A new smishing scam is targeting consumers via text messages pretending to be from USPS. The fraudulent texts state recipients have a package that couldn’t be delivered due to an incomplete address. The message provides a link to update your information so USPS can deliver your stuck package. However, the link sends users to a fake website designed to steal personal and financial data. This USPS “Your Package Is On Hold” phishing scam catches many victims off guard who urgently want their packages, tricking them into providing valuable details to scammers.
Continue reading to learn all about how this USPS phishing scam operates, how to identify fraudulent texts, what you can do if you unfortunately fell victim, and how to best protect yourself going forward.
USPS “Your Package Is On Hold” Scam Overview
The USPS “Your Package Is On Hold” phishing scam involves cell phone users receiving text messages pretending to be from the United States Postal Service. The texts inform the recipient that a package addressed to them has arrived at a USPS transit center but cannot be delivered due to an incomplete shipping address, invalid address details, or other fictitious address issues.
The fraudulent message then instructs the recipient to click on a link to a website in order to enter or correct their shipping address so that the Postal Service can complete delivery of the stalled package. However, the site linked in the text message is not a legitimate USPS site, but rather a sophisticated fake website designed by scammers to steal personal information and even install malware on victims’ devices.
This USPS scam is categorized as smishing, a form of phishing conducted through SMS text messaging. The texts originate from random phone numbers and email addresses not actually associated with the Postal Service. The messages are made to appear as if they are from USPS support teams or customer service to trick recipients into believing the notification is real.
The texts often start with “USPS” or “United States Postal Service” and some version of stating that a problem with the shipping address is preventing delivery. Two examples of the fraudulent USPS texts include:
- “USPS: Your shipment has arrived at the transit center, but due to an incomplete shipping address, your shipment has been placed on hold. [Malicious Link] Sincerely, USPS Customer Service.”
- “USPostal: Your package has arrived at the transit center, but we are unable to continue delivery due to missing address details. [Malicious Link] Best regards, The United States Postal Service.”
If a recipient clicks on the link, they are taken to a fake USPS site that looks like the real USPS site but has a slightly different web address. The scam websites are extremely convincing and sophisticated, formatted to mimic actual Postal Service sites with USPS logos, colors, graphics, and web links.
These imitation sites even have forms prompting the user to enter details like their name, address, phone number, and sometimes even financial information, account usernames, and passwords. All information entered on these fraudulent sites goes directly to the scammers behind the phishing scam.
Millions of these fake USPS texts are being sent to random phone numbers across the U.S. Most people receiving the messages do not have a package actually arriving and stuck in transit. The texts are sent out indiscriminately in the hope that some recipients will believe a real package is awaiting them.
For those who recently placed an online order for merchandise now anxiously awaiting their goods, the message incites even greater urgency and likelihood to comply with the call to action out of fear their items will be returned to sender. However, no matter the circumstances, the texts are always scams.
The USPS never communicates delivery issues via text, nor do they send links to sites outside of USPS.com. Any SMS messages or emails claiming to be Postal Service notifications regarding stalled packages or address problems are fraudulent. Unfortunately, many victims are falling for this trick and having their personal data compromised.
The scam is designed to collect user information for identity theft purposes and infect devices with malware. The scale of impacted individuals continues growing as more of these bogus texts are blasted out across the U.S. Protect yourself and stay vigilant by learning how to identify this USPS smishing scam and others like it.
How the USPS “Your Package Is On Hold” Scam Works
The USPS “Your Package Is On Hold” scam unfolds in several key stages:
1. Receiving the Fraudulent Text
The scam initiates with a smartphone user receiving an SMS text message stating that a package addressed to them has arrived at a USPS transit hub but cannot be delivered due to some shipping address issue.
The message will look like it comes from a legitimate USPS contact and often begins with “USPS” or “United States Postal Service.” The content informs the recipient that a package intended for delivery to them is stuck at a postal facility because the shipping label lacks a complete delivery address, contains inaccurate address details, or has some other unspecified address problem.
A couple of examples of the fraudulent text include:
- “USPS: Your package has arrived at our facility but is being held at our hub due to an incomplete shipping address label. Please visit: [malicious link] to update your delivery address so we can complete delivery of your package. Thanks, USPS Delivery Support.”
- “United States Postal Service: Our records indicate we have a shipment for you that cannot be delivered because of an invalid destination address. Please tap here: [malicious link] to verify and correct your shipping address so we can complete delivery of your package successfully. USPS Customer Service.”
The messages give an air of urgency to incentivize the recipient to take action. Terms like “incomplete,” “invalid,” or “on hold” imply the matter needs resolution quickly or the package may face return to sender.
The texts capitalize on typical consumer frustrations with postal delays and missing mail. For victims anxiously awaiting online orders or important items, the phrasing preys on such concerns.
2. Visiting the Fake USPS Site
If the recipient taps the link, they are taken to what appears to be an official USPS site. The scam webpage mirrors legitimate Postal Service sites very convincingly with USPS branding, colors, graphics, navigation links, and domain name.
However, upon closer inspection, subtle differences reveal the fraudulent nature of the site. While seeming close to the real USPS.com URL, the domain will contain additional words or odd strings of numbers and letters.
For example, instead of USPS.com/packageinquiry, the link may direct to USPSonline-packagedelivery457.com. The scam sites are hosted on domains registered and controlled by the scammers specifically for this phishing campaign.
Additionally, though the site looks remarkably similar to the real USPS site, the content itself is limited to just a few pages focused on the address update forms. No other true USPS site navigation or pages beyond the package delivery address update sections exist.
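The domain check described above can be automated. The following is an added example, not part of the original article: it pulls links out of a text message and tests whether each host really is USPS.com or one of its subdomains, rather than a domain that merely contains the name. The sample message and the `.example` domains are constructed for illustration, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "usps.com"  # per the article, real USPS links stay on USPS.com
BRAND = "usps"
# Undo common digit-for-letter swaps (5->s, 0->o, 1->l) before brand matching.
_DIGIT_SWAPS = str.maketrans("501", "sol")
_LOOKS_LIKE_LINK = re.compile(r"[\w-]\.[a-z]{2,}", re.I)
_EDGE_PUNCTUATION = "()[]<>\"'“”.,;:!?"

# Constructed sample, modelled on the wording quoted in the article.
SAMPLE_SMS = (
    "USPS: Your shipment has arrived at the transit center, but due to an "
    "incomplete shipping address, your shipment has been placed on hold. "
    "https://usps.com.track-update.example/addr Sincerely, USPS Customer Service."
)


def _mentions_brand(text):
    """True if the brand string appears once digit swaps and hyphens are undone."""
    squashed = text.lower().translate(_DIGIT_SWAPS).replace("-", "")
    return BRAND in squashed


def classify_link(link):
    """Return 'official', 'lookalike', 'other' or 'invalid' for one link."""
    # SMS links often omit the scheme; "//" makes urlsplit parse the host anyway.
    candidate = link if "://" in link else "//" + link
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
        userinfo = parts.username or ""            # text before "@" is not the host
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Exact match or a true subdomain. A plain substring test would wrongly
    # accept hosts such as "notusps.com" or "usps.com.track-update.example".
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    if _mentions_brand(host) or _mentions_brand(userinfo):
        return "lookalike"
    return "other"


def scan_sms(text):
    """Return (link, verdict) for every link-like token in a message."""
    results = []
    for token in text.split():
        token = token.strip(_EDGE_PUNCTUATION)
        if _LOOKS_LIKE_LINK.search(token):
            results.append((token, classify_link(token)))
    return results


if __name__ == "__main__":
    for link, verdict in scan_sms(SAMPLE_SMS):
        print(f"{verdict:10} {link}")
```

Only an "official" verdict means the link points at USPS.com. In a message that claims to come from USPS, both "lookalike" and "other" mean the link goes somewhere else.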
3. Submitting Information
The fraudulent USPS site contains forms prompting users to enter details to “correct” or “update” their address before the package can be released from the transit center and delivered. An example form may request the following data:
- Full name
- Phone number
- Email address
- Physical address
- USPS delivery zip code
- Package tracking number
- Additional package origin/destination details
If users enter this information, all their personal details and contact information go straight into the hands of scammers to be used for identity theft or sold on the dark web.
In some cases, the forms even ask for account login credentials, credit card numbers, social security numbers, or other highly sensitive information that enable financial fraud and account compromise.
4. Installing Malware
In addition to stealing entered data, some fake USPS sites linked in the smishing texts may attempt to download or install malware onto victims’ devices. The sites may feature pop-up windows to “update security settings” where users are prompted to click to download a file or enable external app permissions.
Granting such access can infect phones or computers with spyware, adware, keyloggers, info-stealing Trojans, and other malicious software designed to monitor activity and extract confidential information. The malware can secretly capture usernames, passwords, financial details, and other sensitive data, putting victims at significant risk.
How Scammers Use the Stolen Information
Once scammers behind the USPS smishing scam collect user information, it is leveraged for illicit activities like:
- Identity theft – Full names, addresses, birthdates, etc. are used to impersonate victims and commit fraud in their names.
- Phishing – Email addresses and phone numbers are added to phishing databases for distributing additional scam attempts.
- Financial theft – Bank account and credit card data enables scammers to steal funds or make unauthorized transactions.
- Account compromise – Login credentials allow scammers to directly access and take over the victim’s online accounts.
- Dark web sales – All collected data may be sold on the dark web to identity thieves and other cybercriminals, resulting in even more unknown fraud.
- Ransomware – Compromised personal data gives scammers leverage to launch ransomware campaigns or threats.
- Malware-based theft – Any malware installed extracts additional sensitive info over weeks or months that gets forwarded to the scammers.
- Spamming – In a final insult, victims’ email addresses are added to spam email lists for distribution of unwanted advertisements.
The cumulative effects of these fraud activities stemming from the initial USPS smishing scam can be extensive. A single piece of data like an email address or phone number enables a cascading sequence of criminal misuse and access to additional details. Victims suffer from compromised finances, identities, sensitive accounts, and devices in addition to time and effort resolving the fallout.
Difficulty Getting Help from USPS
Victims who realize they were scammed struggle to get assistance from USPS to recover from the fraud and misuse of their information. Since the attack did not actually occur on USPS systems or sites, the Postal Service has limited capability to aid victims.
USPS will try to take down the fraudulent domains pretending to operate on their behalf. However, plenty more mimic sites arise. The most USPS may offer are mail-forwarding or address change services to prevent physical mail fraud.
Victims are generally left attempting to resolve identity theft, financial fraud, and account access on their own through banks, credit bureaus, online merchants, and other providers. These processes to undo the damages inflicted can be tedious, stressful, and time-consuming.
This lack of help from USPS itself to rectify the phishing attack aftermath further exemplifies the separate systems and data breaches occurring here outside USPS infrastructure. By targeting random civilians not actually expecting packages, scammers maximize success while minimizing protective involvement by USPS against their mimicking scams.
What to Do If You Are Victimized By The USPS “Your Package Is On Hold” Scam
If you receive a text from USPS, UPS, FedEx, or any other delivery service claiming your package is stuck somewhere unless you enter your personal details, do not click the link or provide any information. However, if you did engage with the scam website and shared any data, here are important steps to take:
Do Not Provide Any More Information
If you realize you may have been fooled by a fake USPS site, immediately cease entering or submitting any additional personal data to the website. The more information given, the greater risk of identity theft and irreversible account access and financial theft. Strictly avoid further interaction with the fraudulent site.
Contact Banks and Financial Institutions
If any banking information, credit card numbers, account logins, or other financial data was shared on the phishing site, urgently alert those providers regarding potential compromise. Ask them to monitor for suspicious activity and enact heightened security protocols on your behalf.
Update passwords and enable two-factor authentication where possible to block scammers from accessing financial accounts. Request assistance disputing any unauthorized transactions conducted in your name.
Report Malicious Links and Domains
Notify trusted cybersecurity authorities regarding the fake USPS smishing texts and phishing site links. Provide phone numbers, web addresses, and any other details to assist their investigations in dismantling the scams. Recommended contacts include:
- Local police department fraud division
- FBI Cyber Crime Division: ic3.gov
- USPS Postal Inspectors: uspis.gov
- Internet Crime Complaint Center: ic3.gov
- Federal Trade Commission (FTC): reportfraud.ftc.gov
- Anti-Phishing Working Group: apwg.org
- SMS short code 7726 (spells SPAM)
Reporting the scam helps prevent continued victimization, aids tracking and prosecuting cybercriminals, and contributes to strengthening defensive measures across organizations.
Run Anti-Malware Scans
If prompted to download any files to your computer or phone from the fake USPS smishing site, conduct a full system scan using updated and trusted malware protection software. Scan all devices that accessed the scam links.
The scam sites may have stealthily seeded malware to extract more of your personal data in the background. Thorough scans can detect and quarantine such threats before additional damage occurs. Enable real-time protective monitoring as well for ongoing defense.
Reset All Account Passwords
If asked to enter any usernames or passwords on the phishing site, assume those credentials are compromised. Immediately reset the passwords of any accounts whose login information was entered.
Apply updated, unique passwords to every account connected to the details given to the scammers. Using a password manager helps create and organize strong credentials for each account. Enable two-factor authentication as well wherever possible.
Place Fraud Alerts and Freeze Credit
Since full personal information was likely exposed, report to the major credit bureaus (Equifax, Experian, TransUnion) that you were the victim of identity theft. Request fraud alerts be placed on your credit reports to flag suspicious activity. You can also proactively enact credit freezes to block scammers from opening unauthorized accounts in your name. Monitor credit reports carefully for signs of misuse.
Update Personal Information With Companies
Contact all providers that may have records containing the personal details handed to the phishing scam site and update your name, phone number, address, email, and other info. Creating new contact points prevents scammers from accessing existing accounts. Be sure to communicate only over known good channels, not via any information previously exposed.
Carefully Monitor Accounts and Credit
Remain extremely vigilant about reviewing all financial statements, online accounts, and credit reports to identify any indications of access or identity theft stemming from the scam. Precautionary monitoring may be necessary for years following significant personal data compromise. Consider enrolling in identity theft protection services as another layer of defense.
Is Your Device Infected? Check for Malware
If your device is running slowly or acting suspicious, it may be infected with malware. Malwarebytes Anti-Malware Free is a great option for scanning your device and detecting potential malware or viruses. The free version can efficiently check for and remove many common infections.
Malwarebytes can run on Windows, Mac, and Android devices. Follow the steps in the section below that matches the operating system of the device you want to scan.
Scan your computer with Malwarebytes for Windows to remove malware
Malwarebytes stands out as one of the leading and widely-used anti-malware solutions for Windows, and for good reason. It effectively eradicates various types of malware that other programs often overlook, all at no cost to you. When it comes to disinfecting an infected device, Malwarebytes has consistently been a free and indispensable tool in the battle against malware. We highly recommend it for maintaining a clean and secure system.
Download Malwarebytes for Windows
You can download Malwarebytes by clicking the link below.
MALWAREBYTES FOR WINDOWS DOWNLOAD LINK
(The above link will open a new page from where you can download Malwarebytes)
Install Malwarebytes
After the download is complete, locate the MBSetup file, typically found in your Downloads folder. Double-click on the MBSetup file to begin the installation of Malwarebytes on your computer. If a User Account Control pop-up appears, click “Yes” to continue the Malwarebytes installation.
Follow the On-Screen Prompts to Install Malwarebytes
When the Malwarebytes installation begins, the setup wizard will guide you through the process.
- You’ll first be prompted to choose the type of computer you’re installing the program on. Select either “Personal Computer” or “Work Computer” as appropriate, then click on Next.
- Malwarebytes will now begin the installation process on your device.
- When the Malwarebytes installation is complete, the program will automatically open to the “Welcome to Malwarebytes” screen.
- On the final screen, simply click on the Open Malwarebytes option to start the program.
Enable “Rootkit scanning”.
Malwarebytes Anti-Malware will now start, and you will see the main screen. To maximize Malwarebytes’ ability to detect malware and unwanted programs, we need to enable rootkit scanning. Click on the “Settings” gear icon located on the left of the screen to access the general settings section.
In the settings menu, enable the “Scan for rootkits” option by clicking the toggle switch until it turns blue.
Now that you have enabled rootkit scanning, click on the “Dashboard” button in the left pane to get back to the main screen.
Perform a Scan with Malwarebytes.
To start a scan, click the Scan button. Malwarebytes will automatically update its antivirus database and begin scanning your computer for malicious programs.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now scan your computer for browser hijackers and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check the status of the scan to see when it is finished.
Quarantine detected malware
Once the Malwarebytes scan is complete, it will display a list of detected malware, adware, and potentially unwanted programs. To effectively remove these threats, click the “Quarantine” button.
Malwarebytes will now delete all of the files and registry keys and add them to the program’s quarantine.
Restart your computer.
When removing files, Malwarebytes may require a reboot to fully eliminate some threats. If you see a message indicating that a reboot is needed, please allow it. Once your computer has restarted and you are logged back in, you can continue with the remaining steps.
Your computer should now be free of trojans, adware, browser hijackers, and other malware.
If your current antivirus allowed this malicious program on your computer, you may want to consider purchasing Malwarebytes Premium to protect against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow one of these steps:
- Run a computer scan with ESET Online Scanner
- Ask for help in our Windows Malware Removal Help & Support forum.
Scan your computer with Malwarebytes for Mac to remove malware
Malwarebytes for Mac is an on-demand scanner that can destroy many types of malware that other software tends to miss without costing you absolutely anything. When it comes to cleaning up an infected device, Malwarebytes has always been free, and we recommend it as an essential tool in the fight against malware.
Download Malwarebytes for Mac.
You can download Malwarebytes for Mac by clicking the link below.
MALWAREBYTES FOR MAC DOWNLOAD LINK
(The above link will open a new page from where you can download Malwarebytes for Mac)
Double-click on the Malwarebytes setup file.
When Malwarebytes has finished downloading, double-click on the setup file to install Malwarebytes on your computer. In most cases, downloaded files are saved to the Downloads folder.
Follow the on-screen prompts to install Malwarebytes.
When the Malwarebytes installation begins, you will see the Malwarebytes for Mac Installer which will guide you through the installation process. Click “Continue”, then keep following the prompts to continue with the installation process.
When your Malwarebytes installation completes, the program opens to the Welcome to Malwarebytes screen. Click the “Get started” button.
Select “Personal Computer” or “Work Computer”.
The Malwarebytes Welcome screen will first ask you what type of computer you are installing this program on. Click either Personal Computer or Work Computer.
Click on “Scan”.
To scan your computer with Malwarebytes, click on the “Scan” button. Malwarebytes for Mac will automatically update the antivirus database and start scanning your computer for malware.
Wait for the Malwarebytes scan to complete.
Malwarebytes will scan your computer for adware, browser hijackers, and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Quarantine”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malware that Malwarebytes has found, click on the “Quarantine” button.
Restart computer.
Malwarebytes will now remove all the malicious files that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your computer.
Your Mac should now be free of adware, browser hijackers, and other malware.
If your current antivirus allowed a malicious program on your computer, you might want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future.
If you are still experiencing problems while trying to remove a malicious program from your computer, please ask for help in our Mac Malware Removal Help & Support forum.
Scan your phone with Malwarebytes for Android to remove malware
Malwarebytes for Android automatically detects and removes dangerous threats like malware and ransomware so you don’t have to worry about your most-used device being compromised. Aggressive detection of adware and potentially unwanted programs keeps your Android phone or tablet running smooth.
Download Malwarebytes for Android.
You can download Malwarebytes for Android by clicking the link below.
MALWAREBYTES FOR ANDROID DOWNLOAD LINK
(The above link will open a new page from where you can download Malwarebytes for Android)
Install Malwarebytes for Android on your phone.
In the Google Play Store, tap “Install” to install Malwarebytes for Android on your device.
When the installation process has finished, tap “Open” to begin using Malwarebytes for Android. You can also open Malwarebytes by tapping on its icon in your phone menu or home screen.
Follow the on-screen prompts to complete the setup process
When Malwarebytes opens, you will see the Malwarebytes Setup Wizard which will guide you through a series of permissions and other setup options.
This is the first of two screens that explain the difference between the Premium and Free versions. Swipe this screen to continue.
Tap on “Got it” to proceed to the next step.
Malwarebytes for Android will now ask for a set of permissions that are required to scan your device and protect it from malware. Tap on “Give permission” to continue.
Tap on “Allow” to permit Malwarebytes to access the files on your phone.
Update database and run a scan with Malwarebytes for Android
You will now be prompted to update the Malwarebytes database and run a full system scan.
Click on “Update database” to update the Malwarebytes for Android definitions to the latest version, then click on “Run full scan” to perform a system scan.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now start scanning your phone for adware and other malicious apps. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Remove Selected”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes for Android has detected. To remove the malicious apps that Malwarebytes has found, tap on the “Remove Selected” button.
Restart your phone.
Malwarebytes for Android will now remove all the malicious apps that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your device.
Your phone should now be free of adware, browser hijackers, and other malware.
If your current antivirus allowed a malicious app on your phone, you may want to consider purchasing the full-featured version of Malwarebytes to protect against these types of threats in the future.
If you are still having problems with your phone after completing these instructions, then please follow one of these steps:
- Restore your phone to factory settings by going to Settings > General management > Reset > Factory data reset.
- Ask for help in our Mobile Malware Removal Help & Support forum.
Frequently Asked Questions About the USPS “Your Package Is On Hold” Scam
What is the USPS “Your Package Is On Hold” scam?
This is a smishing (SMS phishing) scam where victims receive a text message claiming to be from USPS stating that they have a package that couldn’t be delivered due to an incorrect shipping address. The message contains a malicious link that leads to a fake USPS site designed to steal personal information.
How does the scam work?
You receive a text claiming to be from USPS informing you about an undelivered package. It says you must click a link and enter your information to correct the address so USPS can deliver your package. The link goes to a fake website impersonating USPS and collects your data.
What information do scammers aim to get?
Scammers want your full name, physical address, phone number, email address, passwords, financial information, and any other personal details they can gather by fooling you into entering it on their phishing site.
What do scammers do with my information?
Scammers use your details for identity theft, accessing accounts, and financial fraud. They may sell it online or use it themselves to impersonate you and commit crimes in your name. Your data is now in the hands of criminals.
Why does USPS need me to update address details online?
USPS does not contact customers via unsolicited texts with links to non-USPS websites. They communicate postal issues through official channels only after you initiate contact. Any SMS messages about an undelivered package requiring your immediate address update are scams.
How do I tell if a USPS notification is legitimate?
Real USPS texts will come from a verified USPS number only. They will never contain links outside of USPS.com or request personal details to correct address problems. Contact USPS directly if you have delivery concerns.
I entered my details, what now?
If you shared any personal or financial information, immediately contact those providers to lock down accounts. Watch for fraudulent activity in your name. Enable credit freezes and fraud alerts. Scan devices for malware and reset all account passwords as a precaution.
Can USPS help me if I was scammed?
Unfortunately, USPS has limited capability to aid scam victims since the fake texts/sites are not within their systems. They may attempt shutting down fraudulent domains impersonating them but cannot restore compromised data. Managing fallout is up to individual victims.
How can I protect myself from future scams?
Be wary of texts claiming to be from USPS, UPS, FedEx or others with links requiring you to enter any personal data. Verify the sender’s number first. Never click links or provide information without confirming validity on official sites. Use unique passwords and enable two-factor authentication where possible.
Conclusion
The USPS “Your Package Is On Hold” smishing scam poses serious risks to anyone fooled into clicking the phishing links and submitting their information. These fraudulent text messages and fake websites are intentionally convincing, making it easy to fall victim.
However, being aware of their tactics and following recommended precautions can help you avoid getting swindled. Legitimate delivery notifications will only come from verified sources and numbers. Critically analyzing any communications can expose red flags like odd links, typos, threats, or requests for sensitive data.
If unfortunately deceived, rapidly contact banks, account providers, and credit agencies regarding potential identity theft and account compromise stemming from the breached information. Place fraud alerts, reset account passwords, monitor for suspicious activity, and thoroughly scan devices.
Report all details about the scam instances to cybersecurity authorities. The most vital defense remains exercising extreme caution when contacted over digital channels and never clicking links or entering data unless certain of their authenticity. With vigilance and safe online practices, customers can steer clear of phishing scams while still taking advantage of convenient communications and package tracking from reliable delivery carriers.