There’s a new form of phishing spam causing trouble lately, and it’s arriving as text messages about package deliveries. Over the holidays, a record number of people shopped online while adhering to pandemic stay-at-home orders. Many companies offered the option of sending updates about packages by text, while big shipping companies such as Amazon, UPS, USPS, and FedEx would also send texts (if you opted in) to let you know the package status, even providing links to track the package’s progress.

Unfortunately, as we all got used to receiving texts from legitimate retailers and shipping companies, it became easier for phishing scams to sneak in disguised as package delivery notifications. According to the Better Business Bureau, the most common text scams are those that pretend to be from a mail carrier like UPS, FedEx, or USPS. The text will inform you that your package has been delivered, or that they are holding your package for delivery, and then give you a link to click on to confirm. If you click on the link, it can send you to a form asking for personal information (like bank account information) in order to receive a non-existent package. This doesn’t just give criminals access to sensitive information; in many cases it can also give them the ability to download malware onto the phone, which can let them steal personal information on the device or hijack the phone to send out more spam-type texts to everyone on your contact list.

If you have recently placed an order and are waiting for a package to be delivered, using texts to track it can be useful, as long as you take precautions to avoid possible phishing texts.

What to do if you receive a “package delivered” text:

If you receive a text about a package delivery, don’t click on any links until you review the following:

  • Legitimate texts from delivery services like UPS, Amazon Prime, and FedEx will never ask for personal info like your login or banking information.
  • If the text asks you to click on a link or provide personal information such as credit card info, passwords, or your home address, delete it immediately.
  • Keep track of your orders and ask your family members if they have placed any orders recently. If someone in your home is expecting an order, but you are unsure if the text is legitimate, check your email receipt or log in to your retail account online. Most stores will provide information about who the shipping carrier is and when the package is expected to be shipped.
  • If the text message addresses you with a generic “dear customer,” or contains misspellings, typos, or bad grammar, it’s a red flag and you should delete it.

What to do if a package is missing

If you receive a message that your package was delivered, you’ve verified it’s legitimate, but your package is not there, try the following:

  • Many services attach photos of where the package was delivered. Check the photos to see if they might have placed the package behind a bench, under a bush, or even accidentally at your neighbor’s door.
  • Check the order confirmation email or log into your online account with that retailer to check the tracking info. If it also shows delivered, contact the retailer to let them know your package did not arrive as stated.
  • If you believe that someone stole the package, call the non-emergency line of your local law enforcement agency.