The USPS scam is a smishing (SMS phishing) and phishing operation that impersonates the United States Postal Service to steal card details, personal information, and money from victims. In the USPS scam, criminals send fake delivery notification texts or emails claiming a problem with a package — an undeliverable address, a customs hold, a small redelivery fee — and include a link to a phishing site that harvests whatever the victim enters.

The USPS scam is structurally identical to the US toll smishing wave — a trivially small claimed amount, a look-alike domain, and a payment form that captures card details for far larger fraudulent use. The difference is branding: while toll smishing impersonates FedEx or state toll authorities, the USPS scam impersonates the federal postal service. The playbook behind both is the same criminal infrastructure, rotated across whichever brand is currently most effective.

The USPS brand is one of the most effective impersonation targets in the US for two compounding reasons: almost everyone receives USPS deliveries regularly, and the USPS serves as the delivery channel for countless federal government communications — tax notices, jury summons, benefit letters — giving USPS-branded messages an inherent authority weight beyond just package tracking. The USPS scam exploits both dimensions.

The USPS scam targets victims by phone number and email rather than by actual delivery history. The criminals buy US mobile number lists in bulk, then bombard them with the USPS scam messages regardless of whether the recipient is expecting a delivery. Most recipients have no package in transit whatsoever — but because the message is ambiguous (it implies rather than names a specific package), many cannot immediately rule it out.

The USPS scam is part of a broader delivery and courier impersonation wave covered across several guides on this site. The nearest equivalent is the FedEx scam call, which uses vishing rather than smishing. Our phishing scam pillar covers the underlying technique in depth. The toll-smishing cluster starting with the RiverLink scam documents the same infrastructure applied to highway toll collection.

The USPS scam follows a consistent six-stage pattern. Recognising the structure at any stage is enough to terminate the fraud before any data or money is surrendered.

Step 1: The Bulk SMS or Email Blast

The USPS scam begins with bulk contact. The criminals purchase US mobile number lists or email address lists from data brokers or dark-web markets and send the USPS scam message to millions of recipients simultaneously. The lists are not filtered by delivery history — anyone with a US phone number or email address is a potential target.

Because the USPS scam message is deliberately vague about which package is affected, even recipients with no outstanding deliveries cannot immediately dismiss it. “Your package could not be delivered” is designed to be ambiguous enough to create uncertainty in anyone who has ordered anything online recently.

Step 2: The Smishing or Phishing Message

The smishing message arrives looking convincingly official. A typical text reads: “USPS: Your package has been held. A delivery attempt was made but we were unable to complete delivery. Please update your address or pay the $3.30 redelivery fee at usps-tracking-update.com/[random-string] to reschedule.” The sender name is “USPS,” “US Postal Service,” or a numeric short code.

The message is calibrated for low friction: a small amount, a credible reason (wrong address, missed delivery), and a sense of urgency (the package will be returned if not resolved today). The USPS scam message is typically short, professional, and free of the grammar errors associated with older phishing campaigns — AI-generated content has raised the baseline quality of these messages significantly.

Step 3: The Look-Alike Domain

The link in the USPS scam message never points to the real usps.com. It points to a look-alike domain — usps-tracking-update.com, usps-delivery-hold.net, usps-parcel-delivery.com, us-postalservice.online, or hundreds of similar variations. These domains are registered in bulk, rotated every few days as they get reported and blocked, and hosted on infrastructure designed to evade takedown.

The look-alike domain is the most reliable single verification check for the USPS scam. The real USPS uses exactly usps.com — one domain, the .com TLD, no hyphens. Any other domain claiming to be USPS is criminal infrastructure, regardless of how professional the landing page looks.

Step 4: The Phishing Form

When the victim clicks the USPS scam link, the landing page renders a near-perfect clone of the real USPS website. The victim is asked to enter their name, address, and full card details including CVV to pay the small claimed redelivery fee. The form processes the claimed amount, thanks the victim, and confirms “delivery has been rescheduled.” In reality, the card details have been captured and the larger fraud is just beginning.

Step 5: Card Monetisation

Once the criminals have card details from the USPS scam, the card is tested with a small transaction and then used for high-value purchases, or sold in bulk on dark-web markets. Victims of the USPS scam typically see fraudulent charges appear within hours or days — far larger than the small redelivery fee that was the stated reason for the original payment.

Step 6: Identity Layer-On

Beyond the card fraud, the USPS scam often harvests enough data for downstream identity theft. Name, address, and card details provide the foundation for new-account fraud and synthetic identity attacks. This overlap is covered in our identity theft scams guide.

The USPS scam runs in several specific variants that each use a slightly different cover story to justify the link and the payment or data request. Each exploits a different aspect of how people actually interact with the postal service.

The Denver Teacher and the $2.95 Redelivery Fee

A 48-year-old teacher in Denver received a USPS scam text claiming a $2.95 redelivery fee was needed before a package could be released. Because she had ordered several items online the previous week and could not immediately account for all of them, the message seemed plausible. She clicked the link, which went to usps-deliveryhold.com — a near-perfect USPS clone — and entered her Chase Visa details to pay the $2.95.

Four days later she discovered $1,844 in charges at electronics retailers in Arizona and Illinois. Her bank reversed all fraudulent charges and issued a new card. She had never had any actual USPS delivery issue — the package the USPS scam claimed was held never existed. The $2.95 was a card-live test; the real fraud followed immediately.

The lesson: the USPS scam amount is designed specifically to be small enough that the victim does not pause to verify. The rule is not “verify large payments” — it is “verify any payment requested via text link.” A $2.95 card entry on a look-alike domain is identically dangerous to a $295 one.

