Have you received a suspicious text message claiming to be from the U.S. Postal Service (USPS) saying they can’t deliver your package due to an invalid zip code? Don’t click any links – it’s a scam designed to steal your personal information and money.
Scam Overview
This scam starts with a text message claiming to be from USPS, stating that there is a problem delivering your package because the zip code is invalid. The message includes a link for you to “confirm your zip code information”. However, the link leads to a fake USPS website that steals your personal details.
The detailed scam process involves the following steps:
- You receive a text claiming to be from USPS about an invalid zip code preventing delivery of your package.
- The text includes a link to “verify your zip code information”.
- Clicking the link opens a fake USPS website asking you to enter personal details to “confirm your mailing address”.
- The site requests your full name, DOB, phone, home address, and sometimes SSN.
- You submit the data thinking it confirms your identity with USPS to release the package.
- The fake site then requests a small $2-$5 “redelivery fee” and your credit card details.
- Unknowingly, the personal details and credit card is sent directly to scammers.
- Scammers steal your information for identity theft and make fraudulent purchases.
This seamless process tricks victims into willingly handing over personal data and credit cards to scammers under the guise of a USPS delivery issue.
The scam is possible because the fake USPS site looks identical to the real USPS website. The convincing design and official branding fools victims into believing the site is legitimate.
Scammers register lookalike domains imitating the real USPS website to build plausibility. For example, using “usps-verify.com” instead of the official “usps.com”.
This domain name trickery assists the scam in passing as authentic USPS correspondence.
Why Scammers Target USPS
Scammers impersonate trusted brands like USPS to exploit public perception for profit. USPS is an ideal scam target because:
- USPS delivers over 480 million packages per year, so package delivery scams seem believable.
- USPS is a federal service familiar to all Americans, giving it automatic legitimacy.
- Concerns about missing mail make people more prone to verify situations with USPS.
- USPS tracking features condition people to check delivery status via links.
The broad familiarity and concern surrounding USPS package delivery enables scammers to cast a wide net with package-related scams.
When USPS is undergoing actual service delays or suspensions, scams become even more effective at capitalizing on public uncertainty.
Data Theft Goals
The USPS invalid zip code scam aims to steal two key types of personal data:
1. Contact and Identity Information
Full name, phone, home address, date of birth, and SSN are requested on the fake site.
Scammers use this contact and identity data to commit identity theft and wider fraud. Commonly stolen details include:
- Full Name – Enables identity impersonation and account access.
- Phone – Used to reset passwords and access accounts.
- Home Address – Assists opening fraudulent accounts.
- Date of Birth – Verifies identity and enables account takeover.
- SSN – The holy grail for full identity theft and financial fraud.
2. Credit Card Details
To complete the scam, victims must submit a credit card to pay the redelivery fee. Scammers steal this payment card data to make fraudulent purchases or resell on the dark web.
Once the scammers have your credit card number, expiration date, and CVV, they can freely use the card or make clones to rack up fraudulent charges in your name.
Scale of the Problem
The USPS invalid zip code scam exploded over 2021, with millions of Americans receiving the phishing texts.
According to USPS, scam texts impersonating them jumped by over 300% in 2021 compared to 2020. Over 10 million Americans lost money to scams feigning as USPS texts.
As scam text messages broadly increased by 850% from 2020 to 2021, USPS scams rode the rising tide.
The growing scam scale indicates how low-friction text messaging is for scammers to blast out phishing attempts en masse. Cheap, fast, and easy.
This scam is nationwide, with victims in every state reporting losses to the USPS invalid zip code scam through 2021. Nowhere is safe.
And reports to the FTC show the scam volume increasing month over month, with no signs of slowing.
Authorities struggle to tackle text scams compared to email, as tracing SMS origin points is near-impossible. For now, the scam continues unchecked.
How The Scam Works
The USPS invalid zip code scam ensnares victims through a coordinated process designed to extract personal information and credit card details. Here is how it works step-by-step:
1. You Receive The Scam Text
The scam starts with an SMS text message sent to your phone appearing to come from USPS.
The message claims there is an issue with a package meant for delivery to you. Specifically, that the postal service can’t verify or accept your address due to an invalid zip code.
Here is an example of the scam text:
U.S. Post: You have a USPS parcel being cleared, due to the detection of an invalid zip code address, the parcel cannot be cleared, the parcel is temporarily detained, please confirm the zip code address information n the link within 24 hours.
https://usps-verify.com
Please reply with a Y, then exit the text message and open it again to activate the link, or copy the link into your Safari browser and open it
Have a great day from the USPS team!The text content implies USPS has a package meant for you that cannot be delivered due to a zip code mix-up.
Urgency is introduced by stating the package will only be held for 24 hours until the zip code is fixed. This pressures victims to act quickly.
A legitimate looking link is provided to supposedly verify and fix the zip code issue.
