Don’t Fall for the USPS “Shipment On Hold” Text Message Scam

A new text message scam has emerged that’s deceiving thousands into handing over personal information and payment card details, all under the familiar guise of a United States Postal Service delivery notification. But what appears to be a routine update about an “on hold” package is actually a cleverly designed phishing attempt aimed at stealing identities and money.

This scam starts with an urgent-sounding SMS about verifying your address so USPS can deliver a package that’s been processed but is mysteriously stuck in transit. The message includes a link to fix the problem, but clicking sends victims to a fake website impersonating the postal service and angling to steal highly sensitive information.

Once hooked, unsuspecting targets are reeled in further as the fraudulent site convinces them to enter credit card numbers to pay a small “redelivery” fee. But behind the convincing USPS branding and website lies an intricate identity theft racket enriching cybercriminals.

This article provides an in-depth investigation of how this devious multi-step scam works, how to protect yourself, and what to do if you took the bait on this “package held hostage” ruse.

An Overview of the USPS “Shipment On Hold” Scam

The “USPS shipment on hold” scam is a worrisome new phishing technique that uses text messages to trick users into visiting fake USPS websites. These sophisticated counterfeit sites are designed to harvest personal information and even payment card details from unsuspecting victims under the guise of resolving delivery issues.

This scam has been increasingly reported over the past few months, with many receiving out-of-the-blue SMS messages claiming USPS needs them to “verify their address” so that a package awaiting delivery can be released and shipped. The messages include a link to what appears to be the official USPS website, but is in reality a convincing replica operated by scammers to steal data.

Once users visit these fraudulent sites, they are prompted to enter details like their name, physical address, phone number, and sometimes additional information such as date of birth or social security number. The sites also display fake package tracking details to add legitimacy to the supposed shipping snafu. In some reported cases, victims were further tricked into entering payment card numbers to pay a small “redelivery fee”.

By gathering this sensitive personal and financial information, the scammers behind these fake postal sites can steal identities, commit payment fraud using victims’ card details, or sell the data to other cybercriminals on the dark web.

For example, names, addresses, and birth dates can allow criminals to open fraudulent accounts and lines of credit in the victims’ names via identity theft. Payment card information is either used to make direct purchases or sold in bulk “card dumps” to shady sites and individual thieves online.

Additionally, phone numbers and emails harvested through this scam are often added to lists for future smishing and phishing campaigns, allowing scammers to target victims repeatedly. Or they are sold to shady “marketing” firms who may resell the data or use it to bombard people with spam calls and messages.

In summary, this USPS text phishing scam is on the rise and highly effective due to its sophisticated social engineering. By studying legitimate USPS communications and mimicking their look and wording in the SMS messages and fake sites, scammers are able to trick many people into handing over information of value.

How the USPS “Shipment on Hold” Scam Works

The USPS text scam is worryingly simple yet cleverly effective. Here’s a step-by-step look at how it ensnares victims:

Step 1: Receiving the Fake USPS Text

The scam starts with an SMS text message sent to the target’s mobile device. The message is made to look like an official notice from USPS.

Here’s an example of the text people receive:

USPS SMS: Your shipment has been processed at our facility but is currently on hold due to incomplete address information. To facilitate timely delivery, we request you verify your address through the link below:

The text appears to come from a USPS shortcode number and mentions USPS in the body. The goal is making it seem like a legit message from the post office regarding an actual package.

Step 2: Visiting the Fake USPS Website

If the recipient clicks the link, they’re taken to a website designed to mimic an official USPS domain. The site has USPS branding and web pages mimicking ones on the real USPS site.

The fake site will display information about a package using a made-up tracking number. It will claim that the delivery address for the package is incomplete, preventing final delivery.

The scam page will have an online form, asking the victim to enter their name, address, phone number, and other details to “correct” the bad address and schedule redelivery.

