Your phone pings with an incoming text. You swipe it open to find a message from the USPS. They’re texting to let you know that the scheduled delivery time for your package has been changed. Unfortunately, though, the message is not from the USPS and you’ve just been targeted by a scam.
Here’s what you need to know about the USPS smishing text scam.
How the scam plays out
In the USPS smishing text ruse, a target will receive a text like the one described above. The message prompts the victim to click on a link to reschedule the delivery. However, if the victim follows the instructions, they’ll be falling victim to a smishing text scam.
The United States Postal Inspection Service (USPIS) is warning of an uptick in smishing scams that use the USPS as a cover, conning unsuspecting victims into downloading malware onto their phones or sharing personal information with scammers they assume is the USPS. The scammer will then go on to empty the victim’s accounts or steal their identity.
Individuals who’ve recently made online purchases and are expecting a package delivery within the next few days are especially vulnerable to this scam. To the uninformed, the text looks legitimate, and with just one careless click, the scammer has access to the victim’s device and personal information.
However, with one crucial bit of information, you can protect yourself from falling victim to the USPS smishing scam: The USPS never sends out unsolicited text messages about a package. The company will only send a message when a consumer has signed up for alerts about a package’s delivery. If you have not signed up for messages from the USPS, and you receive a text like the one described above, you know you’re being targeted by a scam.
What to do if you’re targeted
If you’re targeted by a smishing text scam, the USPIS recommends taking the following steps:
- Verify the sender. Confirm the identity of the message sender by checking with the USPS if you actually have a delivery schedule change. Don’t call the number on the text. Instead, reach out to your local USPS office directly.
- Don’t reply or click on links. Replying to the message or downloading an embedded link can install malware onto your phone.
- Delete. Save a screenshot of the text to share with law enforcement agencies and then delete the message.
Block the number and update the security on your device. Prevent a recurrence of the scam by putting the number on your “Do Not Call” list and beefing up the security settings on your phone.
- Keep personal information personal. Never share sensitive information, like your Social Security number or financial account details, with an unverified contact.
Report the scam
Do your part to stop the scammers by reporting it to the proper authorities.
First, you can report smishing scams that impersonate the USPS to the Inspection Service Cybercrime Team at the USPIS by email. Take a screenshot of the text and send it to firstname.lastname@example.org. Make sure your screenshot shows the number of the sender as well as the date it was sent. You’ll also need to include your name in the email so the team can reach you, along with any other relevant details about the scam, such as money you may have lost, links you may have downloaded, and personal information you may have shared. The USPIS will contact you if it needs any additional information to help nab the scammers.
You can also report the scam to the Federal Trade Commission at FTC.gov and let your friends and family know about the circulating scam.
Stay alert and stay safe!