Don’t Fall for Fake USPS “Invalid Recipient Address” Scam Stealing Money
Written by: Thomas Orsolya
Published on:
The USPS “Invalid Recipient Address” scam is a new phishing technique aiming to steal sensitive personal information from unsuspecting victims. Scammers are sending fraudulent text messages and emails pretending to be from the United States Postal Service. The messages claim that a package cannot be delivered due to an invalid recipient address. They urge recipients to click on a link to correct their address and pay a small redelivery fee. However, the link directs users to a fake USPS website designed to steal personal and financial information.
This article will take an in-depth look at how the “Invalid Recipient Address” phishing scam operates, how to protect yourself if targeted, and ways to avoid falling for similar frauds in the future.
This Article Contains:
Overview of the USPS “Invalid Recipient Address” Scam
This scam starts with potential victims receiving a text message or email supposedly from the USPS. The message claims a package cannot be delivered due to an invalid recipient address. Scammers pretend to be from the USPS and typically say something like:
“Your package is on hold for an invalid recipient address. Fill in the correct address info by the link below.”
The message urges victims to click on a link redirecting them to a fake USPS site. The fraudulent site mimics a real USPS page and asks victims to enter updated address information. It also requests a small redelivery fee, typically $0.20 to $0.30.
However, unsuspecting users who enter personal data and payment info are at risk of identity theft and financial fraud. The scammers steal sensitive information like names, addresses, credit card numbers, security codes, and more. Data is then used to commit other crimes like opening fraudulent accounts, taking over existing accounts, or selling info on the dark web.
This scam is essentially a phishing attack targeting innocent victims expecting package deliveries. Phishing uses urgent-sounding messages with links to fake sites impersonating trusted brands. The USPS name and logos are used to make the scam appear legitimate. But real USPS communications would not ask for personal info or payments over text or email.
How the USPS “Invalid Recipient Address” Scam Works
Scammers orchestrating this scam are quite strategic in how they target potential victims. Here is a step-by-step overview of how this scam typically works:
1. Scammers Obtain Victims’ Contact Info
The first step is scammers obtaining a database of names, phone numbers, and email addresses. Info like this is easily found online or purchased on the dark web. Scammers may also use botnets to harvest data from public sites and social networks. Accounts with e-commerce sites can be compromised to steal customer contact info too.
2. Scam Texts and Emails Are Sent En Masse
Once scammers compile a list of target contacts, they send out scam USPS messages en masse. Text messages come from a local number pretending to be a postal office. Emails spoof the real USPS domain in the sender address. Both contain urgent wording about an undelivered package and a link to the fake site.
3. Fake USPS Site Requests Updated Address and Redelivery Fee
If recipients click the link, they are taken to a deceiving site mimicking a real USPS page. The site asks users to enter updated address info since the original was “invalid”. A redelivery fee around $0.20 to $0.30 is also requested, making the page appear like a legit USPS payment portal.
4. Users Input Sensitive Personal and Payment Information
Tricked into thinking the site is real, many victims start filling in details like:
Full name
Home address
Phone number
Credit card number
Security code
Expiration date
Some even input their Social Security Number, date of birth, or other info requested. Entering any kind of personal data poses serious risks.
5. Scammers Steal Information for Financial Fraud and Identity Theft
Once submitted, all user data gets stolen by scammers to commit identity theft and financial fraud. Info like names, addresses, and Social Security Numbers can be used to open fake accounts or take over existing accounts.
Stolen credit card details are used to make fraudulent purchases online, resell on the dark web, or create cloned cards. Phone numbers may be targeted with additional smishing attacks or sold to shady telemarketers. The more info obtained, the more ways scammers can financially exploit victims.
How to Identify Fake USPS Emails Related to the “Invalid Recipient Address” Scam
It’s important to be able to recognize fraudulent USPS emails used in the “invalid recipient address” phishing scam. There are several indicators to help discern fake emails from real USPS communications. Learning these email phishing techniques can prevent you from getting scammed.