Step 3: Entering Personal Information

If the victim falls for the scam and enters their info, they have already put their identity and security at risk. But the scam goes further to extract money too.

After submitting their details, the victim is taken to another page asking for payment to reschedule delivery. The page claims there is a small shipping/handling fee that must be paid, usually $1-$3.

If the user enters card information, the scammers can use it to make fraudulent purchases or withdrawals. Even if no payment is made, the user’s details have still been harvested by the scammers.

Step 4: Stealing the Victim’s Identity & Money

The scammers now have the victim’s full name, cell number, home address, email address, and potentially credit card details. This is a goldmine of information for committing identity fraud.

They can open bank accounts or credit cards in the victim’s name or sell the info on the dark web. The credit card can also be charged monthly for unwanted services by shady companies, generating fraudulent revenue for the scammers.

The user won’t even realize these things are happening until they spot unauthorized charges or accounts appear on their credit report. By then, the damage is already done.

This simple but effective scam allows fraudsters to make big money from victims who fall for the fake USPS messages and websites. Losses can be financial, emotional, and require legal action to undo identity theft.

What to do if You Have Fallen Victim to the USPS Text Scam

If you entered any personal data, handed over credit card details, or paid money to the scammers, here are important steps to take right away:

  • Contact your bank and credit card companies: Alert them to possible fraudulent charges or accounts opened in your name. Cancel any cards used on the fake sites.
  • Place fraud alerts: Notify credit bureaus to flag your credit report for suspicious activity. This helps prevent scammers taking out new lines of credit.
  • Monitor your credit reports: Check your reports frequently for any signs of misuse of your identity, such as new credit cards or loan applications.
  • File an FTC complaint: Reporting the scam to the Federal Trade Commission helps warn others and aids investigations.
  • Change online account passwords: Reset passwords on your email, banking, and other sensitive accounts to prevent access.
  • Watch for additional spam/phishing: Scammers may target you with more scams or sell your details to shady marketers. Ignore unsolicited contacts.
  • Consider an identity theft protection service: A credit monitoring service can provide additional layers of protection against identity theft.

The quicker you act, the less damage the scammers can inflict on your finances and identity. It also limits the ability for them to profit off your details. If the identity theft is severe, you may need to work with attorneys to restore your credit status.

Frequently Asked Questions About the USPS “Shipment on Hold” Scam

1. How does the USPS “Shipment on Hold” scam work?

The scam typically begins with a text message claiming to be from USPS, stating that they need you to “verify your address” or provide additional information before a package can be delivered. The message contains a link that leads to a fake USPS website designed to steal your personal and financial information.

On the phony site, you’ll be prompted to enter details like your name, address, phone number, and sometimes credit card information under the guise of completing delivery or paying a small “redelivery fee.” Armed with this data, scammers can then commit identity theft or sell your details online.

2. What are some examples of the phishing texts sent in this scam?

The texts are made to look like real USPS tracking updates. Here are some examples:

“USPS: Your package arrived at the transit center but was halted due to incomplete address information. Please click below to verify your delivery address:”

“USPS SMS Alert: We cannot deliver your package because of an incorrect shipping address. Please tap the link below to edit and verify your information:”

“USPS Delivery Update: Your package is on hold with a label created due to missing address details. Please tap link to provide complete info:”

3. How can I recognize these USPS scam texts?

Watch for these red flags:

  • Generic greetings like “Dear customer” instead of your name
  • Suspicious or invalid looking links (tinyurl, bitly links)
  • Requests for sensitive personal information
  • Typos, bad grammar
  • Threatening urgent language
  • Requests to pay a fee or provide payment info

4. I entered my information on the fake USPS site – what now?

If you provided any personal or financial details, take these steps immediately:

  • Contact banks/credit cards used on the site and alert them to possible fraudulent charges
  • Place a fraud alert and get a copy of your credit reports to check for misuse
  • Reset all account passwords to prevent access in case of a breach
  • Watch out for additional phishing attempts using your details

You may also want to sign up for identity theft monitoring services to protect against additional fraud. Be wary of any unsolicited communications going forward.