The New York Family and the Address Update

A family in Brooklyn received a USPS scam email claiming their delivery address was missing an apartment number and needed to be updated before the package could be delivered. The email linked to a convincing USPS clone at us-postal-service.net. The husband entered his name, full home address, date of birth, and phone number — but noticed the site was also asking for card details “to confirm identity” and stopped before entering card information.

He had not entered card details, but the personal data he provided — name, address, date of birth, phone — was sufficient. Two months later, a credit card was opened in his name at a retailer he had never patronised. The card issuer’s fraud detection flagged it before any charges were made, but the family spent eight hours resolving the subsequent credit file inquiry.

The lesson: the USPS scam does not require card entry to cause serious damage. Personal data alone — name, address, date of birth — is enough to seed downstream identity theft. The address-update variant is primarily a data harvest, not a payment harvest. Any form asking for personal details in connection with a delivery is fraudulent.

The Senior Who Received Five USPS Scam Texts in One Week

A 74-year-old retiree in Phoenix received five different USPS scam texts over seven days, each from a slightly different sender number, each claiming a different package problem with a slightly different amount. He did not click any of them but was confused enough to call the real USPS at 1-800-275-8777, who confirmed he had no outstanding packages and that all five texts were the USPS scam.

He forwarded all five to 7726 and reported them to the FTC. The wave pattern — multiple similar messages across a short period — is characteristic of the A/B testing phase that criminal operations run when they acquire a new number list. His number had clearly appeared in a recently purchased bulk contact list.

The lesson: receiving multiple USPS scam texts in a short period confirms your number is on a criminal list. Reporting all of them to 7726 and the FTC is more effective than simply blocking them — it feeds carrier and federal-level blocking that helps protect the millions of other numbers on the same list.

The USPS Postal Inspection Service and multiple US consumer protection agencies have issued consistent public warnings about the USPS scam and its variants.

The US Postal Inspection Service (USPIS) — the federal law enforcement arm of USPS — has issued multiple public alerts about the USPS scam and maintains a dedicated fraud reporting channel at spam@uspis.gov. The USPIS confirms that USPS does not send unsolicited texts or emails with links requesting payment or personal information, and that any such message is fraudulent. The USPIS also confirms that the real USPS text tracking service (short code 28777) sends only status updates — never links or payment requests.

The Federal Trade Commission (FTC) has identified delivery and postal impersonation as one of its top-reported consumer fraud categories. The FTC notes that the USPS scam follows the same pattern as all delivery-impersonation fraud: a small urgent amount, a look-alike domain, and a payment form capturing card details for far larger fraudulent use. Report at reportfraud.ftc.gov.

The FBI’s Internet Crime Complaint Center (IC3) categorises USPS scam reports under non-payment/non-delivery fraud and phishing. The IC3 notes that delivery impersonation frauds increased sharply in 2023 and 2024, tracking the growth of e-commerce and the corresponding increase in consumers expecting regular package deliveries. Report at ic3.gov.

The FCC regulates the smishing infrastructure the USPS scam uses — illegal robocalls and bulk SMS. Reporting to the FCC at consumercomplaints.fcc.gov gives regulators the data they need to pursue enforcement action against the telecom providers enabling the bulk messaging operations.

Never Click a Link in a Delivery Notification Text or Email

The most effective single protection against the USPS scam: do not click any link in any unsolicited text or email about a delivery problem. Type usps.com directly into your browser and use your actual tracking number to check package status. If you do not have a tracking number, you have no package in USPS custody that could be held.

This one rule defeats every smishing variant of the USPS scam — the redelivery fee variant, the address update variant, the customs hold variant, and the Informed Delivery clone. All of them depend on the victim clicking the link; remove that click and the USPS scam cannot proceed.

Check the Domain Character by Character

If you do click a link before reading this guide, the next check is the domain. USPS uses exactly usps.com — one domain, the .com TLD, no hyphens, no additional words. Any link destination that is not exactly usps.com is the USPS scam, regardless of how professional the landing page looks. Type the domain into your browser manually if you need to verify rather than following the link.

Beware of domains that add legitimate-sounding words — usps-tracking.com, usps-delivery-center.com, us-postal-service.net. These are all criminal infrastructure. The pattern “usps + anything except .com” or “anything except usps + .com” identifies the fraud immediately.

Sign Up for the Real USPS Text Tracking Service

The real USPS text tracking service operates on short code 28777 (2USPS). To use it legitimately: enter your tracking number at usps.com and opt in to text updates. The real service sends only status updates — no links, no payment requests, no action items. Once you know what a real USPS text looks like, USPS scam texts are immediately distinguishable from legitimate ones.

Also sign up for USPS Informed Delivery at usps.com — the legitimate service that sends daily digest emails previewing your incoming mail. Knowing which deliveries are genuinely in transit eliminates the ambiguity the USPS scam exploits: when you know exactly what packages you have en route, any text about a different package is immediately suspicious.

Forward Every Suspicious Text to 7726

Every major US mobile carrier supports the 7726 (SPAM) short code. Forward the USPS scam text to 7726 before deleting it. This feeds the carrier’s spam-filtering system and the USPIS’s intelligence database. The same sender number and domain are used in millions of messages — your report contributes to blocking them at the infrastructure level.

Report to spam@uspis.gov for Email Variants

For USPS scam phishing emails, forward the complete email (including headers if possible) to spam@uspis.gov. Do not click any links or download any attachments in the email before forwarding. The USPIS fraud team uses these reports to identify and pursue the criminal networks running the USPS scam operation.

If you have already clicked a USPS scam link and entered card details or personal information, act quickly. Speed is the most important variable in limiting damage.