A new text message scam has emerged that’s deceiving thousands into handing over personal information and payment card details, all under the familiar guise of a United States Postal Service delivery notification. But what appears to be a routine update about an “on hold” package is actually a cleverly designed phishing attempt aimed at stealing identities and money.
This scam starts with an urgent-sounding SMS about verifying your address so USPS can deliver a package that’s been processed but is mysteriously stuck in transit. The message includes a link to fix the problem, but clicking sends victims to a fake website impersonating the postal service and angling to steal highly sensitive information.
Once hooked, unsuspecting targets are reeled in further as the fraudulent site convinces them to enter credit card numbers to pay a small “redelivery” fee. But behind the convincing USPS branding and website lies an intricate identity theft racket enriching cybercriminals.
This article provides an in-depth investigation of how this devious multi-step scam works, how to protect yourself, and what to do if you took the bait on this “package held hostage” ruse.
This Article Contains:
An Overview of the USPS “Shipment On Hold” Scam
The “USPS shipment on hold” scam is a worrisome new phishing technique that uses text messages to trick users into visiting fake USPS websites. These sophisticated counterfeit sites are designed to harvest personal information and even payment card details from unsuspecting victims under the guise of resolving delivery issues.
This scam has been increasingly reported over the past few months, with many receiving out-of-the-blue SMS messages claiming USPS needs them to “verify their address” so that a package awaiting delivery can be released and shipped. The messages include a link to what appears to be the official USPS website, but is in reality a convincing replica operated by scammers to steal data.
Once users visit these fraudulent sites, they are prompted to enter details like their name, physical address, phone number, and sometimes additional information such as date of birth or social security number. The sites also display fake package tracking details to add legitimacy to the supposed shipping snafu. In some reported cases, victims were further tricked into entering payment card numbers to pay a small “redelivery fee”.
By gathering this sensitive personal and financial information, the scammers behind these fake postal sites can steal identities, commit payment fraud using victims’ card details, or sell the data to other cybercriminals on the dark web.
For example, names, addresses, and birth dates can allow criminals to open fraudulent accounts and lines of credit in the victims’ names via identity theft. Payment card information is either used to make direct purchases or sold in bulk “card dumps” to shady sites and individual thieves online.
Additionally, phone numbers and emails harvested through this scam are often added to lists for future smishing and phishing campaigns, allowing scammers to target victims repeatedly. Or they are sold to shady “marketing” firms who may resell the data or use it to bombard people with spam calls and messages.
In summary, this USPS text phishing scam is on the rise and highly effective due to its sophisticated social engineering. By studying legitimate USPS communications and mimicking their look and wording in the SMS messages and fake sites, scammers are able to trick many people into handing over information of value.
How the USPS “Shipment on Hold” Scam Works
The USPS text scam is worryingly simple yet cleverly effective. Here’s a step-by-step look at how it ensnares victims:
Step 1: Receiving the Fake USPS Text
The scam starts with an SMS text message sent to the target’s mobile device. The message is made to look like an official notice from USPS.
Here’s an example of the text people receive:
USPS SMS: Your shipment has been processed at our facility but is currently on hold due to incomplete address information. To facilitate timely delivery, we request you verify your address through the link below:
https://tinyurl.com/2c33vz78?efn=76TR3dsBbgThe text appears to come from a USPS shortcode number and mentions USPS in the body. The goal is making it seem like a legit message from the post office regarding an actual package.
Step 2: Visiting the Fake USPS Website
If the recipient clicks the link, they’re taken to a website designed to mimic an official USPS domain. The site has USPS branding and web pages mimicking ones on the real USPS site.
The fake site will display information about a package using a made-up tracking number. It will claim that the delivery address for the package is incomplete, preventing final delivery.
The scam page will have an online form, asking the victim to enter their name, address, phone number, and other details to “correct” the bad address and schedule redelivery.
Step 3: Entering Personal Information
If the victim falls for the scam and enters their info, they have already put their identity and security at risk. But the scam goes further to extract money too.
After submitting their details, the victim is taken to another page asking for payment to reschedule delivery. The page claims there is a small shipping/handling fee that must be paid, usually $1-$3.
If the user enters card information, the scammers can use it to make fraudulent purchases or withdrawals. Even if no payment is made, the user’s details have still been harvested by the scammers.
Step 4: Stealing the Victim’s Identity & Money
The scammers now have the victim’s full name, cell number, home address, email address, and potentially credit card details. This is a goldmine of information for committing identity fraud.
They can open bank accounts or credit cards in the victim’s name or sell the info on the dark web. The credit card can also be charged monthly for unwanted services by shady companies, generating fraudulent revenue for the scammers.