Analyze the Sender’s Email Address
Carefully inspect the email address in the “From” field of any USPS email. Legitimate messages will only come from an official usps.com email address:
usps.com
USPS.com
notifications@usps.com
no-reply@usps.com
Scam USPS emails often spoof or mimic real addresses. Look closely at the sender’s full email address and domain name:
Fake domains with misspellings or extra words should signal a phishing attempt.
Watch for Poor Spelling and Grammatical Errors
Real USPS emails are professionally written with no spelling, grammar, or punctuation errors. Phishing emails often contain issues like:
Typpos and mispellings
Missing or misused words
Wrong postal terms like “postal code” instead of ZIP CodeTM
Awkward phrasing and formatting
Messages with multiple issues should be considered highly suspicious. Fraudsters lack the mastery of language real USPS emails have.
Inspect Hyperlinked Text Carefully
Never click links in unsolicited emails. But hovering over hyperlinked text can reveal phishing tricks. Fake USPS links often use deceptive text that differs from the actual URL destination.
Hyperlinks saying “USPS Delivery Update” may actually link to “freepostalreport.com” – a big red flag. Only click links back to usps.com resources.
Check for Requests for Personal Information
The USPS would never ask customers for sensitive information like account numbers, Social Security numbers, or login credentials over email.
Phishing emails try to urgently scare victims into providing personal or financial details. Requests for account updates, package tracking numbers, or payment info signal a scam.
Verify Any Threats or Warnings
Scare tactics are meant to panic recipients into immediate action without thinking. Phishing emails make dubious claims your account is suspended, a package seized, or that you owe postage.
But USPS would not threaten delivery holds or legal action over email. Verify any warnings directly with USPS customer service before taking action.
Stay vigilant analyzing USPS emails for these common phishing indicators. Report scam messages to usps.gov and delete them immediately. Use caution providing personal data when contacted out of the blue online or over email. Protect yourself from fraud with awareness of phishing techniques.
How to Spot Fake USPS Text Messages Related to the “Invalid Recipient Address” Scam
Scammers also use fraudulent USPS text messages, known as smishing, to conduct the “invalid recipient address” phishing scam. Be wary of suspicious texts and know how to recognize real USPS communications.
Verify the Sender’s Phone Number
Carefully inspect the phone number or short code a text is sent from. Legitimate USPS messages will come from an official short code like:
28777 (USPS Tracking)
69797 (USPS Notifications)
Scam USPS texts often spoof local area codes or use arbitrary short codes:
❌ 888-555-1234 ❌ 75309 ❌ 39284
Unknown numbers should signal a smishing attempt. Search online to confirm if a short code is truly affiliated with USPS.
Watch for Odd Links and Website Addresses
Real USPS texts would never contain links to outside websites. Phishing texts provide links to shady sites engineered to steal your data when entered.
Hover over any links to inspect the web address. Fake domains with “usps” misspellings like “uspss” should reveal a scam.
Verify Any Threats and Warnings
Smishing texts make dubious claims of unpaid postage, seized packages, or delivery cancellations. But USPS would not threaten holds on shipments or legal action over text.
Inspect texts carefully and confirm any warnings through official USPS customer service before taking action.
Check for Requests for Personal Information
Much like phishing emails, smishing texts try to trick users into inputting sensitive information like account numbers, Social Security numbers, or login credentials.
The USPS would never ask customers for personal or financial details over text. Requests for address updates, package tracking numbers, or payment info signal a scam.
Watch for Poor Spelling and Grammar
Typos, spelling and grammar errors are common in smishing texts from foreign numbers. Real USPS messages are professionally written with no language issues.
Stay vigilant against USPS smishing scams by analyzing texts closely for these red flags. Report scam messages to SPAM (7726) and avoid clicking links or providing personal information requested. Use caution with communications from unknown numbers.
What to Do If You Are Targeted by This Scam
If you receive a suspicious text or email claiming to be from USPS about an undelivered package, here are important steps to take:
Do Not Click Links or Provide Any Information
First and foremost, do not click on any links in the message or enter any personal or financial information on linked sites. The links are a trap to a fake portal used to steal data. Remember – USPS would never request info or payments via text or email.
