If a delivery message says your package is held, delayed, missing an address, waiting on customs, or needs a redelivery fee, do not use the link or number in the message to check it.
Open the retailer account, carrier app, or carrier website yourself. The risk depends on what happened next: ignored message, clicked link, entered card details, shared a code, downloaded something, or called a number.
| What happened | Do first | Check next |
|---|---|---|
| You only received the message | Do not click, reply, or call from it. | Check the retailer order or carrier tracking separately. |
| You clicked but entered nothing | Close the page and do not test it again. | Check for downloads, app/profile prompts, browser permissions, or account alerts. |
| It asked for a redelivery fee | Do not pay through the message link. | USPS redelivery is not charged; for other carriers, verify only through the official site, app, or account. |
| It asked for an address update | Do not submit the form from the message. | Check whether the order or tracking page you opened yourself shows an address issue. |
| It asked for customs, duties, taxes, or postage | Do not assume it is fake or real from the text alone. | Verify through the carrier, retailer, marketplace order, or customs process you reached yourself. |
| You entered card, bank, login, or code details | Contact the relevant provider through official channels. | Replace the card, change exposed passwords, review sign-ins, and watch pending charges. |
| You downloaded an app, file, profile, or extension | Stop using it and remove anything unfamiliar. | Review device permissions, browser downloads, account sign-ins, and payment activity. |
| You called the number | End the call and do not share another code or payment. | Write down what was requested and act based on what you shared. |
Use the closest match. If more than one applies, handle payment, login, code, download, or account-change issues first.
Verify the delivery without using the message
- Open the retailer account, marketplace order, or carrier app yourself.
- Type the carrier website directly or use a saved bookmark.
- Compare the tracking number, sender, destination, delivery status, and order history.
- If the message has no matching order or tracking record, treat it as suspicious.
- If you are expecting a package, still do not use the message link as proof.
Redelivery, address, customs, and postage requests
USPS says it does not charge a fee for redelivery. USPIS also says that USPS text tracking is tied to a customer-initiated tracking request and that suspicious package texts with unfamiliar links should not be clicked.
Other delivery payments need more nuance. UPS says only some packages require money for delivery, such as collect-on-delivery, duties, or taxes, and that tracking is the safest way to see whether a fee is due. DHL says email or SMS payment requests are only for customs duties and taxes, with safety measures in its process.
The practical rule is the same: do not pay from an unexpected message link. Check the fee through the official carrier, retailer, marketplace order, or customs process you reached yourself.
If you clicked the delivery link
A click is not the same as submitting a card number, password, one-time code, or ID. The useful question is what loaded and what you approved.
- If the page did not load, close it and do not try again.
- If the page loaded but you entered nothing, check for downloads, permission prompts, calendar/profile prompts, or account alerts.
- If you typed financial details, even without finishing the form, contact the card issuer or bank.
- If the page asked you to install an app, profile, file, or extension, remove it and review device and account activity.
- If the page sent you to a phone number, do not call back through that number.
For phone, app, browser, or account changes after a click, use the phone and account compromise page.
If you entered card, login, code, or personal information
Act based on what was exposed.
- Card number or CVV: call the card issuer using the number on the card, official app, or official website. Ask about card replacement, pending charges, disputes, and monitoring.
- Bank login or payment account: change the password from the real site, turn on multi-factor authentication, and review sign-ins or transfers.
- Retailer, carrier, or Amazon login: open the real account yourself, change the password, review orders and messages, and report suspicious communication through the official support path.
- One-time code: treat it as possible approval of a login, payment, account change, or password reset.
- Name, address, phone, or email: expect more targeted follow-up messages. If SSN, ID images, or financial documents were exposed, use the personal-information exposure page.
Do not pay another fee to cancel, refund, release, or recover the first payment.
Fake tracking numbers and real-looking package timing
A tracking number, logo, carrier name, or delivery deadline does not prove the message is real. A number can be fake, copied, expired, unrelated, or attached to a shipment that is not yours.
Check whether the tracking record matches the order, sender, destination, and carrier you expect. If the message says there is a delivery problem but the real order page does not show one, trust the account you opened yourself over the message.
What to save
- Screenshot the text, email, QR notice, voicemail, door notice, or call log.
- Save the sender number, short code, email address, caller ID, or visible URL.