The user won’t even realize these things are happening until they spot unauthorized charges or accounts appear on their credit report. By then, the damage is already done.
This simple but effective scam allows fraudsters to make big money from victims who fall for the fake USPS messages and websites. Losses can be financial, emotional, and require legal action to undo identity theft.
What to do if You Have Fallen Victim to the USPS Text Scam
If you entered any personal data, handed over credit card details, or paid money to the scammers, here are important steps to take right away:
- Contact your bank and credit card companies: Alert them to possible fraudulent charges or accounts opened in your name. Cancel any cards used on the fake sites.
- Place fraud alerts: Notify credit bureaus to flag your credit report for suspicious activity. This helps prevent scammers taking out new lines of credit.
- Monitor your credit reports: Check your reports frequently for any signs of misuse of your identity, such as new credit cards or loan applications.
- File an FTC complaint: Reporting the scam to the Federal Trade Commission helps warn others and aids investigations.
- Change online account passwords: Reset passwords on your email, banking, and other sensitive accounts to prevent access.
- Watch for additional spam/phishing: Scammers may target you with more scams or sell your details to shady marketers. Ignore unsolicited contacts.
- Consider an identity theft protection service: A credit monitoring service can provide additional layers of protection against identity theft.
The quicker you act, the less damage the scammers can inflict on your finances and identity. It also limits the ability for them to profit off your details. If the identity theft is severe, you may need to work with attorneys to restore your credit status.
Frequently Asked Questions About the USPS “Shipment on Hold” Scam
1. How does the USPS “Shipment on Hold” scam work?
The scam typically begins with a text message claiming to be from USPS, stating that they need you to “verify your address” or provide additional information before a package can be delivered. The message contains a link that leads to a fake USPS website designed to steal your personal and financial information.
On the phony site, you’ll be prompted to enter details like your name, address, phone number, and sometimes credit card information under the guise of completing delivery or paying a small “redelivery fee.” Armed with this data, scammers can then commit identity theft or sell your details online.
2. What are some examples of the phishing texts sent in this scam?
The texts are made to look like real USPS tracking updates. Here are some examples:
“USPS: Your package arrived at the transit center but was halted due to incomplete address information. Please click below to verify your delivery address: http://www.uspsverify.com”
“USPS SMS Alert: We cannot deliver your package because of an incorrect shipping address. Please tap the link below to edit and verify your information: https://usps-update.com”
“USPS Delivery Update: Your package is on hold with a label created due to missing address details. Please tap link to provide complete info: http://usps-info.com/awaiting”
3. How can I recognize these USPS scam texts?
Watch for these red flags:
- Generic greetings like “Dear customer” instead of your name
- Suspicious or invalid looking links (tinyurl, bitly links)
- Requests for sensitive personal information
- Typos, bad grammar
- Threatening urgent language
- Requests to pay a fee or provide payment info
4. I entered my information on the fake USPS site – what now?
If you provided any personal or financial details, take these steps immediately:
- Contact banks/credit cards used on the site and alert them to possible fraudulent charges
- Place a fraud alert and get a copy of your credit reports to check for misuse
- Reset all account passwords to prevent access in case of a breach
- Watch out for additional phishing attempts using your details
You may also want to sign up for identity theft monitoring services to protect against additional fraud. Be wary of any unsolicited communications going forward.
5. Can legitimate USPS notifications request sensitive information?
No, real USPS communications will never ask for personal details like account numbers, social security numbers, or login credentials via text, email, or links. If something seems suspicious, contact USPS directly through their official website or verified phone number to confirm it’s valid.
6. How can I help stop this USPS phishing scam?
Here are some tips:
- Don’t click on links in suspicious texts/emails. Go directly to USPS.com instead.
- Report scam texts you receive to USPS Postal Inspectors.
- Warn friends and family about this phishing technique.
- Use antivirus/phishing filters to block scam messages.
- Keep software updated to reduce vulnerability.
- Contact providers to block reported scam phone numbers/links.
Staying vigilant is key to protecting yourself and preventing these scams from duping additional victims.
The Bottom Line
The USPS “package delivery on hold” scam shows how a simple text can lead to damaging identity theft. Law enforcement agencies are working to shut down fake domains and shortcode numbers involved.
But new ones keep popping up to snare victims. The best protection is being aware of the scam and exercising caution with any text messages or websites asking for personal/financial data.
Legitimate delivery notices will never ask for sensitive information over SMS or links. If in doubt, contact USPS customer service directly to confirm before clicking on anything.
With identity theft and online scams proliferating, it’s essential we all remain vigilant against schemes like this USPS text scam. Don’t let a random text message open the door to your valuable personal and financial details.
