I’m an Idiot. Don’t Fall for the Phishing Scam I Just Fell for

Q: What is a mail delivery scam?

A mail delivery scam is a phishing tactic where fraudsters send texts or emails claiming an issue with a package to trick recipients into giving personal or payment information.

Q: How can I tell if a delivery message is fraudulent?

Look for misspelled URLs, unusual domain endings, urgent demands for payment, unsolicited links, poor grammar, and requests for card details—official carriers rarely ask for payment via text links.

Q: What should I do if I entered my card details on a phishing site?

Immediately contact your bank to cancel the card, monitor accounts for unauthorized charges, change passwords, and report the incident to local police and relevant fraud agencies.

Q: Can scammers know I mailed a package or do they send messages randomly?

Both are possible: attackers may harvest information via bots or third-party data, but many campaigns are broad “blast” attempts that target large numbers of phone numbers hoping for victims.

Q: How can I protect myself from future mail delivery scams?

Do not click links in unsolicited messages, verify tracking directly with the carrier’s official site or app, scrutinize URLs, enable two-factor authentication, and keep payment and account information private.

Published by

Clara

Jan 23

Mail Delivery Scam: Avoid Parcel Phishing Traps

Don’t be like me. Don’t be foolish.

I feel embarrassed. After years of occasionally writing pieces about fraud and scams, I fell victim to a straightforward phishing scheme on my mobile phone. I handed over my debit card details to a fraudster — possibly located in the small European country of Montenegro.

Here’s how it unfolded: Two days after I sent a parcel, I received a text saying the delivery was undeliverable. A link led me to a site that looked like an official Postal Service page, asking me to enter card information to “re-mail” the package.

I entered my personal financial details, even though in hindsight I clearly should have known better.

This episode left me with two pressing questions:

How did these con artists know I had mailed a package?
Should others be concerned? What steps should they take?

So I consulted several online security specialists. They didn’t all agree on whether the scammers truly knew I had sent a parcel.

But they did concur on one point: This sort of text-based scam is on the rise. People need to be alert, the experts said, because the issue likely will only worsen.

How the Scam Operated

This was a textbook phishing scheme.

Phishing occurs when someone impersonates a trusted company or organization to obtain your private information. They may pose as your bank, a government agency, or a service you’ve used before. They often request bank account numbers, Social Security numbers, passwords and other details that legitimate organizations would not ask for.

Here’s how the scam targeted me:

I had recently mailed a parcel through the U.S. Postal Service. The key detail is that I hardly ever send packages — this was a rare instance.

Two days later I received this text: “[.USPS.] Your package is undeliverable, the address on file did not match the zip code, please update the address.”

Foolishly, I clicked the link, which took me to a website that genuinely resembled an official U.S. Postal Service site. To “re-mail” my parcel, I entered my debit card number, expiration date and three-digit security code.

To be fair, I was a bit tired and distracted at the moment, so I didn’t think it through. And I had been somewhat anxious about the package because it mattered to me.

That’s why I missed several obvious warning signs — like the fact that the supposed “U.S. Postal Service” site I visited had an IP ending in “.me,” which is Montenegro’s internet domain. Montenegro is a small European nation bordering Serbia and Kosovo, north of Greece.

Once I realized what I’d done, I immediately phoned my bank and canceled the debit card before a scammer in the Balkans could siphon money from my account.

Right now I’m without a debit card, which is a hassle. But the persistent question that nags me is: How did the scammers know I’d sent a package? I turned to a range of online security experts — engineers, banking officials and attorneys who deal with these incidents — to find out.

What the Experts Say

“Mail delivery scams begin with an apparently official email or text about a package you’ve sent or one that’s being ‘sent’ to you,” said Washington, D.C., attorney Allan M. Siegel. “These messages often push you to click a link to update personal information or payment methods.”

Siegel thinks a scammer may have obtained my phone number via “bots” crawling millions of websites, then cross-referenced it with shipping records.

Martin Gasparian, an attorney at Maison Law in central California, concurred:

“Your information was likely grabbed by bots scouring millions of sites on the internet,” he said. “In this scenario, your email or phone number was probably used on an official shipping site but was harvested and exploited by crooks.”

How does that happen?

“There are several avenues for someone to gain access to your USPS package details,” said network security engineer Andreas Grant, founder of security firm Networks Hardware. “The most typical approach is obtaining your package tracking information. A parcel travels through many hands before reaching its destination, so a lot of people could be suspect here.”

However, other security professionals think the text I received was likely a numbers game — a random cast of a wide net by the scammer rather than the result of insider knowledge.

“It’s probable they had no way of knowing you were expecting a package. Instead, they sent the identical message to perhaps millions of recipients,” said Colin Palfrey, chief marketing officer at personal finance management company Crediful.

Chris Drake, a telecom security specialist and chief technology officer at communications firm iconectiv, agreed:

“It’s far more plausible they didn’t specifically know you were awaiting a package and simply blasted out a million of these messages waiting for replies.”

One thing all these experts share: These scams are growing increasingly common.

“People who manage online shipping accounts must stay alert, as these schemes are becoming more refined and harder to spot,” warned Ben Michael, an attorney with Michael & Associates in Austin, Texas.

How to Protect Yourself

Again, don’t follow my example. Read every word in a text carefully before you react.

Below are recommendations from the experts and the Federal Trade Commission on avoiding scams:

Don’t click links in unsolicited messages; they may redirect you to phishing sites.
Look for warning signs like poor grammar, misspellings, and unfamiliar domain names.
“Whenever you receive a text or email asking you to reconfirm or reenter your credit card data, scrutinize the message,” said Grant, the network engineer. “Be alert for typos in the URL, as scammers often use subtly misspelled versions of legitimate domain names.”
Remember that scammers want you to act immediately. That urgency is a major red flag. Why the rush? Because they’re trying to trick you into sending money before you can verify who’s on the other end. Resist pressure to respond right away.

If You’ve Sent Money to a Scammer

Here’s Savinly’s step-by-step advice for what to do if you’ve been conned. The essentials are:

Secure your bank accounts and credit cards immediately.
Contact the three major credit bureaus. You can also use a service like Credit Sesame, which helps spot issues on your credit report — free of charge. If you discover problems, Credit Sesame can assist with disputes.
Change your passwords.
Report the fraud to your local police department, state consumer regulators and the FBI.

Again, don’t repeat my error. Stay alert. Don’t be deceived.

Scammers are more active than ever, and they’re not going away. Use common sense, remain vigilant, and protect yourself.

Michael Bransfield ( [email protected] ) is a senior writer at Savinly.