Fake Delivery Texts via SMS
How smishing messages impersonating parcel carriers reach millions of phones and harvest card details through lookalike payment pages — why SMS makes these harder to verify, and how to protect yourself.
Part of: Fake Delivery Texts
Last reviewed: 1 June 2026
SMS is a uniquely effective phishing channel because it bypasses many of the signals that alert email recipients: there is no sender domain to check, no spam filter trained on message patterns, and the small-screen format makes full URL inspection difficult. Fake delivery texts exploit all three of these properties, arriving as short, urgent messages that look plausible and link to pages designed to capture card details.
This guide focuses on the SMS-specific mechanics of delivery text fraud — the sender ID spoofing techniques that make texts appear to come from real carriers, the URL obfuscation tactics, and the exact steps to take before and after receiving a suspicious delivery text.
How this scam works on SMS/text
Smishing campaigns are sent to large lists of mobile numbers with no targeting — the assumption is that most recipients are expecting at least one parcel at any given time, making the claim plausible for a significant fraction of recipients. Texts typically display a sender name matching a real carrier ('Royal Mail,' 'UPS,' 'FedEx') using alphanumeric sender ID, which anyone with access to an SMS aggregator can set.
The link in the text leads to a page that copies the carrier's branding. On a mobile browser, the address bar is partially hidden and users are less likely to scrutinise the full URL. The page requests an address confirmation or a small payment (often £1.99 or $3.99) for redelivery. Card details entered are captured in real time.
A more sophisticated variant runs a real-time relay attack: when you enter your card number, the attacker simultaneously tries to use it on a real payment site, triggering a one-time passcode to your phone. The fake site then asks you to enter that code — handing over both your card details and the authentication token in a single session.
Common red flags
- Unexpected text from a carrier name asking for a fee or address update via a link
- Link in the text that does not match the carrier's known official domain
- Request for full card details on a page reached via a text link
- A one-time passcode arriving on your phone while you're on a delivery payment page — do not enter it there
- Text arrives from a mobile number rather than the carrier's official alphanumeric sender ID
- Extreme urgency: 'parcel returned in 24 hours' if you do not act
How to protect yourself
- Never follow links in unexpected delivery texts — go directly to the carrier's official app or website to track your parcel
- On mobile, tap and hold any link to see the full URL before opening
- If you are expecting a parcel, track it using a reference number you received at purchase — not via unsolicited texts
- Forward suspicious texts to 7726 (SPAM) — this works in the US, UK, Australia, and many other countries
- A one-time passcode arriving while you are on an unfamiliar payment page is a sign of a relay attack — close the page immediately
How to report it
- Forward the text to 7726 (SPAM) to report to your mobile carrier
- Report to the FTC at reportfraud.ftc.gov (US), Action Fraud (UK), Scamwatch (Australia)
- In the UK, report the phishing site to the NCSC at [email protected]
- If card details were entered, contact your card issuer immediately to cancel the card and dispute any charges
Frequently asked questions
Why does the text appear to come from the carrier's real name?
SMS alphanumeric sender IDs — the name displayed instead of a number — are set by whoever sends the message. They are not verified against any registry. An attacker with access to an SMS sending service can display 'Royal Mail,' 'FedEx,' or any other name. The sender name is not proof of origin.
I entered my card number but not the CVV — am I safe?
Partial card data still carries risk. Some fraud can be committed with card number and expiry alone; full data including CVV enables more. Contact your card issuer, explain what was shared, and ask whether you need a replacement card. Monitor your statement closely for the next several weeks.