Report the Scam Message
Report the scam text or email to USPS by forwarding it to spam@uspis.gov. You can also file a complaint with the Federal Trade Commission at ReportFraud.ftc.gov. Reporting scams helps authorities track down and stop fraudsters.
Contact Your Bank
If you did provide credit card information, immediately contact your bank and report the fraudulent charges. Your bank may be able to freeze the card, dispute the charges, and prevent further fraudulent use.
Reset Online Account Passwords
Also change passwords for any online accounts that use the same username and password combination entered on the fake site. Scammers may leverage credentials to gain access to other accounts. Use strong, unique passwords for every account.
Monitor Accounts and Credit Reports
Carefully monitor bank and financial accounts for any suspicious activity, as well as your credit reports for any unauthorized activity. Placing a fraud alert or credit freeze can help protect against identity theft.
Beware of Recovery Scams
Be cautious of any call, email, or text claiming they can recover lost money or compromised information. This is likely another scam attempt. Only work directly with your bank or legitimate law enforcement.
How to Avoid Falling Victim to Similar Scams
While scams are getting more sophisticated, there are ways to avoid falling victim to phishing attacks like the USPS invalid recipient address scam:
Never click links or call numbers in unsolicited messages – Be skeptical of texts, social media messages, emails, or calls claiming there is a problem with an account or requesting personal information. Calling a number or clicking a link verifies to scammers that they reached a real, active person. Legitimate companies won’t ask for info this way.
Set up multi-factor authentication – Turn on multi-factor authentication for banking, email, social media, and other online accounts. This adds an extra layer of security beyond just usernames and passwords.
Create strong, unique passwords – Avoid password reuse by generating complex, unique passwords for each online account using a password manager. Weak, duplicated credentials allow scammers to infiltrate multiple accounts.
Keep software updated – Maintain the latest security updates for all devices and software. Updates patch vulnerabilities that scammers exploit to steal data and spread malware.
Be wary of unsolicited calls and texts – Don’t answer or return calls from unknown numbers. Let unknown numbers go to voicemail. Scammers use robocalls and smishing to find live targets.
Consult legitimate websites or apps – If you get an urgent request regarding an account, consult the official website or app first. Don’t rely on texts or emails alone. Search for the company’s official contact info to verify legitimacy.
Monitor your accounts and credit reports – Routinely check all financial accounts statements and credit reports for any unusual activity. It’s easier to spot fraudulent activity early by monitoring closely.
Is Your Device Infected? Check for Malware
If your device is running slowly or acting suspicious, it may be infected with malware. Malwarebytes Anti-Malware Free is a great option for scanning your device and detecting potential malware or viruses. The free version can efficiently check for and remove many common infections.
Malwarebytes can run on Windows, Mac, and Android devices. Depending on which operating system is installed on the device you’re trying to run a Malwarebytes scan, please click on the tab below and follow the displayed steps.
Malwarebytes For WindowsMalwarebytes For MacMalwarebytes For Android
Scan your computer with Malwarebytes for Windows to remove malware
Malwarebytes stands out as one of the leading and widely-used anti-malware solutions for Windows, and for good reason. It effectively eradicates various types of malware that other programs often overlook, all at no cost to you. When it comes to disinfecting an infected device, Malwarebytes has consistently been a free and indispensable tool in the battle against malware. We highly recommend it for maintaining a clean and secure system.
Download Malwarebytes for Windows
You can download Malwarebytes by clicking the link below.
After the download is complete, locate the MBSetup file, typically found in your Downloads folder. Double-click on the MBSetup file to begin the installation of Malwarebytes on your computer. If a User Account Control pop-up appears, click “Yes” to continue the Malwarebytes installation.
Follow the On-Screen Prompts to Install Malwarebytes
When the Malwarebytes installation begins, the setup wizard will guide you through the process.
You’ll first be prompted to choose the type of computer you’re installing the program on—select either “Personal Computer” or “Work Computer” as appropriate, then click on Next.
Malwarebytes will now begin the installation process on your device.
When the Malwarebytes installation is complete, the program will automatically open to the “Welcome to Malwarebytes” screen.
