Wednesday, July 9, 2025
Latest:
ZDNet | Security

Got a suspicious UPS text? Don’t reply – it might be a scam. Here’s how to tell

TH Author
I received a text message from UPS -- here's how I knew it was a scam

Elyse Betters Picaro / ZDNET

I’ve been anxiously expecting a package from UPS. That’s why a text I received the other day caught my eye. Claiming to be from UPS, the message said that the carrier attempted to deliver the package on June 27, but the delivery couldn’t be completed. The date was one when my wife and I were away, so this seemed legitimate at first glance.

Also: Got a suspicious E-ZPass text? Don’t click the link (and what to do if you already did)

However, I’ve written plenty of cybersecurity stories, and I keep abreast of the latest news in the world of cybercrime. I know that UPS scam messages have been making the rounds, especially at this time of year. Naturally, my spider sense started tingling even before I read the text itself. But after reviewing the message and checking out all the details, I realized this was clearly a scam.

Scammers like to schedule specific types of scams for certain times of the year. During tax season, you’ll see a lot of scams that spoof the IRS. During the holiday season, gift card scams ramp up. And during the summer, missed-delivery scams are popular since the crooks know that people are often away on vacation.

Delivery scams are also popular now because big shopping events like Amazon Prime Day (July 8 to July 11) and Walmart’s competing sales (July 7 to July 13) are creating massive numbers of packages, J Stephen Kowski, field CTO at SlashNext Email Security, told ZDNET.

“Scammers know people are expecting more packages than usual during these promotional periods, so their fake delivery alerts are more likely to fool someone who’s actually waiting for multiple orders,” Kowski explained. “These classic phishing campaigns have been running for years, targeting UPS, USPS, FedEx, and international services like Royal Mail in the UK and the South African Post Office, but they come in waves, and summer sales season is prime time for package-related deception.”

How the UPS scam works

This particular UPS scam is a savvy one, at least in some ways. I received the message on my iPhone, with the sender labeled as unknown. By default, links in a text message from an unknown sender are disabled, so you can’t click on them to open them. But the scammer used a sneaky trick to get around this obstacle.

Also: Clicked on a phishing link? 7 steps to take immediately to protect your accounts

You’re instructed to reply to the message by typing Y. Doing so turns the scammer into a known sender. Open the message again, and now the link is clickable. If that doesn’t work, another option is to copy and paste the link into Safari, where it takes you directly to the malicious website.

From there, the website prompts you to confirm your contact information if you want to get your package. That means your name, address, phone number, and sometimes a credit card or Social Security number. If you take the bait, the criminals now have all those sensitive details that they can use to steal your money or your identity.

“Scammers want to harvest personal information like names, addresses, Social Security numbers, and credit card details through fake websites that mimic UPS pages,” Kowski said. “They often start with small ‘delivery fees’ of under a dollar to get your payment information, then use those card details for much larger unauthorized purchases. Some malicious links also install software that can monitor your device activity, steal login credentials for banking apps, and even access your camera and microphone for ongoing surveillance.”

How I can tell it’s a scam

Beyond a general awareness of these types of scams, what other clues tipped me off?

First was the sender’s email address. Rather than adopt an official UPS name or address, the scammer used a random handle and domain name that had no relation to UPS. The email address is easy enough to review. Always scrutinize it to see if it seems legitimate or related to the company.

Also: I clicked on four sneaky online scams on purpose – to show you how they work

Second, the message conveyed a sense of urgency — always a sign of malicious intent. In this case, the text told me that my package would be held by UPS for a mere three days before being sent back to the original sender. That’s a short timeframe without even an attempted redelivery, which UPS usually tries before sending the package back.

Third, emails or messages from UPS generally include a tracking number or other means of identifying the package. This message contained no specific details and was instead generic and vague, another sign of a scam.

“Scammers create urgency by claiming your package will be returned if you don’t act immediately, playing on people’s fear of losing something they’re expecting,” Kowski said. “They deliberately keep messages vague without specific tracking numbers or personal details, casting a wide net to catch anyone expecting a delivery. The most clever trick is asking victims to reply with ‘Y’ to activate links that are initially disabled by phone security features, essentially making people bypass their own protection systems.”

How to protect yourself

Combine all those clues with an awareness of current trends in cyber scams, and I knew this was clearly fraudulent. Aside from deducing the clues, how can you protect yourself from these types of scams?

  1. Never respond to a text message directly. Instead, launch a browser and open the website in question — in this case, the UPS site. Sign in with your account if you have one, and check for any recent messages or notifications. If you’re expecting a delivery, you should find the information about it on the site. You can also always call the company directly to investigate further.
  2. Never click on a link or attachment. Apple wisely disables links from unknown senders. But if you do ever receive a text or email with a link or attachment, never engage with it. Again, check the related website separately.
  3. Proofread the message. The text I received was well-written, but many spam and scam messages contain typos and grammatical errors. Look for any misspellings or other mistakes.
  4. Check the company’s website for help. Many companies like UPS offer online advice on how to detect and avoid scams. The UPS page on “Protect Yourself From Fraud and Scams” looks at different types of fraud and how to combat them.
  5. Look for missing specifics. Legitimate messages from UPS include your name, actual tracking numbers, and delivery addresses, Kowski said. Be wary if such details are missing.

Also: That weird CAPTCHA could be a malware trap — here’s how to protect yourself

Get the morning’s top stories in your inbox each day with our Tech Today newsletter.

READ MORE HERE