The scam text sender ID spoofs a real local USPS phone number. This tricks your phone into displaying the text as authentically sent from your local post office.
2. You Click The Link
If you click the link on your iPhone, it will open the Safari app and load the phishing site.
Alternatively, the scammers try to get you to reply “Y” then reopen the text message. This forces your phone to convert the dead link into an active clickable link inside the iPhone messaging app specifically.
Either way, the goal is getting you to click the link to open the phishing site.
3. You Are Sent To A Fake USPS Site
Clicking the link sends you to a scam USPS site instead of the real USPS website.
The fake site is completely under the scammer’s control but disguises itself as the official USPS site through:
- USPS branding, logos, graphics, and web design mimicking the real site.
- A URL designed to imitate the real USPS domain. For example, “USPS-verify.com” not “USPS.com”.
- Scannable fake USPS QR code graphics.
- USPS trademark and copyright references.
This convincing look and feel fools victims into believing they are on the actual USPS site.
4. You Are Asked To Enter Personal Information
The fake site displays a form asking you to enter personal details to “verify and correct the zip code problem” for your package delivery.
Details requested include your:
- Full name
- Phone number
- Home address
- Date of birth
Some versions of the scam also ask for your full Social Security Number.
The form claims this information is required to validate your identity, match it against postal records, and fix the zip code issue.
In reality, the details go straight to the scammers.
5. You Are Asked To Pay a Redelivery Fee
After submitting your personal information, the scam site displays another form stating a small redelivery fee is required to process the zip code change and ship your package.
This is the trap to steal your credit card details.
The form asks for:
- Credit/debit card number
- Card expiration date
- Card CVV code
And requests a $2 – $5 payment for the fictional redelivery fee.
This nominal fee makes the scam seem harmless and routine. But paying it hands your credit card details directly to scammers.
6. The Scammers Steal Your Details
Whether you entered personal info only or also submitted payment card details, all data entered on the site flows directly to the scammers.
Your contact, identity, and credit card information is harvested and used for:
- Committing identity theft in your name
- Making purchases with your stolen payment card info
- Resale of your information on the dark web black market
With your name, DOB, SSN, address, etc. the scammers can open fraudulent accounts and apply for loans or credit cards as if they were you.
Your credit card details are quickly used to make online purchases before you can notice and report the fraudulent charges. Criminals maximize the use of stolen cards in short bursts before discards.
Full identity and payment card information sets fetch high prices on dark web marketplaces frequented by cybercriminals.
Once stolen, your data can circulate indefinitely fueling a chain of downstream fraud. Making you a perpetual victim.
7. How Scammers Hide Their Trail
Spoofing the USPS branding, trademarks, and website design tricks victims but also disguises the scam from authorities.
The fake site domains impersonating USPS are continuously rotated to avoid blacklisting and takedowns. New domains pop up as old ones are shut down.
Text messages originate from burner phones using spoof SMS services to mask the real sending device. Calls and texts can’t be traced back to any individual scammer.
Stolen payment card funds are rapidly cashed out via cryptocurrency tumblers and offshore e-wallets disconnected from bank accounts or IDs.
These techniques allow scammers to operate anonymously and evade law enforcement interference.
What To Do If You Are Scammed
If you already submitted personal information or credit card details to the USPS invalid zip code scam, here are the key next steps to take:
1. Contact Banks And Close Compromised Accounts
If you gave card information, immediately call your bank to report fraudulent charges or close compromised accounts completely. Stop payments on the card to limit losses.
Alert your credit card provider to reverse any charges from scammers and issue a new card. Update other services using saved card data.
2. Place Fraud Alerts On Your Credit Reports
Contact Equifax, TransUnion, and Experian to place a 90-day initial fraud alert on your credit file. Avoid opening any new lines of credit until identity theft checks are complete.
Renew the 90-day fraud alert after the first period for ongoing protection.
3. Monitor Your Accounts Closely
Watch your financial accounts like a hawk for signs of misuse of your personal information over the next 12-24 months.
Report unauthorized transactions or accounts opened in your name quickly to limit damage. Promptness is key to curtailing identity theft.
Enable text or email alerts on all accounts whenever possible to monitor activity in real time. Review each notification.
4. Change Online Account Passwords
Reset passwords on all online accounts using that password elsewhere as a precaution. Avoid reusing passwords between accounts.
Use strong unique passwords for every account utilizing a password manager. Enable two-factor authentication (2FA) for added security.
5. File Reports With Relevant Agencies
Submit an identity theft report with the FTC detailing the scam specifics. Provide the same report when disputing fraudulent accounts opened in your name.
Report the scam text to USPS Postal Inspectors to aid investigations into scammers impersonating USPS.
File a complaint with the FCC on illegitimate use of your phone number via spoofing. Provide phone service records.
6. Assess Tax Identity Theft
If SSN was compromised, request your Identity Protection PIN (IP PIN) from the IRS to monitor tax return filings and verify your identity.
Check your IRS records for any discrepancies indicating tax identity theft from your SSN being misused. Act swiftly to avoid fraudulent tax refunds.
7. Run Credit Reports
Order full credit reports from Equifax, Experian, and TransUnion every 3 months for the next year to watch for signs of identity theft.
Dispute any fraudulent accounts, addresses, or credit inquiries under your name via the credit bureaus. Alert them to potential identity theft.
8. Consider Credit Monitoring
Sign up for robust credit monitoring services that watch your credit 24/7 and alert you to any new accounts or inquiries. This provides peace of mind.
Look for services that monitor all three credit bureaus, public records, web surveillance, and provide insurance covering losses from identity theft issues.
Frequently Asked Questions about the USPS Invalid Zip Code Scam
1. What is the USPS invalid zip code scam?
The USPS invalid zip code scam is a phishing scam where targets receive a text message claiming to be from USPS stating there is an issue delivering your package due to an invalid zip code. The message contains a link to “verify your zip code” but it actually leads to a fake website controlled by scammers aiming to steal your personal and financial information.
2. How does the USPS invalid zip code scam work?
The scam works in several steps:
- You receive a text claiming to be USPS saying they can’t deliver your package due to a bad zip code
- The text includes a link to correct the zip code issue
- Clicking the link opens a fake USPS website mimicking the real one
- You are prompted to enter personal info like name, DOB, address, SSN to “confirm your identity”
- You are then asked to pay a small $2-$5 redelivery fee using a credit or debit card
- The site steals all the details you entered
- Scammers use your information for identity theft or sell it online
3. What are the scam text messages examples?
The USPS invalid zip code scam texts follow similar phrasing, for example:
“U.S. Post: You have a USPS parcel being cleared, due to the detection of an invalid zip code address, the parcel cannot be cleared…please confirm the zip code address information at the link within 24 hours”
4. What is the fake USPS website URL?
The fake USPS domains used in the scam try to mimic the real USPS.com, using lookalike URLs like:
- usps-verify.com
- usps-delivery.com
- usps-packages.com
The URL may change frequently as fake sites get taken down.
5. What are the red flags of the USPS invalid zip code scam?
Red flags include:
- Texts regarding USPS packages you didn’t order
- Messages requesting you click a link to verify personal information
- Typos, grammatical errors, and other text oddities
- Links leading to misspelled or suspicious domains
- Sites asking for sensitive information like SSN and date of birth
- Requests for payment card information
6. What happens if you fall for the USPS invalid zip code scam?
If you provide your personal or financial details, scammers can:
- Commit identity theft using your name, DOB, SSN, address, etc.
- Make fraudulent purchases with your credit/debit card info
- Sell your information on the dark web to other criminals
This can result in charges you didn’t authorize, accounts opened in your name, and significant identity theft headaches.
7. What should you do if you fell victim to the scam?
If you provided your information, take these steps:
- Contact banks to close compromised accounts and stop payments on cards used
- Place fraud alerts on your credit reports
- Monitor your credit reports and financial accounts for signs of misuse
- Reset account passwords and enable two-factor authentication
- File reports with the FTC, FCC, USPS Inspector General
- Enroll in credit monitoring services
Acting quickly limits the potential damage from identity theft.
8. How can you avoid the USPS invalid zip code scam?
To avoid falling victim, remember:
- USPS never sends texts about undelivered packages or zip code issues
- Don’t click on links in suspicious texts – navigate to USPS.com manually
- Never provide personal or financial data via text links
- Links can open convincing fake sites – check the URL closely
- Report scam texts to USPS Postal Inspectors at spam@uspis.gov
9. How can you protect yourself from other delivery scams?
General tips to avoid delivery scams:
- Don’t click links from texts about missed deliveries
- Call the shipper directly if tracking information seems suspicious
- Never provide personal or payment info via text or emails
- Always manually navigate to official sites – don’t use links
- Use strong unique passwords on all accounts
- Enable two-factor authentication when available
Staying vigilant stops scammers in their tracks. Report suspicious messages to protect yourself and others.
The Bottom Line
The USPS invalid zip code scam relies on tricking you into clicking a text link to steal your information on a fake website. But awareness of this fraud is the best defense.
Remember:
- USPS will never send texts about packages needing address confirmations or zip code verification. Anything sent is a scam.
- Never click links in suspicious texts or provide info to unverified sites. Manually navigate to USPS.com instead.
- Know that government agencies don’t demand personal details via text message links. This is always a scam tactic.
- If receiving a suspicious USPS text, report it directly to the USPS Postal Inspection Service by emailing spam@uspis.gov
Staying vigilant against package delivery scams using the USPS name prevents you from relinquishing personal data and payment info that fuels identity theft and financial fraud. Protect yourself by recognizing the scam warning signs.