On the final screen, simply click on the Open Malwarebytes option to start the program.
Enable “Rootkit scanning”.
Malwarebytes Anti-Malware will now start, and you will see the main screen as shown below. To maximize Malwarebytes’ ability to detect malware and unwanted programs, we need to enable rootkit scanning. Click on the “Settings” gear icon located on the left of the screen to access the general settings section.
In the settings menu, enable the “Scan for rootkits” option by clicking the toggle switch until it turns blue.
Now that you have enabled rootkit scanning, click on the “Dashboard” button in the left pane to get back to the main screen.
Perform a Scan with Malwarebytes.
To start a scan, click the Scan button. Malwarebytes will automatically update its antivirus database and begin scanning your computer for malicious programs.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now scan your computer for browser hijackers and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check the status of the scan to see when it is finished.
Quarantine detected malware
Once the Malwarebytes scan is complete, it will display a list of detected malware, adware, and potentially unwanted programs. To effectively remove these threats, click the “Quarantine” button.
Malwarebytes will now delete all of the files and registry keys and add them to the program’s quarantine.
Restart your computer.
When removing files, Malwarebytes may require a reboot to fully eliminate some threats. If you see a message indicating that a reboot is needed, please allow it. Once your computer has restarted and you are logged back in, you can continue with the remaining steps.
Your computer should now be free of trojans, adware, browser hijackers, and other malware.
If your current antivirus allowed this malicious program on your computer, you may want to consider purchasing Malwarebytes Premium to protect against these types of threats in the future. If you are still having problems with your computer after completing these instructions, then please follow one of the steps:
Scan your computer with Malwarebytes for Mac to remove malware
Malwarebytes for Mac is an on-demand scanner that can destroy many types of malware that other software tends to miss without costing you absolutely anything. When it comes to cleaning up an infected device, Malwarebytes has always been free, and we recommend it as an essential tool in the fight against malware.
Download Malwarebytes for Mac.
You can download Malwarebytes for Mac by clicking the link below.
When Malwarebytes has finished downloading, double-click on the setup file to install Malwarebytes on your computer. In most cases, downloaded files are saved to the Downloads folder.
Follow the on-screen prompts to install Malwarebytes.
When the Malwarebytes installation begins, you will see the Malwarebytes for Mac Installer which will guide you through the installation process. Click “Continue“, then keep following the prompts to continue with the installation process.
When your Malwarebytes installation completes, the program opens to the Welcome to Malwarebytes screen. Click the “Get started” button.
Select “Personal Computer” or “Work Computer”.
The Malwarebytes Welcome screen will first ask you what type of computer are you installing this program, click either Personal Computer or Work Computer.
Click on “Scan”.
To scan your computer with Malwarebytes, click on the “Scan” button. Malwarebytes for Mac will automatically update the antivirus database and start scanning your computer for malware.
Wait for the Malwarebytes scan to complete.
Malwarebytes will scan your computer for adware, browser hijackers, and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Quarantine”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malware that Malwarebytes has found, click on the “Quarantine” button.
Restart computer.
Malwarebytes will now remove all the malicious files that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your computer.
Your Mac should now be free of adware, browser hijackers, and other malware.
If your current antivirus allowed a malicious program on your computer, you might want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future. If you are still experiencing problems while trying to remove a malicious program from your computer, please ask for help in our Mac Malware Removal Help & Support forum.
Scan your phone with Malwarebytes for Android to remove malware
Malwarebytes for Android automatically detects and removes dangerous threats like malware and ransomware so you don’t have to worry about your most-used device being compromised. Aggressive detection of adware and potentially unwanted programs keeps your Android phone or tablet running smooth.
Download Malwarebytes for Android.
You can download Malwarebytes for Android by clicking the link below.
In the Google Play Store, tap “Install” to install Malwarebytes for Android on your device.
When the installation process has finished, tap “Open” to begin using Malwarebytes for Android. You can also open Malwarebytes by tapping on its icon in your phone menu or home screen.
