Bogus post office texts deliver a ‘shocking’ amount of traffic to scam websites
“The USPS package has arrived at the warehouse and cannot be delivered.” It’s a message we’ve all received, probably dozens of times.
Given their ubiquity, it might be hard to believe that text scams impersonating the United States Postal Service actually work. But based on web traffic to domains connected to these texts, the scammers are still reeling in victims.
Researchers at the cybersecurity company Akamai decided to look into USPS-related smishing campaigns — when texts are used to trick people into, say, downloading malware or sharing information — after a noticeable upsurge in activity around the 2023 Christmas holiday season.
Using a smishing text sent to one Akamai employee as a reference, the researchers compiled internet domains they determined to be connected to the scams.
“Our harsh parameters meant that we were exceedingly conservative with our analysis,” they wrote. “We could have definitely collected appreciably more malicious domains that impersonate the USPS, but it was critical that we avoided including false positives in this dataset.”
The results? “Shocking.”
Traffic to the malicious sites was typically on par with traffic to the actual USPS website — a popular service since it includes tracking information — and even exceeded legitimate traffic around the holidays, when the scams ramp up to take advantage of a surge in package deliveries.
“We saw an extraordinary amount of malicious traffic, which makes the true impact of these impersonations astonishing,” they said.
The top malicious domain, usps-post[.]world, received more than 169,000 queries over a five-month period, with the next most popular seeing about 150,000.
Typically, the texts include a link that takes people to a spoof site for the postal service. Often the site will ask people to pay a “redelivery” fee for their purported packages, requiring them to enter their payment information.
The USPS and the U.S. Postal Inspection Services both have pages on their websites about smishing scams; the latter encourages recipients to report them to [email protected].
Despite public awareness announcements, the texts clearly are still having an impact.
“It’s not surprising that USPS phishing campaigns have been, and continue to be, so popular for scammers,” Akamai wrote. “Unfortunately, there are tons of people visiting these websites, which means they’re lucrative for the attackers running them.”
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.