Is it safe to click a link in a delivery text message?
Delivery text scams are among the most common phishing methods in use today. Unless you initiated a tracked delivery and the link matches the carrier's official domain, do not click it.
Last reviewed: 10 June 2026
Explanation
Fake delivery notifications — sometimes called 'smishing' — impersonate parcel carriers such as national postal services or major couriers. The message typically claims a package could not be delivered and directs you to a link to reschedule or pay a small customs fee. The link leads to a convincing fake website that harvests card details, personal information, or login credentials.
The small fee element is psychologically effective because it seems trivial. Victims enter their card details to pay a pound or a dollar and unknowingly hand over their full card number, expiry, CVV, and billing address to criminals who then charge large amounts or sell the data.
To check whether a delivery notification is genuine, open a fresh browser tab and type the carrier's official website address directly, or use the tracking number in the message by entering it yourself on the official site. Avoid clicking any link in an unexpected text, even if the sender's name looks familiar — SMS sender names can be easily spoofed.
If you have children or elderly relatives who receive parcels regularly, explain this specific scam to them. The format is highly convincing and the fake sites are often near-pixel-perfect copies of real carrier websites.
Common red flags
- You were not expecting a delivery or have no outstanding orders
- The link goes to an unusual domain rather than the carrier's official address
- Message asks for a small customs or redelivery fee before showing any tracking information
- Spelling or grammar errors in the message body
- The sender number is a regular mobile number rather than a short code or verified business sender
- The website reached via the link requests card details immediately
What to do now
- Do not click the link — instead, go directly to the official carrier website and enter the tracking number manually
- If you already clicked and entered card details, contact your bank immediately to freeze the card
- Report the smishing message to your national spam SMS reporting service
- Forward the suspicious text to 7726 (SPAM) in the US and UK as a quick report
- Delete the message and block the sender number
- Check your bank statements over the following weeks for unauthorised charges
Frequently asked questions
What if I clicked the link but did not enter any information?
Simply loading a malicious page can sometimes trigger drive-by downloads, but this is less common than credential harvesting. Run a reputable malware scan on your device, ensure your browser is up to date, and monitor your accounts for unusual activity.
How can I tell if a delivery text is real?
Check whether you are genuinely expecting a delivery. If so, copy the tracking number (not the link) and paste it into the official carrier website. Legitimate carriers never require payment through a link sent in an SMS.