birth. Identity profile harvest, sometimes paired with a "$0.99 verification charge" for credit card capture. The DHL version of this is covered in our DHL package tracking text scam guide.
Variant 4: Tax due before delivery
"Royal Mail: Your parcel from [country] is held for VAT payment of £2.99. Pay now to receive delivery: [link]"
The UK and EU specific variant. VAT on imported goods is a real obligation for parcels over certain value thresholds (£135 in the UK, €150 in the EU under current customs rules), which gives the pretext real-world weight. Action Fraud UK and Police Scotland both flagged this variant in their 2024 holiday advisories as the highest-volume UK smishing template through December and January. Real HMRC, Royal Mail, and La Poste Colissimo never collect VAT via SMS link. Our Colissimo and La Poste delivery smishing France guide covers the French version of this scam in depth.
Variant 5: Christmas gift held in warehouse
"USPS Holiday Service: Your gift package is held in our holiday warehouse. Confirm delivery preferences and pay $3.99 expedited release fee: [link]"
The seasonal-specific variant that only runs from late November through early January. Plays on the gift-delivery emotional weight (you do not want your sister's Christmas gift stuck in a warehouse). The "expedited release fee" framing makes the small payment feel like a service upgrade rather than a tax. Card data flows to the same backend as every other variant. There is no "holiday warehouse" at any real carrier. Standard delivery routes apply year-round.
How real USPS, FedEx, DHL, and customs notifications actually work
The simplest defense is knowing what a real notification looks like. Memorize these facts.
- Real carriers only text you if you opted in. USPS Informed Delivery, FedEx Delivery Manager, DHL eCommerce notifications, Royal Mail Track and Trace alerts, Canada Post Delivery Notifications, and Australia Post AusPost App alerts are all opt-in services tied to a real account and a real tracking number you registered. Random unsolicited SMS to people who never opted in are not legitimate.
- Real customs duties are paid at delivery in person or via the carrier's in-app account. USPS collects any owed customs duty from the recipient at the door before handing over the parcel. FedEx and UPS bill customs through your account or email an invoice. DHL collects through the recipient's in-app account or at the door. La Poste Colissimo and Royal Mail handle customs through their official apps or by sending a payable invoice through the postal channel. None of these companies use an SMS link to collect a $4 customs fee from a Visa card.
- Real carrier texts do not contain clickable payment links. Real status messages point you to the carrier's main domain to track and pay. You type the domain manually, you do not click.
- Customs fees do not show up before the package arrives in country. If you ordered something on December 14 and got a "held at customs" SMS on December 22, the package may not even have left the origin country yet. Track on the real carrier site to confirm transit status before paying any "fee."
- Real customs fees are not collected for parcels under value thresholds. US de minimis under $800, EU under €150 for VAT-free, UK under £135 for VAT-free (post-2021 rules). An €89 perfume from a French boutique is below the US duty threshold and the EU is irrelevant for a US recipient. A "€4.50 customs duty" claim on a sub-threshold parcel is mathematically wrong.
Red flags in any delivery SMS
- The text has a clickable link asking for a fee. Real carrier SMS never collect payment via embedded link. Single biggest tell.
- The URL is not on the real carrier domain. Real USPS lives on usps.com. Real FedEx on fedex.com. Real DHL on dhl.com or country variants. Real Royal Mail on royalmail.com. Real La Poste Colissimo on laposte.fr or colissimo.fr. Anything else is fake.
- The link is shortened. bit.ly, tinyurl.com, t.ly, cutt.ly, urlkub.co, or any other shortener. Real carriers do not shorten their own URLs.
- The domain has carrier keyword stitched with hyphens. Examples: usps-customs-pay.com, fedex-tracking.live, dhl-clearance.xyz, royalmail-postage.click, colissimo-verify.top. Real carriers do not hyphenate the brand name with descriptive words.
- The domain uses a suspicious TLD. .xyz, .top, .live, .click, .cn, .ru, .icu, or other low-cost TLDs. Real carriers use .com, country code TLDs like .co.uk, .fr, .de, .ca, or .com.au.
- The tracking number does not match the carrier format. USPS tracking numbers are 20 to 22 digits. FedEx are 12 to 15 digits. DHL are 10 digits or alphanumeric. UPS start with 1Z and are 18 characters. Royal Mail are 13 characters ending in GB. Anything off-pattern is fake.
- Urgency language tied to a small fee. "Pay within 24 hours" plus "$2.99 fee" is the exact emotional design used by smishing kits to bypass user verification.
- The fee amount is suspiciously specific and small. Real carrier fees are either zero (the carrier absorbs them) or invoiced through your account. They do not show up as a $3.97 or €4.50 demand via SMS link.
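The red flags above, written as a triage function for carrier-themed texts. This is an added example, not code from the original article or from SafeBrowz; the allowlist, flag names and urgency phrases are assumptions built from the article's own lists, and the extra host and tracking values are constructed.

```python
import re

# Lists below come from the article; extend the allowlist with the country
# variants you actually use (e.g. a national DHL site). Flag names are made up.
CARRIER_DOMAINS = {"usps.com", "fedex.com", "dhl.com", "ups.com", "royalmail.com",
                   "laposte.fr", "colissimo.fr", "canadapost.ca", "auspost.com.au"}
BRANDS = {"usps", "fedex", "dhl", "ups", "royalmail", "colissimo", "laposte"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.ly", "cutt.ly", "urlkub.co"}
RISKY_TLDS = {"xyz", "top", "live", "click", "cn", "ru", "icu"}
# Tracking formats as stated in the article. DHL is left out because
# "10 digits or alphanumeric" is too loose to test.
TRACKING_FORMATS = {"usps": r"\d{20,22}", "fedex": r"\d{12,15}",
                    "ups": r"1Z[A-Z0-9]{16}", "royalmail": r"[A-Z0-9]{11}GB"}

# SMS links usually omit the scheme, so match bare host names as well.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
FEE_RE = re.compile(r"[$€£]\s?(\d+(?:\.\d{1,2})?)")
# Assumed urgency phrases, modelled on the five variants quoted in the article.
URGENCY_RE = re.compile(r"within \d+ hours|pay now|to release|before return", re.I)


def host_flags(host):
    """Return the red flags raised by one host name from a carrier-themed SMS."""
    host = host.lower().rstrip(".")
    if host in SHORTENERS:
        return ["shortened_link"]
    # Suffix match on whole labels: "usps.com.evil.xyz" is NOT usps.com.
    if any(host == d or host.endswith("." + d) for d in CARRIER_DOMAINS):
        return []
    flags = ["not_carrier_domain"]
    labels = host.split(".")
    if any("-" in lab and BRANDS & set(lab.split("-")) for lab in labels):
        flags.append("hyphen_stitched_brand")
    if labels[-1] in RISKY_TLDS:
        flags.append("risky_tld")
    return flags


def sms_flags(text):
    """Score a whole message: every link, plus the fee/urgency wording."""
    flags = []
    hosts = [m.group(1) for m in URL_RE.finditer(text)]
    for host in hosts:
        flags += host_flags(host)
    fee = FEE_RE.search(text)
    if hosts and fee:
        flags.append("fee_with_link")  # the article's single biggest tell
        if float(fee.group(1)) < 10 and URGENCY_RE.search(text):
            flags.append("small_fee_plus_urgency")
    return sorted(set(flags))


def tracking_format_ok(carrier, number):
    """True/False for a format match, None if the carrier is not modelled.

    A match only means the number is well-formed; fake numbers are built to
    pass this, so the lookup on the carrier's own site is still required.
    """
    pattern = TRACKING_FORMATS.get(carrier.lower())
    if pattern is None:
        return None
    return re.fullmatch(pattern, number.replace(" ", "").upper()) is not None


if __name__ == "__main__":
    # The message quoted at the top of the article.
    sms = ("USPS: Your international package is held at customs. €4.50 import "
           "duty due. Click here to release: usps-customs-pay.com/release/9821")
    print(sms_flags(sms))
    print(host_flags("usps.com.release-parcel.xyz"))  # constructed host
    print(tracking_format_ok("usps", "9821"))         # too short for USPS
```

An empty result means only that none of these patterns fired; a fresh lookalike on a .com domain with no hyphen still raises `not_carrier_domain` and nothing else, which is reason enough not to tap.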
The 5-second URL check
You do not need to memorize every URL pattern. Use this routine on any holiday SMS.
- Do not tap the link. Treat any carrier SMS with a payment link as a scam by default.
- Open a fresh browser tab. Type the real carrier domain manually: usps.com, fedex.com, dhl.com, ups.com, royalmail.com, canadapost.ca, auspost.com.au, laposte.fr. Bookmark them for next year.
- Search the tracking number on the real site. Paste the number from the SMS (if any) into the official tracking search box. Fake tracking numbers return "No information." Real tracking shows full transit history. If the number does not exist, the SMS is fake.
- If you need to pay customs, do it through the carrier account or in their app. Real customs collection happens in the carrier's authenticated account or at delivery, not via random SMS link.
- Report the smishing text. Forward to 7726 (the universal SMS spam shortcode in the US, Canada, UK, and Australia), report at reportfraud.ftc.gov, file at FBI IC3, and report carrier impersonation at uspis.gov/report for USPS impersonation specifically. Then delete the text.
If you want a second opinion on a specific link, paste it into the SafeBrowz URL checker. The checker unwraps shorteners, checks domain age (most smishing destinations are less than 30 days old), runs the URL through community blacklists, and returns a verdict in a few seconds. No login required.
The virtual-card defense
The single best technical defense against holiday card capture is to never enter your primary card number on a payment form you reached via SMS. Even if the page looks real. Use a virtual card number from your bank, your card issuer's app, or services like Privacy.com, Revolut Disposable Virtual Cards, Wise Virtual Card, or your Apple Card's Card Number feature. A virtual card lets you set a per-transaction or per-merchant limit, and you can kill the number with one tap if it gets scammed. Our complete walkthrough is in the safe online payments and virtual card guide for 2026.
For credit cards, the US Fair Credit Billing Act gives you 60 days to dispute unauthorized transactions, the UK Consumer Credit Act gives 13 months for Section 75 chargebacks on purchases over £100, and Canada's PSP code gives 30 days. Knowing the window matters because the smishing-card-fraud cycle often takes six to twelve weeks to play out, well past the moment of the original tap.
What to do if you already paid the fake fee
If you tapped the link and paid the fee, treat it as a credit card compromise, not just a small loss.
- Call your card issuer immediately. The number on the back of your physical card. Do not Google "[bank] fraud number" because tech support scammers run fake support listings, particularly during the holiday window when call volumes are high. The bank will cancel the card and reissue. Most major issuers have 24/7 fraud lines.
- Review the transaction history for unauthorized charges. Dispute anything suspicious within 60 days (US Fair Credit Billing Act), 13 months (UK Section 75), or your local equivalent window. Most attackers wait six to twelve weeks before testing the card, which means you have to keep checking through January and February.
- Add a fraud alert with the three US credit bureaus (Equifax, Experian, TransUnion). One call to any of the three propagates to the others. The alert is free and lasts 12 months. UK residents do the equivalent through Experian, Equifax, or TransUnion UK. Canadian residents through Equifax Canada or TransUnion Canada.
- File a report at reportfraud.ftc.gov (US), actionfraud.police.uk (UK), or antifraudcentre-centreantifraude.ca (Canada). This feeds law enforcement and consumer protection data.
- If you also entered SSN, passport, or DOB, place a credit freeze with all three bureaus (free, blocks new accounts in your name), file at identitytheft.gov, and check your IRS or HMRC account to make sure no fraudulent tax return has been filed.
- If you downloaded an APK on Android, uninstall it immediately and run a mobile antivirus scan. Some 2026 holiday smishing variants push a "carrier tracking app" that is actually a banking trojan harvesting SMS one-time codes from real banking apps.
How to report holiday smishing
Reporting feeds network-level detection signals and gives consumer protection authorities the data they need to issue fresh advisories. The channels worth using:
- Forward the SMS to 7726. Universal SMS spam shortcode in the US (works on AT&T, Verizon, T-Mobile), Canada, UK, and Australia. Free. Your carrier blocks the sender within hours if multiple reports stack.
- FTC Consumer Sentinel. reportfraud.ftc.gov. US federal consumer protection database. Feeds law enforcement and policy.
- FBI IC3. ic3.gov. US Internet Crime Complaint Center. Important for losses above $500 or for documented identity theft.
- USPIS for USPS impersonation. uspis.gov/report. US Postal Inspection Service. Handles mail and parcel fraud specifically.
- FedEx, DHL, UPS fraud inboxes. abuse@fedex.com, phishing-dpdhl@dhl.com, fraud@ups.com. The carriers maintain dedicated security teams that track campaigns and request takedowns from hosting providers.
- Action Fraud UK. actionfraud.police.uk or 0300 123 2040. UK national fraud and cyber crime reporting center.
- Canadian Anti-Fraud Centre. antifraudcentre-centreantifraude.ca or 1-888-495-8501. National database with strong holiday-window analytics.
- ScamWatch Australia. scamwatch.gov.au. ACCC consumer protection arm.
- Cybermalveillance.gouv.fr. French national cybercrime portal. Also reachable through 33700 for SMS spam reporting in France.
Why the holiday wave keeps growing year over year
BBB Scam Tracker's 2024 holiday season data showed the November-January smishing-and-package-scam category up roughly 35 percent year over year, with reported losses concentrated in the post-Christmas window when victims discover the fraud only after holiday statements arrive. Three structural reasons.
The attack infrastructure is now turnkey. Phishing-as-a-Service kits sold on underground markets for $50 to $500 ship with prebuilt carrier impersonation templates for USPS, FedEx, DHL, UPS, Royal Mail, Canada Post, Australia Post, La Poste Colissimo, and Deutsche Post DHL. No technical skill required to run a campaign. A laptop, a few dollars in domain registrations, a list of phone numbers, and you are in business.
SMS has no equivalent of email spam filtering. Carrier-level SMS spam filtering exists but is twenty years behind email and processes only a fraction of message traffic. Until STIR/SHAKEN-style sender authentication is fully deployed for SMS (it has been discussed since 2022 and remains incomplete), the channel is effectively wide open.
The cost of a failed campaign is essentially zero. Domains burn in 24 to 72 hours after the first abuse reports, but the attacker spins up the next one immediately. Hosting on Cloudflare Pages, Vercel, Netlify, or any free TLS-equipped platform is automatic and instant. The takedown cycle is permanent background noise; the attackers operate on shorter cycles than the defenders.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1, Local detection: 60+ URL pattern signatures plus 550+ brand-specific signatures (USPS, FedEx, DHL, UPS, Royal Mail, Canada Post, Australia Post, La Poste Colissimo, Deutsche Post DHL, Japan Post, India Post, and other carrier brands) run directly in your browser. Catches the carrier-keyword-on-non-carrier-TLD, hyphen-stitched lookalike, Cyrillic homograph, and free-hosting subdomain patterns at click time, before the fake payment page loads.
- Layer 2, API checks: Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser cross-references run server-side. Catches known malicious URLs the moment they are reported anywhere in the world, including the throwaway lookalike domains that get burned and rebuilt every 24 to 72 hours during the holiday window.
- Layer 3, AI deep scan (Premium): Content analysis flags brand-new carrier impersonation pages that no blocklist has seen yet. The fake USPS customs page that went live four hours ago and is being blasted via SMS right now. Works in over 100 languages, so the same engine catches French Colissimo lookalikes, UK Royal Mail lookalikes, Australian AusPost lookalikes, and Canadian Canada Post lookalikes the same way.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Block holiday smishing destinations automatically
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects USPS, FedEx, DHL, UPS, Royal Mail, La Poste Colissimo, Canada Post, Australia Post, and other carrier-impersonation pages the moment they load. The core protection is free forever. Premium adds drainer JavaScript detection and unlimited AI deep scans for $14.99 per year, or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. No install required to check a single link; the free public URL checker handles one-off cases.
Frequently asked questions about holiday customs scams
Do real carriers ever charge customs fees by SMS?
No. USPS, FedEx, DHL, UPS, Royal Mail, La Poste Colissimo, Canada Post, and Australia Post do not collect customs duties or import fees via SMS link. Real customs is collected at delivery in person, through the recipient's authenticated carrier account or app, or via an invoice through the carrier's billing department through email or postal mail. Any SMS asking you to pay a customs fee on a card form via clickable link is a scam.
Why is the customs fee scam more common during the holidays?
Three reasons. Real international parcel volume to the US, UK, EU, Canada, and Australia roughly doubles between mid-November and late December, which means more people genuinely believe they have an inbound international package. Multiple expected deliveries blur which carrier carries which order, reducing the cognitive cost of cross-checking. And holiday stress reduces the average user's verify-before-tapping threshold. Action Fraud UK noted that per-victim losses are 30 to 40 percent higher during the November-January window than the rest of the year.
I paid the small fake fee. Should I worry about more than the $5?
Yes. The fee is not the target; your full card number, expiration, CVV, and billing ZIP are. The card details get resold on darknet bulk markets and typically get tested with higher-value fraud six to twelve weeks after the original tap, often after holiday card statements have already been reviewed and closed. Call your card issuer today and have the card cancelled and reissued. The US Fair Credit Billing Act gives you 60 days to dispute unauthorized charges. The UK Section 75 protection runs 13 months for purchases over £100. Acting now prevents the slow-burn fraud that follows.
How do I check whether a customs fee is real?
Type the carrier's real domain manually into your browser (usps.com, fedex.com, dhl.com, royalmail.com, colissimo.fr, canadapost.ca, auspost.com.au). Log into your account or use the tracking search to look up the tracking number on the SMS. Real fees show up inside your authenticated account. If the tracking number returns "No information" or does not exist, the SMS is fake. Also check whether the parcel value would even cross the customs threshold in your country (US de minimis $800, EU €150 for VAT-free, UK £135 for VAT-free). Sub-threshold parcels do not owe duty.
The SMS came from a 10-digit phone number, not a short code. Does that matter?
Yes, that is itself a red flag. Real carrier notifications come from short codes registered to the carrier (USPS uses 28777, FedEx uses 48773, DHL uses various country-specific short codes). A random 10-digit number sending you a delivery notification is almost certainly a scam. Forward it to 7726 to report.
I report scams every year and the volume only grows. Is reporting actually useful?
Yes, even though individual reports feel low impact. 7726 reports feed carrier-level sender blocking that takes effect within hours when reports stack. FTC, FBI IC3, Action Fraud, Anti-Fraud Centre, and ScamWatch data drives published advisories that warn other consumers and feeds law enforcement prioritization. Carrier fraud inboxes (abuse@fedex.com, phishing-dpdhl@dhl.com) feed takedown requests to hosting providers. The aggregate effect is real even when each individual report feels small.