- Save the tracking number, carrier name, order number, and delivery claim.
- Write down whether you clicked, scanned, replied, called, typed, submitted, paid, downloaded, or approved a prompt.
- Keep payment records, transaction IDs, card alerts, bank alerts, and account security emails.
- Save follow-up texts, calls, or emails connected to the same package, fee, or address.
Where to report or get help
ScamClarity is not an official reporting destination. Use the path that matches what happened.
- Use your phone or email app's report junk, spam, or block option.
- Forward scam texts to 7726 when your carrier supports it.
- For USPS-related package smishing, follow USPIS reporting steps and include the message, sender, date, screenshot, and what happened.
- Report consumer fraud to FTC ReportFraud.
- Report internet-enabled fraud, losses, or account compromise to IC3.
- Report unwanted calls or texts through the FCC complaint center when appropriate.
- Report impersonated carriers through FedEx, UPS, DHL, Amazon, or the carrier's official fraud-reporting channel.
- Contact the card issuer, bank, payment provider, retailer, marketplace, account provider, or carrier through official channels if payment or account information was entered.
For U.S.-specific reporting context, the United States scam reporting page explains how FTC, IC3, IdentityTheft.gov, local police, and providers fit together.
How this overlaps with smishing and phishing
A delivery scam sent by text is also smishing. A delivery scam sent by email, QR code, fake website, voicemail, or app message can overlap with phishing or vishing.
Use the smishing page when the main issue is a text-message link, reply, 7726 reporting, or phone-specific concern. Use the phishing page when the main issue is a suspicious email, attachment, login page, QR code, or cross-channel link.
FAQ
Can one click on a delivery link hack my phone?
One click is not the same as entering information, approving a prompt, or installing something. Close the page, do not reopen it, and check for downloads, app/profile prompts, browser permissions, or account alerts.
Is a small delivery fee always fake?
No. Some duties, taxes, postage, or collect-on-delivery charges can be real. The unsafe part is paying through an unexpected message link. Verify through the carrier or retailer account you opened yourself.
What if I entered my card number but the payment failed?
Contact the card issuer anyway. A fake form can still collect card details even if the page says the payment failed.
What if the tracking number works?
Check whether it matches your order, sender, destination, and delivery status. A real tracking number can still be unrelated to you.
Is this the same as smishing?
If it came by text, yes. Delivery scams can also arrive by email, QR code, voicemail, fake tracking pages, app messages, or phone calls.
Sources checked
These sources were used to verify carrier-specific delivery-scam guidance, reporting paths, and what to do after payment, login, code, or device exposure.
- USPIS: Smishing package tracking text scams
  USPS package smishing patterns, USPS text-tracking context, 7726 reporting, spam@uspis.gov, and financial-institution contact after interaction.
- USPS FAQ: Scams and Scheme Alerts
  USPS redelivery fee warning, USPS smishing/vishing context, and USPS-related scam reporting direction.
- FTC: Think that text message is from USPS?
  Fake USPS, FedEx, and DHL delivery text patterns, missed delivery claims, unpaid postage, independent verification, 7726, and ReportFraud.
- FTC: How to recognize and avoid phishing scams
  Checking through known websites and phone numbers, responding after information exposure, IdentityTheft.gov context, and phishing reporting.
- FTC ReportFraud
  Official U.S. consumer fraud reporting.
- FBI IC3
  Internet-enabled fraud reporting and evidence retention for online scam complaints.
- FCC: Unwanted calls and texts
  FCC unwanted text complaint categories and reporting context for unwanted calls, texts, and spoofing.
- FedEx: How to recognize and help prevent fraud and scams
  FedEx impersonation warnings, delivery-notice scams, unauthorized charge guidance, and fraud contact context.
- UPS: Protect yourself from fraud and scams
  UPS delivery-payment nuance, unexpected money or information requests, tracking verification, and fake website checks.
- DHL: Fraud awareness
  DHL phishing and SMS warnings, shortened URLs, suspicious sender details, customs/duties nuance, and DHL reporting.
- Amazon: Tips to stay safe and avoid scams
  Amazon order verification, official Amazon app/site guidance, suspicious-message reporting, and reportascam@amazon.com context.
- CISA: Recognize and report phishing
  Phishing recognition across emails, texts, phone calls, and direct messages, including suspicious links and requests for financial information.