Follow the on-screen prompts to complete the setup process
When Malwarebytes will open, you will see the Malwarebytes Setup Wizard which will guide you through a series of permissions and other setup options. This is the first of two screens that explain the difference between the Premium and Free versions. Swipe this screen to continue. Tap on “Got it” to proceed to the next step. Malwarebytes for Android will now ask for a set of permissions that are required to scan your device and protect it from malware. Tap on “Give permission” to continue. Tap on “Allow” to permit Malwarebytes to access the files on your phone.
Update database and run a scan with Malwarebytes for Android
You will now be prompted to update the Malwarebytes database and run a full system scan.
Click on “Update database” to update the Malwarebytes for Android definitions to the latest version, then click on “Run full scan” to perform a system scan.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now start scanning your phone for adware and other malicious apps. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Remove Selected”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes for Android has detected. To remove the malicious apps that Malwarebytes has found, tap on the “Remove Selected” button.
Restart your phone.
Malwarebytes for Android will now remove all the malicious apps that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your device.
Your phone should now be free of adware, browser hijackers, and other malware.
If your current antivirus allowed a malicious app on your phone, you may want to consider purchasing the full-featured version of Malwarebytes to protect against these types of threats in the future. If you are still having problems with your phone after completing these instructions, then please follow one of the steps:
Restore your phone to factory settings by going to Settings > General management > Reset > Factory data reset.
Frequently Asked Questions About the USPS “Invalid Recipient Address” Scam
This FAQ section provides key information about the USPS “Invalid Recipient Address” phishing scam targeting unsuspecting victims. Learn how to spot this scam and protect yourself from fraud.
What is the USPS “Invalid Recipient Address” scam?
The USPS “Invalid Recipient Address” scam involves fraudulent text messages or emails pretending to be from USPS. The messages state a package can’t be delivered due to an invalid recipient address. They provide a link to correct your address and pay a small redelivery fee. However, the link goes to a fake USPS site designed to steal personal and financial information for identity theft and credit card fraud.
How does the USPS invalid address scam work?
Scammers send text messages or emails with USPS branding claiming a package can’t be delivered to you due to an invalid address. The message urges you to click a link to correct your address and schedule redelivery by paying a small fee, usually $0.20 to $0.30. But the link goes to a fake website impersonating an official USPS portal to steal your data.
What are examples of the fake USPS messages for this scam?
Examples of fake messages used in this scam include:
“USPS: Your package is on hold for an invalid recipient address. To reschedule delivery please click here.”
“Attention: We were unable to deliver your package due to an incorrect address. Please verify your information here.”
“USPS Delivery Failed – The address entered for your package delivery is invalid. Please update your address here.”
What happens if you click the link in the fake USPS messages?
The link in the fake USPS messages directs victims to a phishing website pretending to be a real USPS portal. The site requests users enter personal info like your name, address, phone number, credit card details and more under the guise of collecting updated address data and a redelivery fee payment. In reality, all data entered is stolen.
How can you tell if a USPS text or email is fake?
To identify fake USPS communications:
Inspect the sender’s address – Real USPS emails come from usps.com addresses only.
Check for typos & grammatical errors – USPS messages are professional with no mistakes.
Do not click links – USPS never sends texts/emails with links to account pages.
Hover over links to inspect the URL – Fake links often have misspelled or forged domains.
Call USPS directly if concerned about a message.
What should you do if you get a fake USPS message?
If you receive a suspicious USPS text or email:
Do not click any links or provide personal or payment information.
Report the scam message by forwarding it to spam@uspis.gov.
If you entered payment info, call your bank immediately to freeze your card and dispute the charges.
Change passwords on any accounts that may have been compromised.
Watch for signs of identity theft or account breaches.
How can you protect yourself from the invalid recipient address scam?
To avoid falling for this scam:
Never click links or call numbers in suspicious texts or emails.
Use multi-factor authentication for online accounts.
Create strong, unique passwords for all accounts.
Keep software updated to patch vulnerabilities.
Consult official sites if contacted about your account.
Carefully monitor financial accounts and credit reports.
What is phishing and smishing?
Phishing is when scammers use fraudulent emails, sites, or forms to steal personal information. Smishing is phishing conducted over SMS text messaging. The invalid recipient scam uses both tactics to bait victims.
