What "smishing" means and why USPS is the dominant target

Smishing is phishing delivered by SMS or messaging app instead of email. The attacker sends a text that impersonates a brand, includes a link to a fake page that mimics the brand's website, and tricks the recipient into entering personal or financial information. Smishing surged starting in 2022 because mobile email filters catch most email phishing, but SMS has essentially no spam filtering at the network level. Carriers strip some spam by sender reputation, but a fresh sender number with no history sails through.

USPS is the dominant smishing target in the US for three reasons. First, USPS delivers around 130 billion mail items per year, which means at any given moment a meaningful fraction of the population is actually expecting a USPS delivery. Second, USPS is a federal agency, which gives the impersonation more authority weight than a private company. Third, the real USPS does send text notifications - if a user opts in for "USPS Informed Delivery" alerts - so a USPS-shaped text is not automatically suspicious to most recipients.

Per AARP's 2026 reporting, "Americans are swamped with USPS, FedEx, UPS scam delivery texts." Per FTC consumer alerts, the agency receives reports of these scams every single day. The volume is high enough that the USPS Postal Inspection Service set up a dedicated reporting channel at spam@uspis.gov and recommends forwarding every smishing text to 7726 (the universal SMS spam reporting shortcode). Reports do not always stop the attacker but they feed network-level signals that help carriers detect future campaigns from the same source.

The seven message variants in active rotation

The exact wording changes, but the underlying templates are stable. If your incoming text matches one of these, treat it as a scam by default.

Variant 1: Failed delivery / undeliverable

The most common version. "USPS: Your package could not be delivered due to incomplete address information. Please update your address at [link] to reschedule." This works because the user mentally checks "am I expecting a package?" The answer for most people most of the time is yes - even a single Amazon order or eBay purchase in the last week makes the message feel plausible.

Variant 2: Customs / unpaid postage fee

"USPS: Your shipment requires a customs fee of $1.99 to release. Pay here: [link]." The fee is deliberately small. The point is not to extract $1.99 - the point is to get the user to enter credit card details on the fake page. The credit card number then sells for $5-$30 on dark-web markets, and the saved card may also be used immediately for higher-value fraud before the user notices.

Variant 3: Reschedule delivery

"USPS: Delivery attempt unsuccessful. Schedule a new delivery time at [link]." A clean variant designed to feel routine. The fake page collects your address, phone number, and sometimes payment information for a "redelivery fee." The real USPS schedules free redelivery on usps.com without a payment step.

Variant 4: Invalid zip code

"USPS: Your package is on hold because the ZIP code in our system is invalid. Please verify at [link]." This version exploits the user's instinct that postal data errors are technical glitches that are fixed by clicking through. The page asks for full address re-entry, which is enough on its own for identity theft when combined with a name from the carrier's caller-ID display.

Variant 5: Package on hold / pending action

"USPS: Your parcel has been held at the local distribution center awaiting your confirmation. Confirm here: [link]." Vague urgency without specifics. Works because the user fills in the blank ("oh, the package from the thing I ordered") and clicks before reading carefully.

Variant 6: Tracking number issue

"USPS: We could not match your tracking number 9400 ... to a valid address. Update at [link]." The fake tracking number looks real (USPS tracking numbers do start with 94 for standard mail), which adds legitimacy. Real USPS support never asks you to "update" a tracking number - tracking numbers are immutable.

Variant 7: Delivery preference / signature required

"USPS: Your package requires a signature for delivery. Please confirm signature preferences at [link]." Plays on the user's assumption that high-value or registered packages do require signatures. The page asks for the user's signature image (a digital impression) along with name, address, and DOB - a small but useful identity-theft package.

What the destination page actually does

Every variant ends at a landing page that looks like usps.com. The branding is exact - same eagle logo, same blue and red color scheme, same fonts, same nav layout. Most fake pages even include a real-looking footer with privacy and terms links that go nowhere. The visual mimicry passes a 5-second eye test for almost everyone.

The page asks the user to enter, in sequence:

  1. Full name (for identity profile)
  2. Street address, city, state, ZIP (for the same)
  3. Phone number (for further phishing follow-ups via call)
  4. Email address (for password-reset attacks on other accounts)
  5. Date of birth (in some variants - for full identity theft kits)
  6. Credit card number, expiration, CVV, billing ZIP (for the "redelivery fee" or "customs fee")
  7. SSN last 4 (in higher-value variants - sometimes labeled as "address verification")

The "small fee" charge to the card may or may not actually process. If it does, it produces a transaction confirmation that reassures the user the page was legitimate. The card details, address, and identity package then flow to a backend that resells on dark-web markets typically within hours. Higher-value cards may be used directly by the attacker for 6-12 hours before the inevitable chargeback dispute closes the window.

Some sophisticated variants also drop a tracking cookie or browser fingerprint that flags the user for follow-up phishing across the next 30-60 days. The user gets a second wave of "USPS" texts, then a third, then a "Bank of America fraud alert" text - all matching the profile the attacker built on the first page.

Why the URLs look almost convincing

The destination URLs follow a few predictable patterns. Recognizing the patterns is half the battle.

Pattern 1: USPS keyword on a non-government TLD

Real USPS is on usps.com (and usps.gov for some federal-side pages). Any URL with "usps" in the domain on a different TLD is a scam. Examples in active rotation:

  • usps-redelivery[.]com
  • usps-tracking[.]top
  • usps-confirm[.]xyz
  • usps-info[.]live
  • usps[.]package-update[.]com

The hyphen-keyword construction is the easiest visual tell. Real USPS subdomains are tools.usps.com, informeddelivery.usps.com, and similar - the brand name is always the second-level domain, never appended with hyphens.

Pattern 2: USPS in a subdomain on a free hosting provider

Examples:

  • usps-track[.]vercel[.]app
  • usps[.]netlify[.]app
  • usps-delivery[.]pages[.]dev
  • usps[.]github[.]io

Free hosting platforms like Vercel, Netlify, Cloudflare Pages, and GitHub Pages take minutes to set up and provide automatic HTTPS. Attackers spin up a fresh subdomain, push the fake page, and start sending texts. The actual hosting provider is not at fault - they shut down reported phishing within hours - but the attack happens in those hours.

Pattern 3: URL shortener hiding the real destination

Examples:

  • bit.ly/usps-track-xyz
  • tinyurl.com/usps-redelivery
  • t.ly/USPSverify
  • urlkub[.]co/randomstring

Shorteners are appealing to scammers because the user cannot tell from the text where the link actually leads. Hovering on a phone is hard, and the SMS preview does not unwrap shorteners. The destination is hidden until you click.

Pattern 4: Lookalike "usps" with substitutions

Examples:

  • usрs[.]com (Cyrillic "р" instead of Latin "p")
  • uspsa[.]com (extra letter at end)
  • ussps[.]com (double "s" in middle)
  • uspspackage[.]com (suffix attached)

Homograph attacks use lookalike characters from other Unicode scripts. The Cyrillic "р" looks identical to the Latin "p" in most fonts, so usрs[.]com is indistinguishable from usps.com at a glance. Browsers warn about some homograph patterns but not all of them, especially in SMS where the URL is plain text without browser protection.

How real USPS delivery notifications actually work

The simplest defense is knowing what a real USPS message looks like. Memorize these facts:

  • USPS only texts you if you opted in. If you signed up for USPS Informed Delivery or requested specific tracking, you may get texts. Otherwise, you should never receive a USPS text out of nowhere.
  • Real USPS texts do not contain links. Per the USPS Postal Inspection Service: "USPS will not send customers text messages or emails without a customer first requesting the service with a tracking number, and it will NOT contain a link."
  • USPS does not charge "redelivery fees" or "customs fees." Redelivery is free and scheduled on usps.com. Customs fees on international parcels are handled by your local Customs and Border Protection or your shipping carrier directly - not USPS, and never via SMS.
  • Real USPS does not need your SSN, credit card, or DOB. Address verification happens during shipping label creation, not at delivery time.
  • Tracking numbers are looked up at usps.com. Type usps.com into your browser, enter the tracking number in the search box, and check status yourself. Never click a link to track.

The 10-second check that catches every variant

You do not need to memorize every URL pattern. Use this short routine instead:

  1. Do not click. If the text claims to be from USPS, the first action is to not click the link. The link is the entire attack.
  2. Open a fresh browser tab. Type usps.com manually. Bookmark it for future use.
  3. Enter the tracking number from the text (if any) into the usps.com tracking search box. If the tracking number is fake (the most common case), the search will return "Status Not Available" or similar.
  4. If you genuinely have a real package issue, usps.com lets you reschedule delivery, change address, or update preferences without any third-party link.
  5. Forward the smishing text to 7726 (this is the universal SMS spam reporting shortcode in the US, Canada, and UK) and to spam@uspis.gov. Then delete the text.

If you want a second opinion on a specific link, paste it into the SafeBrowz URL checker. The checker unwraps URL shorteners, checks domain age (most smishing destinations are less than 30 days old), runs the URL through community blacklists, and returns a verdict in a few seconds. No login required.

What to do if you already clicked or entered information

If you clicked the link and the page opened, but you did not enter anything, you are probably fine. The page itself usually cannot install malware unless you also download something. Close the tab, clear browser cookies for that domain, and move on.

If you entered personal information (name, address, phone, DOB):

  • Change passwords on accounts that share that information, especially financial accounts and your primary email.
  • Enable two-factor authentication everywhere possible - SMS-based 2FA is weak against SIM swapping, so prefer authenticator-app 2FA for high-value accounts.
  • Add a fraud alert with the three US credit bureaus (Equifax, Experian, TransUnion). One call to any of the three propagates to the others. The alert is free and lasts 12 months.
  • File a report at reportfraud.ftc.gov. This feeds into law enforcement data and may help if you later need to dispute fraud.

If you entered credit card information:

  • Call your card issuer immediately. Most major issuers have 24/7 fraud lines and will cancel and reissue the card on the same call. The phone number is on the back of the physical card - do not Google "[bank] fraud number" because tech support scammers run fake support listings.
  • Review the transaction history for unauthorized charges. Dispute anything suspicious within 60 days (US Fair Credit Billing Act window).
  • If the new card has not arrived yet and you must pay urgent bills, your issuer can usually expedite or add the card to Apple Pay / Google Pay digitally while the physical card is shipping.

If you entered SSN or sensitive identity information:

  • Place a security freeze (not just an alert) with all three credit bureaus. A freeze blocks new credit accounts being opened in your name. Freezes are free and last until you remove them.
  • File an identity theft report at identitytheft.gov. The FTC's identity theft recovery plan walks you through every cleanup step.
  • Check your IRS account at irs.gov/payments/your-online-account to make sure no fraudulent tax return has been filed in your name.

Why this scam keeps working despite years of warnings

The scam works because of three specific psychological levers, not because the victims are careless.

Lever 1: Reasonable expectation of a package. The average American household receives more than one delivery per week between Amazon, eBay, retail subscriptions, and family gifts. The base rate of "am I expecting something" is high, so even a generic smishing text lands on a context where the user has a real package in mind.

Lever 2: Mobile context destroys URL inspection. On a phone, SMS does not display the full destination URL when the user previews the link. Hovering does not work on touchscreens. Most users tap the link from inside the SMS app, which opens in the system browser without any of the desktop habits (read URL, check certificate, hover over button). The mobile UX removes every defense layer that desktop browsing trains the user to use.

Lever 3: Small dollar amounts feel low-stakes. A $1.99 redelivery fee feels harmless. Most people would not engage with a "send us $500 for verification" prompt, but $1.99 reads as the kind of nuisance fee that real services charge. The user enters card details thinking they are losing two dollars. The actual loss is the card number, which is worth significantly more.

How SafeBrowz catches the destination page

SafeBrowz runs as a browser extension on Chrome, Firefox, and Edge. The moment a smishing link is opened in the browser, the three-layer detection model kicks in.

Layer 1 - Local checks (offline, instant). Bundled rules running inside the extension. They look for known smishing URL patterns (usps as a keyword on a non-usps.com TLD), suspicious TLDs (.xyz, .top, .live, .click), free-hosting destinations (*.vercel.app, *.netlify.app, *.pages.dev), and homograph or hyphen-stitched lookalikes (usрs[.]com with Cyrillic characters, usps-redelivery[.]com). The check completes in milliseconds without any network call.

Layer 2 - API checks (community + shortener unwrap + page fetch). If the URL slips past local checks, SafeBrowz queries Google Safe Browsing, a community-reported scam URL list, and a domain age lookup. URL shorteners (bit.ly, tinyurl.com, t.ly, urlkub.co, and any path-pattern-detected shortener) are unwrapped server-side so the verdict runs against the real destination instead of the shortener interstitial. Domain age under 30 days, suspicious WHOIS data, or a Google Safe Browsing hit pushes the verdict.

Layer 3 - AI deep scan (content + brand impersonation). The fetched page content is analyzed by a content-aware model that detects brand impersonation in 100+ languages. If the page renders the USPS eagle logo, the USPS blue and red color scheme, or text like "USPS tracking" or "Reschedule delivery" on a domain that is not usps.com or usps.gov, the page is flagged as brand impersonation. The same layer catches FedEx, UPS, DHL, Amazon, Royal Mail, India Post, Australia Post, and other carrier impersonations the same way.
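
The Layer 1 local checks described above apply the four URL patterns listed earlier under "Why the URLs look almost convincing". The Python sketch below is an added example, not SafeBrowz's code: the function names, reason strings, and the short confusable-character table are assumptions made for illustration, and the rule lists are copied from this article.

```python
import unicodedata
from urllib.parse import urlsplit

# Rule data copied from the lists in this article; illustrative, not a full blocklist.
OFFICIAL = ("usps.com", "usps.gov")
FREE_HOSTS = ("vercel.app", "netlify.app", "pages.dev", "github.io")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.ly", "urlkub.co")
RISKY_TLDS = ("xyz", "top", "live", "click")
# Cyrillic letters that render like Latin p c e o a x y i s (small sample, an assumption).
CONFUSABLES = str.maketrans(
    "\u0440\u0441\u0435\u043e\u0430\u0445\u0443\u0456\u0455", "pceoaxyis")


def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def to_unicode(host):
    """Decode xn-- (punycode) labels so lookalike characters become visible."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as written
        out.append(label)
    return ".".join(out)


def classify(url):
    """Return the reasons a URL matches a pattern; an empty list means no local hit."""
    url = url.strip().replace("[.]", ".")          # accept defanged indicators
    if "://" not in url:
        url = "https://" + url
    host = to_unicode((urlsplit(url).hostname or "").lower().rstrip("."))
    if any(under(host, s) for s in SHORTENERS):
        return ["shortener: destination hidden until unwrapped"]
    reasons = []
    for label in host.split("."):
        scripts = {unicodedata.name(c, "?").split()[0] for c in label if c.isalpha()}
        if len(scripts) > 1:
            reasons.append("mixed-script label: " + "/".join(sorted(scripts)))
    skeleton = host.translate(CONFUSABLES)         # fold lookalikes to Latin
    if any(under(skeleton, d) for d in OFFICIAL):
        return reasons + ["homograph of official domain"] if skeleton != host else []
    if any(under(skeleton, f) for f in FREE_HOSTS):
        reasons.append("free-hosting subdomain")
    if skeleton.rsplit(".", 1)[-1] in RISKY_TLDS:
        reasons.append("suspicious TLD")
    labels = skeleton.replace("-", ".").split(".")
    if "usps" in skeleton:
        reasons.append("usps keyword outside usps.com/usps.gov")
    elif any(len(l) == 5 and "usps" in (l[:i] + l[i + 1:] for i in range(5))
             for l in labels):
        reasons.append("one-letter lookalike of usps")
    return reasons
```

A shortener hit returns early because nothing about the real destination is known locally; that case is what the Layer 2 unwrap step is for.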

For users who do not want to install an extension, the same engine is exposed at the free public URL checker. Paste any link from a suspicious text, get a verdict in seconds, no login. For wallet and security apps that want to integrate, the same detection is available as an API at api.safebrowz.com/v1/detect at $0.001 USDC per call.

For organizations: how to protect your customers from this attack

If you operate a service that ships physical goods or sends transactional notifications, the smishing problem is your problem because your customers receive forgeries of your messages. Mitigations you control:

  • Publish your real sender numbers and domains. List them on your security page. "We text from short code XXXXX. We email from no-reply@yourdomain.com. Anything else is a forgery."
  • Use 10-digit long codes or short codes consistently. Frequent changes in sender numbers train customers to accept unfamiliar sender IDs as legitimate.
  • Set up DMARC, DKIM, and SPF on your sending domains. Email auth limits the attacker's ability to spoof your real email address, pushing them toward lookalike domains that customers can spot.
  • Run customer education campaigns proactively. A one-paragraph reminder in every order confirmation ("Your real tracking is at usps.com/track. Ignore any SMS asking for a redelivery fee") costs nothing and saves customer support volume.
  • If you have a customer service team, train them on the most common smishing patterns. Customers calling in panicked after clicking a link need clear instructions, not boilerplate "check your account."

The bigger picture

USPS smishing is one specific case of a broader problem: SMS is now the dominant channel for retail phishing because it bypasses the email security layer that everyone has spent twenty years hardening. The same attack pattern targets FedEx ("UPS package on hold"), Amazon ("Your order could not be confirmed"), Apple ("Your Apple ID was used to sign in"), Netflix ("Your subscription expired"), and government agencies ("IRS tax refund pending"). The visual and operational template is identical. The brand changes. The damage shape stays the same.

Until carriers implement universal STIR/SHAKEN-style sender authentication for SMS - which has been discussed since 2022 and remains incomplete - the defense burden falls on individuals and on the third-party tools they install. The 10-second check (do not click, open a fresh browser tab, go to the real site, verify there) is reliable but only if used every single time. Tools like the SafeBrowz extension and URL checker exist because human discipline is not actually consistent enough to defend against a daily, year-round, multi-billion-message attack volume.

Block smishing destinations automatically

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects USPS, FedEx, UPS, DHL, Amazon, and other smishing destinations the moment they load. The core protection is free forever. Premium adds drainer JavaScript detection and unlimited daily AI scans for $14.99 per year - or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. No install required to check a single link - the free public URL checker handles one-off cases.