5. Can legitimate USPS notifications request sensitive information?

No, real USPS communications will never ask for personal details like account numbers, social security numbers, or login credentials via text, email, or links. If something seems suspicious, contact USPS directly through their official website or verified phone number to confirm it’s valid.

6. How can I help stop this USPS phishing scam?

Here are some tips:

  • Don’t click on links in suspicious texts/emails. Go directly to instead.
  • Report scam texts you receive to USPS Postal Inspectors.
  • Warn friends and family about this phishing technique.
  • Use antivirus/phishing filters to block scam messages.
  • Keep software updated to reduce vulnerability.
  • Contact providers to block reported scam phone numbers/links.

Staying vigilant is key to protecting yourself and preventing these scams from duping additional victims.

The Bottom Line

The USPS “package delivery on hold” scam shows how a simple text can lead to damaging identity theft. Law enforcement agencies are working to shut down fake domains and shortcode numbers involved.

But new ones keep popping up to snare victims. The best protection is being aware of the scam and exercising caution with any text messages or websites asking for personal/financial data.

Legitimate delivery notices will never ask for sensitive information over SMS or links. If in doubt, contact USPS customer service directly to confirm before clicking on anything.

With identity theft and online scams proliferating, it’s essential we all remain vigilant against schemes like this USPS text scam. Don’t let a random text message open the door to your valuable personal and financial details.

How to Stay Safe Online

Here are 10 basic security tips to help you avoid malware and protect your device:

  1. Use a good antivirus and keep it up-to-date.

    Shield Guide

    It's essential to use a good quality antivirus and keep it up-to-date to stay ahead of the latest cyber threats. We are huge fans of Malwarebytes Premium and use it on all of our devices, including Windows and Mac computers as well as our mobile devices. Malwarebytes sits beside your traditional antivirus, filling in any gaps in its defenses, and providing extra protection against sneakier security threats.

  2. Keep software and operating systems up-to-date.


    Keep your operating system and apps up to date. Whenever an update is released for your device, download and install it right away. These updates often include security fixes, vulnerability patches, and other necessary maintenance.

  3. Be careful when installing programs and apps.

    install guide

    Pay close attention to installation screens and license agreements when installing software. Custom or advanced installation options will often disclose any third-party software that is also being installed. Take great care in every stage of the process and make sure you know what it is you're agreeing to before you click "Next."

  4. Install an ad blocker.

    Ad Blocker

    Use a browser-based content blocker, like AdGuard. Content blockers help stop malicious ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not stop.

  5. Be careful what you download.

    Trojan Horse

    A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather.

  6. Be alert for people trying to trick you.

    warning sign

    Whether it's your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it's easy to spoof phone numbers, so a familiar name or number doesn't make messages more trustworthy.

  7. Back up your data.

    backup sign

    Back up your data frequently and check that your backup data can be restored. You can do this manually on an external HDD/USB stick, or automatically using backup software. This is also the best way to counter ransomware. Never connect the backup drive to a computer if you suspect that the computer is infected with malware.

  8. Choose strong passwords.

    lock sign

    Use strong and unique passwords for each of your accounts. Avoid using personal information or easily guessable words in your passwords. Enable two-factor authentication (2FA) on your accounts whenever possible.

  9. Be careful where you click.

    cursor sign

    Be cautious when clicking on links or downloading attachments from unknown sources. These could potentially contain malware or phishing scams.

  10. Don't use pirated software.

    Shady Guide

    Avoid using Peer-to-Peer (P2P) file-sharing programs, keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.

To avoid potential dangers on the internet, it's important to follow these 10 basic safety rules. By doing so, you can protect yourself from many of the unpleasant surprises that can arise when using the web.

Leave a Comment