The Mac Security Blog

Security & Privacy

Beware of fake package delivery texts and e-mails! Here’s what to look for

Posted on by

Cybercriminals have a bag of tricks that they use to deceive victims. One of the most common scams is fake package delivery notifications. They may come as text messages—via SMS or even iMessage—or as e-mails.

Such scam messages often claim that there’s something wrong with a package delivery. The goal is to trick recipients into clicking on a link, or calling a phone number, in the message. This may be a phishing link, trying to obtain additional information from the recipient, potentially including their e-mail address and a password they commonly use. (This is one reason why you should never reuse passwords, and always enable two-factor authentication.)

An example package delivery scam text (sent via iMessage)

Let’s take a look at a recent example of such a scam message sent to an Intego team member:

The message claims that “Your package cannot be delivered due to incorrect address information.” It provides a URL (Web address) that starts out with “https://usps.com”—but note the next character in the address. If it ended with .com or .com/ that would be one thing. But the domain portion continues.

What’s really going on here is that the domain isn’t usps.com, but rather com-track[redacted]fu.top; the “usps.” part is really just a subdomain, designed to trick you into seeing usps.com and ignoring everything after that. But details matter, and that stray “-” is the clue that something is amiss. In this case, the domain actually ends in .top (not .com); .top domains are frequently used by scammers.

Thankfully, Apple didn’t turn this into a clickable link on the recipient’s iPhone, so it would have taken a little effort to copy and paste (or retype) the scam URL into a browser. But the Messages app on macOS typically does treat URLs as links—so be careful.

Note that although some scam messages may come via a standard old SMS text message, this one actually came via Apple’s iMessage service. Don’t assume that iMessages are more trustworthy than SMS or RCS texts when receiving something unsolicited; scams can come via any of these services into the Messages app.

And, of course, scams can masquerade as any package delivery service. In this case, the scammer claimed to be USPS; you may also see scams related to UPS, FedEx, DHL, OnTrac, ShipBob, Royal Mail, or other shipping services.

What should you do if you receive a text message that’s a scam?

If you get a package-related text message and you’re confident that it’s a scam like the one above, tap on “Report Junk.” You’ll be asked to confirm; “Report this conversation as junk by sending it to Verizon [or your carrier] and Apple from your phone number.” Tap the “Delete and Report Junk” button to proceed.

What does a legitimate package delivery text message look like?

Here’s an example of a legitimate message I received recently from FedEx:

Pay close attention to the domain part of the URL; it’s fedex.com followed immediately by a slash. This is, in fact, the legitimate FedEx site.

If you’re ever unsure, ask a trusted family member or friend who’s good at discerning whether something may be a scam or not.

What about if I receive a fraudulent package alert e-mail?

Phishing e-mails that claim to be from package delivery services may, in some cases, be a little more difficult to identify. Scammers have more options for message formatting, and may choose to hide the URL behind a clickable link. See our recent article on how to safely check whether a link is safe without clicking on it.

Is this link safe? How to check safely—without clicking on it

If you’re confident that it’s a scam e-mail, forward it to [email protected] — the Anti-Phishing Working Group. They won’t reply, but their experts will analyze the e-mail. If applicable, APWG will follow up with law enforcement or domain name registrars to take action against the scammer.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on X/Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on LinkedIn Follow Intego on Pinterest Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →