Beware of the USPS “Package has Arrived at the Warehouse” Scam

The United States Postal Service (USPS) is warning customers about a new text message and email phishing scam telling recipients that a package requiring address confirmation has arrived at a warehouse. Scammers are sending out fake USPS alerts claiming “The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information,” along with a fraudulent link to redirect victims and steal their personal and financial information.

This article provides an in-depth overview of how the “USPS Package has Arrived at the Warehouse” scam works, what to watch out for, step-by-step details on the scam process, advice for victims, and key takeaways to avoid falling for this or similar parcel delivery cons.

Overview of the Scam

The “USPS Package has Arrived at the Warehouse” phishing scam is a new form of fraud seeking to steal sensitive personal and financial information from victims under false pretenses. Scammers are sending out official-looking text messages and emails stating that an undeliverable package intended for the recipient has arrived at a postal service warehouse facility.

The messages claim address issues are preventing the United States Postal Service (USPS) from completing delivery of this non-existent parcel. Links included redirect users to convincing but fake USPS websites asking visitors to enter details like their name, home address, email, phone number, Social Security Number, credit card info, and more under the guise this will allow postal workers to resend the stalled package.

In reality, these fraudulent USPS-branded sites are controlled by scammers who harvest all submitted user information. Criminals then either exploit the stolen data themselves for illicit purposes like identity theft or sell it for profit on dark web marketplaces to shady buyers planning similar schemes.

This widespread scam is also known by other tricky names intended to lure in victims expecting real packages, including:

  • USPS “Redelivery” scam
  • USPS “We ReDeliver for You” scam
  • USPS “Package Available for Pickup” scam
  • USPS “Unable to Deliver Your Package” scam

It preys on the flood of ecommerce deliveries and reliance on postal carriers like USPS to deploy urgent-sounding alerts using real company branding and messaging. The goal is tricking trusting recipients into believing a parcel intended for them has hit an address-related delivery snag that can be fixed by submitting personal details.

In reality, unsuspecting users who take the bait by clicking on links and entering any information or payments on the fake sites inevitably have their details swiped for exploitation by scammers.

Let’s break down how this scam works.

How the USPS “Package Arrived at Warehouse” Scam Works

The USPS “Package Arrived at Warehouse” scam unfolds in several key stages. Here is a step-by-step breakdown of how the con operates:

Step 1: Victims Receive a Phishing Text or Email

Victims receive an SMS text message or email supposedly from USPS, but actually from scammers.

Here is an example of the phishing alert:

“USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link within 12 hours. https://uisp.top/(Then instructions to open the link). The US Postal team wishes you a wonderful day!”

The messages are made to look official using USPS branding and messaging about an undelivered parcel requiring address confirmation before reattempting delivery.

In other cases, the texts or emails claim users must pick up the stalled package from a postal facility warehouse. These lies add legitimacy and urgency to convince recipients to click the link.

Step 2: Victims Click on the Fraudulent Link

If the recipient clicks the fraudulent link, they are redirected from the phishing text/email to a fake USPS site controlled by scammers.

The misleading domains often feature “USPS” in the URL or use misspelled lookalike URLs to appear to direct to a real postal service webpage.

For example:

  • ussp.com
  • uspss.com
  • usps-com.net
  • uspsverification.com

These fake sites display USPS logos and webpages mimicking legitimate USPS parcel tracking/update services.

Step 3: Victims Attempt to Reschedule Delivery or Update Their Address

The fake USPS site displays messages continuing the phishing premise that victims must enter or confirm their personal details for a package to be redelivered after failing to reach them initially.

Scam webpages emphasize verifying user address profiles so the stalled parcel can be dispatched again quickly from the warehouse where it is supposedly awaiting corrected delivery coordinates.

The sites prompt visitors to input information like:

  • Full name
  • Home address
  • Email address
  • Phone number
  • Social Security Number
  • Credit card number

Victims are led to believe inputting these details will allow USPS to resend the undelivered package to the now “updated” destination address.

Of course, the parcel does not actually exist, and inputted data is harvested by scammers rather than reaching legitimate USPS databases.

Step 4: Victims Pay a Small “Redelivery” Fee

In addition to stealing entered personal information, some scam versions also persuade victims to pay a small “redelivery” fee.

These cons claim another attempt to ship the imaginary package requires a ~$0.30 charge to restart the dispatch process from the warehouse address correction phase.

The scam checkout pages even mimic USPS’s actual redelivery service ordering system. Below is an example requesting credit card details to process a fake $3 charge:

Order Summary
United States Postal Service
Order Total:   $0.20
Handling:      $0.10
Total:         $0.30
Billing Information
[Requested credit card fields]

This secondary payment phase allows scammers to directly profit by stealing financial information on top of collecting personal data.

Step 5: Criminals Exploit or Sell the Stolen Information

Once scammers have extracted enough personal and financial information from victims via the fake USPS domains, they either exploit it themselves or sell it on dark web marketplaces.

Identity thieves use the names, addresses, SSNs, etc. to open fraudulent lines of credit under victims’ names or for other types of identity fraud.

Stolen financial data gets sold to other criminals to make unauthorized purchases or cloned onto fake cards still attached to the victim’s account credentials.

Either way, users whose data gets phished via this scam inevitably end up the targets of additional frauds and theft.

How to Spot “USPS Package Arrived at Warehouse” Scam Messages

With phishing texts and emails becoming increasingly sophisticated, avoiding falling victim requires awareness of some of the core traits that can help recipients identify fraudulent parcel alerts before potentially exposing personal data.

There are certain common red flags in scam USPS notifications that should automatically prompt skepticism and extra verification before clicking on links or attachments. Spotting a few core red flags can save consumers from compromising sensitive information.

Here are 5 key indicators to recognize likely phishing attempts masquerading as legitimate USPS parcel delays requiring user action:

1. Missing/Incorrect Contact Information

Genuine alerts from postal carriers will always include proper official business names, mailing addresses, websites, phone numbers, and other verified contact information.

Scam parcel alerts fail to include specifics beyond simple “USPS” branding with no verifiable physical address or customer service number.

Without an address or phone number to confirm validity, any email, text, or mailer claiming an association with USPS should be considered suspicious.

2. Poor Grammar/Spelling Errors

Phishing texts and emails often contain typos, awkward phrasing, grammatical errors, and other indicators of non-native English speaking scammers.

If a shipping notification from an established company like USPS seems riddled with poor linguistic construction or outright misspelled words, treat it as a likely fraudulent communication.

Any legitimate corporation should relay professional level writing in all customer correspondences.

3. Generic Greetings/Missing Personal Details

Another giveaway is greetings that fail to address the recipient by name and instead begin generically with “Valued Customer”, “Sir/Madam”, etc.

Additionally, details about the supposedly undelivered package itself tend to be vague or completely missing from these phishing scam parcel alerts.

Rather than giving your name, a tracking number, the carrier, origin and destination postal codes, or a description of the stuck item, scam texts and emails stay ambiguous.

If there are no personal or logistical details pertaining directly to your name and your actual pending postal order, consider it a fraudulent alert.

4. Suspicious Links

Scrutinize the actual website URLs closely if any are included. As covered earlier, misleading links direct victims to convincing mockups of legitimate sites, which harvest the entered data and are themselves served over HTTPS.

However, subtle use of misspelled or made up URLs specifically incorporating “USPS” or other official branding keywords can sometimes reveal their fraudulent nature upon closer inspection.

Hover over rather than directly clicking links when possible as another precaution.

5. Requests for Sensitive Information

No credible delivery carrier would request private account or identification details purely to remedy an address issue preventing delivery to a confirmed existing customer.

Seeing upfront demands for sensitive inputs like credit cards, Social Security numbers, email account credentials, etc. suggests attempted fraud rather than a typical ecommerce order update procedure. Refrain from directly entering any form of sensitive personal or financial information in response to an unsolicited parcel alert.

Identifying Fraudulent USPS Websites

Beyond suspicious texts and emails, the fraudulent links enclosed redirect to convincingly designed imposter USPS websites under the full control of scammers. Preying on victims anxiously expecting real packages, these fake sites encourage entering enough personal information under the parcel delivery ruse to open doors to identity theft and financial fraud.

However, some closer structural examination coupled with common sense can expose misleading elements useful in confirming scam websites masquerading as legitimate Postal Service interfaces.

Here are 5 primary indicators signaling likely fraudulent USPS-branded landing pages:

1. Non-Official Domains

As outlined previously, fake site URLs often contain red flag character strings like:

  • ussp.com
  • uspss.com
  • usps-com.net
  • uspsverification.com

Misspelled or altered versions of the official website name that contain “USPS” or “United States Postal Service” keywords are a strong sign of fraud.

Links should point exclusively to the usps.com domain, since only those lead to web pages actually managed by the Postal Service.

2. Missing Security Indicators

All legitimate USPS account tools would enable HTTPS browser encryption indicated by green padlock icons or highlighting of the protocol within the URL itself.

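A page that lacks transport encryption is not an official USPS site, and anything typed into it is more exposed to interception. The reverse does not hold: as noted under “Suspicious Links”, scam pages are also served over HTTPS, so a padlock on its own does not show that a site is genuine.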

3. Spelling/Grammar Issues

Much like their phishing prompt messages, fraudulent websites also give themselves away via slipshod English writing quality and outright misspellings.

Poor grammar, repeated words, awkward sentences, misplaced punctuation, and typos point to overseas scam operations that lack the fluency to craft convincing domestic corporate messaging.

Any Postal Service customer interface should demonstrate clear professional level writing if legitimate.

4. Minimalistic Design

Fraudulent sites also fail to match the sophisticated frontend and backend programming legitimate multi-billion dollar delivery giants can invest in.

Thus, fake USPS pages often showcase limited functionality beyond harvesting user-entered data. Blurred images, broken menus, limited browsing options, flashing ads, and weak visual design expose low-budget scam works.

5. Requests for Sensitive Data

Potentially most telling are context-inappropriate demands for financial accounts, Social Security digits, card info, etc. just to regain delivery of an existing parcel delayed by address issues.

Real USPS may require entering some contact data for notifications, but they enable mail forwarding, hold orders, redelivery, and other options without needing private inputs like bank passwords or IDs.
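The domain check from “Non-Official Domains” above, as an added example that is not part of the original article: it pulls every link out of a message, parses the hostname, and accepts only usps.com and its subdomains. The function names, the verdict labels and the two messages marked as constructed are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "usps.com"  # the one domain the article says genuine links use
LINKISH = re.compile(r"(https?://|[a-z0-9-]+\.[a-z]{2,})", re.I)

# Messages quoted in the article, plus two constructed ones (marked).
SAMPLES = [
    "USPS package has arrived at the warehouse and cannot be delivered due to "
    "incomplete address information. Please confirm your address in the link "
    "within 12 hours. https://uisp.top/(Then instructions to open the link).",
    "USPS: Your package arrived but the delivery address is incomplete. Please "
    "verify your full address here within 24 hours: usps-addresscon.com",
    "USPS: track your parcel at https://www.usps.com/manage",          # constructed
    "Confirm at https://usps.com@parcel-update.example/track today.",  # constructed
]

def hosts_in(message):
    """Hostnames of every URL or bare domain found in a message."""
    hosts = []
    for token in message.split():
        token = token.strip("“”\"'.,;:!?()<>[]")
        if not LINKISH.match(token):
            continue
        try:
            # Parse instead of substring-matching: the host is what follows any
            # "user@" part, so "usps.com@other.example" resolves to other.example.
            host = urlsplit(token if "://" in token else "http://" + token).hostname
        except ValueError:
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(host):
    """The allowlist decides; the other labels only explain why a host failed it."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    if "usps" in host.replace("-", ""):
        return "brand-in-host"   # e.g. usps-com.net, uspsverification.com
    if any(osa_distance(label, "usps") <= 1 for label in host.split(".")):
        return "near-miss"       # e.g. ussp.com (two letters swapped)
    return "off-domain"

def review(message):
    """(host, verdict) for every link in the message that is not on usps.com."""
    return [(h, classify(h)) for h in hosts_in(message) if classify(h) != "official"]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(review(msg) or "only usps.com links", "<-", msg[:40])
```
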

What to Do If You Are a Victim

If you entered any sensitive personal, financial, or contact information into a fake USPS “Package Arrived at Warehouse” phishing site before realizing it is a scam, here are important steps to take right away:

  • Contact your bank/credit card company: If you paid any redelivery fee or entered full card data, immediately inform your bank and credit card company. Report any charges as fraudulent and work to freeze accounts, block payments, and get compromised cards canceled and replaced.
  • Place a fraud alert on your credit: Contact one of the three major credit bureaus (Equifax, Experian, TransUnion) to place an initial 90-day credit fraud alert on your account. This flags your credit as potentially compromised so lenders must verify your identity before approving new lines of credit. Also order a free credit report to check for any signs of existing fraud.
  • Monitor accounts closely: Keep an eagle eye on bank account and credit card statements over the following months for any signs of unauthorized access or activity. Report anything suspicious promptly to limit liability from fraudulent charges or transfers. Sign up for account alerts as well.
  • Change account passwords: If you used an existing password for any site the fake USPS domain had you sign into, change it immediately. Use strong, unique passwords for every account going forward to limit fallout from credential compromise. Enable two-factor authentication anywhere possible as well.
  • File an FTC complaint: Report details about the scam attack, including the malicious link, to the Federal Trade Commission so they can investigate and warn other consumers. This also helps authorities track and disrupt phishing networks.

Being proactive to lock down accounts, monitor credit reports, create new secure passwords, etc. helps limit damages from phished personal information. But acting quickly is key before fraudsters can leverage stolen data on the dark web or to open illicit lines of credit.

Frequently Asked Questions About the USPS “Package Arrived” Smishing Scam

This FAQ provides key information and tips for consumers regarding the latest USPS “package arrived” smishing phishing scam requesting personal information. Learn more about identifying and reporting these fraudulent text messages.

What is the USPS “package arrived” smishing scam?

This scam involves fake text messages pretending to be from USPS stating a package arrived but the address is incomplete, so it can’t be delivered. A link is provided to confirm your address, but it leads to a phishing site stealing entered personal and financial data.

What do the fake USPS “package arrived” texts say?

Common fake message examples include:

  • “USPS: Your package arrived but the delivery address is incomplete. Please verify your full address here within 24 hours: usps-addresscon.com”
  • “Your postal parcel arrived at our facility but we do not have your full address to deliver it. Kindly submit your updated address at: uspackagedelivery.net”
  • “Attention USPS Customer: A package shipped to you has arrived but we only have a partial address on file. Confirm info via: uspsaddressfix.com”

What happens if you click the link in the text?

The phishing link in the USPS smishing texts directs victims to elaborate fake websites pretending to be USPS delivery address confirmation portals. Victims then input personal details like names, numbers, account info, and even Social Security digits, all of which get stolen.

How can you spot fake USPS smishing texts?

Be wary of texts with:

  • Unknown local phone numbers
  • Odd links to misspelled websites
  • Requests for personal/financial data
  • Threats of delivery cancellations
  • Poor grammar/spelling errors

What should you do about suspicious USPS texts?

If the text appears fake:

  • Avoid clicking links or entering information
  • Forward for investigation to SPAM (7726)
  • Report it directly to USPS by email
  • Monitor accounts if previously exposed

How can you avoid falling for smishing?

Tips to avoid smishing scams:

  • Never click links in odd texts
  • Independently verify urgent requests
  • Use multi-factor authentication
  • Pay attention to senders and links
  • Report scam texts to proper contacts

What should you do if you entered info?

If you input any data into scam sites:

  • Immediately contact banks about compromised cards
  • Reset passwords on affected accounts
  • Sign up for credit monitoring to detect fraud
  • Closely inspect statements and credit reports
  • Avoid communications claiming to recover losses

Stay vigilant of new USPS smishing scams stealing personal information. Use caution with texts from unknown numbers and do not provide data through unverified links.

The Bottom Line

The USPS “Package Arrived at Warehouse” phishing scam uses deceptive branding, fake tracking updates, and requests for address profile “corrections” in order to steal users’ personally identifiable and financial information.

Victims who input the requested details into scam webpages believing this will allow a real undelivered package to be redispatched face risks of identity theft or direct financial fraud.

Anyone receiving suspicious text messages or emails claiming to be from USPS requiring personal information—especially with regard to a non-existent stalled or undeliverable parcel—should delete the messages immediately without clicking links or responding.

How to Stay Safe Online

Here are 10 basic security tips to help you avoid malware and protect your device:

  1. Use a good antivirus and keep it up-to-date.

    It's essential to use a good quality antivirus and keep it up-to-date to stay ahead of the latest cyber threats. We are huge fans of Malwarebytes Premium and use it on all of our devices, including Windows and Mac computers as well as our mobile devices. Malwarebytes sits beside your traditional antivirus, filling in any gaps in its defenses, and providing extra protection against sneakier security threats.

  2. Keep software and operating systems up-to-date.

    Keep your operating system and apps up to date. Whenever an update is released for your device, download and install it right away. These updates often include security fixes, vulnerability patches, and other necessary maintenance.

  3. Be careful when installing programs and apps.

    Pay close attention to installation screens and license agreements when installing software. Custom or advanced installation options will often disclose any third-party software that is also being installed. Take great care in every stage of the process and make sure you know what it is you're agreeing to before you click "Next."

  4. Install an ad blocker.

    Use a browser-based content blocker, like AdGuard. Content blockers help stop malicious ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not stop.

  5. Be careful what you download.

    A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather.

  6. Be alert for people trying to trick you.

    Whether it's your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it's easy to spoof phone numbers, so a familiar name or number doesn't make messages more trustworthy.

  7. Back up your data.

    Back up your data frequently and check that your backup data can be restored. You can do this manually on an external HDD/USB stick, or automatically using backup software. This is also the best way to counter ransomware. Never connect the backup drive to a computer if you suspect that the computer is infected with malware.

  8. Choose strong passwords.

    Use strong and unique passwords for each of your accounts. Avoid using personal information or easily guessable words in your passwords. Enable two-factor authentication (2FA) on your accounts whenever possible.

  9. Be careful where you click.

    Be cautious when clicking on links or downloading attachments from unknown sources. These could potentially contain malware or phishing scams.

  10. Don't use pirated software.

    Avoid using Peer-to-Peer (P2P) file-sharing programs, keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.

To avoid potential dangers on the internet, it's important to follow these 10 basic safety rules. By doing so, you can protect yourself from many of the unpleasant surprises that can arise when using the web.