What should you do if you already fell for this scam?
If you provided your information:
Contact banks to freeze/cancel cards.
Place fraud alert on credit reports and review for any suspicious activity.
Reset passwords on compromised accounts and enable two-factor authentication.
Watch out for recovery scams contacting you to prevent more loss.
How can I report this scam or cybercrime?
To report this scam, cybercrime, or identity theft:
File a complaint with the FTC at ReportFraud.ftc.gov.
Report ID theft to the FTC at IdentityTheft.gov.
Contact your state attorney general office to file a complaint.
Notify the major credit bureaus and your banks of any fraud.
File a report with your local law enforcement agency.
Stay vigilant for new variations on the USPS invalid recipient address scam trying to phish for personal data. Perform online safety best practices to avoid exposure.
The Bottom Line
Scammers are constantly evolving their tactics and the USPS invalid recipient address is one of their latest ploys. This scam leverages fake postal service messages to trick unsuspecting targets into providing personal and financial data. This information is then used for identity theft and financial fraud.
The best way to avoid this scam is being aware of the tactics, verifying message legitimacy, and refraining from providing info or clicking links in unsolicited communications. Protect all accounts with strong passwords and multi-factor authentication. Report any scam messages and suspicious activity to stop these fraudsters in their tracks. Stay vigilant against new schemes aiming to steal personal data and assets. Don’t let scammers packages promises lure you into divulging sensitive information.
How to Stay Safe Online
Here are 10 basic security tips to help you avoid malware and protect your device:
Use a good antivirus and keep it up-to-date.
It's essential to use a good quality antivirus and keep it up-to-date to stay ahead of the latest cyber threats. We are huge fans of Malwarebytes Premium and use it on all of our devices, including Windows and Mac computers as well as our mobile devices. Malwarebytes sits beside your traditional antivirus, filling in any gaps in its defenses, and providing extra protection against sneakier security threats.
Keep software and operating systems up-to-date.
Keep your operating system and apps up to date. Whenever an update is released for your device, download and install it right away. These updates often include security fixes, vulnerability patches, and other necessary maintenance.
Be careful when installing programs and apps.
Pay close attention to installation screens and license agreements when installing software. Custom or advanced installation options will often disclose any third-party software that is also being installed. Take great care in every stage of the process and make sure you know what it is you're agreeing to before you click "Next."
Install an ad blocker.
Use a browser-based content blocker, like AdGuard. Content blockers help stop malicious ads, Trojans, phishing, and other undesirable content that an antivirus product alone may not stop.
Be careful what you download.
A top goal of cybercriminals is to trick you into downloading malware—programs or apps that carry malware or try to steal information. This malware can be disguised as an app: anything from a popular game to something that checks traffic or the weather.
Be alert for people trying to trick you.
Whether it's your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it's easy to spoof phone numbers, so a familiar name or number doesn't make messages more trustworthy.
Back up your data.
Back up your data frequently and check that your backup data can be restored. You can do this manually on an external HDD/USB stick, or automatically using backup software. This is also the best way to counter ransomware. Never connect the backup drive to a computer if you suspect that the computer is infected with malware.
Choose strong passwords.
Use strong and unique passwords for each of your accounts. Avoid using personal information or easily guessable words in your passwords. Enable two-factor authentication (2FA) on your accounts whenever possible.
Be careful where you click.
Be cautious when clicking on links or downloading attachments from unknown sources. These could potentially contain malware or phishing scams.
Don't use pirated software.
Avoid using Peer-to-Peer (P2P) file-sharing programs, keygens, cracks, and other pirated software that can often compromise your data, privacy, or both.
To avoid potential dangers on the internet, it's important to follow these 10 basic safety rules. By doing so, you can protect yourself from many of the unpleasant surprises that can arise when using the web.
Leave a Comment
Meet Thomas Orsolya
Thomas is an expert at uncovering scams and providing in-depth reporting on cyber threats and online fraud. As an editor, he is dedicated to keeping readers informed on the latest developments in cybersecurity and tech.
