Smishing Investigation

How to Trace a Fake Delivery-Text Scammer

That text claiming a USPS, FedEx, or UPS package is “on hold” until you pay a small redelivery fee is not a billing glitch. It is the front end of an organized smishing operation built to harvest your card number and personal details, then move the proceeds through phishing sites, digital wallets, and reshipping mules. This guide explains exactly how the scam works, where to report it so it actually lands, and how the people behind the spoofed sender and the lookalike website get traced lawfully through public-records research.

Report It Right Trace the Operator Since 2004
Most-ReportedText Scam in the US
Forward 7726Report to Your Carrier
No Fee TextsReal Carriers Do Not Charge
Since 2004Lawful Skip Tracing

The Short Version

If you got a “package held, pay a small redelivery fee” text, do not tap the link, and never enter a card. Legitimate carriers do not text you for a redelivery fee, and any unsolicited tracking text you did not sign up for is fake. Forward the message to 7726, which spells SPAM, so your phone carrier sees it; report it to the FTC and the FBI; and if you already entered card or login details, call your bank to lock and reissue the card, then change any password you reused. The link goes to a lookalike phishing site that captures your data in real time, so speed matters. Once the immediate damage is contained, the people running the operation are not invisible: the spoofed sender, the lookalike domain, the payment rails, and the reshipping addresses all leave footprints. Our investigators trace those footprints lawfully through public records to help put a real name and location behind the scam. We never promise recovery, and we never collect anything you are not entitled to.

Watch: The Fake Delivery-Text Scam

How the smishing message works, and how the trail is followed.

▶ Video Overview

What the Fake Delivery Text Actually Is

One short message, engineered to make you act before you think.

The message is short on purpose. It claims a parcel could not be delivered, that an address needs confirming, that a customs charge is owed, or that a tiny redelivery fee is due before your package is released. There is just enough friction to feel real and just enough urgency to make you move fast: act now or the package goes back. This is “smishing,” short for SMS phishing, and package-delivery texts are now the most-reported text scam in the country. The whole thing is designed to skip the part of your brain that would otherwise notice the wrong sender, the odd link, or the simple fact that real carriers do not text strangers for money.

Here is the detail that cuts through all of it: legitimate carriers like USPS, FedEx, and UPS do not charge a redelivery fee by text, and they do not send tracking texts for packages you never signed up to track. So any “pay to release your package” text is fake by definition, no matter how polished it looks. The fee they ask for is deliberately small, often just a couple of dollars, because a tiny charge lowers your guard. The few dollars are not the prize. Your card number and personal details are. The same lawful research our investigators use to help people find someone who scammed them applies squarely to the crews running these texts, because the message is the bait, not the business.

How to Know It Is a Scam

The pattern is consistent. If several of these fit, treat it as fraud.

A Fee to Release It

Any text asking you to pay a redelivery, customs, or “small handling” fee is fake. Real carriers do not bill you this way by text.

A Package You Never Tracked

You did not order anything, or you never signed up for alerts on this shipment, yet a tracking text appeared anyway.

A Lookalike Web Address

The link is not the real carrier domain. It is a near-copy, such as a usps-delivery or fedex-tracking style address with extra words.

Manufactured Urgency

The text warns the package will be returned, held, or destroyed within hours unless you act. Pressure is the tell.

An Odd or Foreign Sender

The number is a long international string, an email-to-text gateway, or a generic short code that has nothing to do with the carrier.

It Wants Your Card

The site asks for your name, address, and full card number to “pay the fee.” That request alone confirms the scam.

The Operation Behind the Text

The message is one link in a longer, deliberate chain.

It is tempting to picture a lone person typing texts. The reality is an assembly line, and understanding it is what makes the scammers traceable rather than mysterious. It starts with sender spoofing. Faking the displayed sender or routing through an email-to-text gateway is technically illegal but trivially easy, which is why the message can look like it came from a carrier even though it did not. Spoofing hides the surface, not the infrastructure underneath.

Next comes the phishing domain. The link points to a lookalike website built to mimic the carrier’s tracking page. These domains are registered in bulk, spun up fast, and burned just as fast, but registration, hosting, and the kits used to build them leave records and reuse patterns. When you submit the form, the site captures your card and personal details in real time. Researchers have documented operations that immediately load the stolen card into a mobile wallet, and that quietly tell victims the first card “did not go through” so they will enter a second one, harvesting more than one payment method per person.

From there the value has to be turned into goods or cash. The crews use the stolen cards to buy high-demand electronics and luxury items, then ship them to reshipping mules, sometimes unwitting people recruited through fake work-from-home jobs, who forward the goods for resale. Each of those steps, the registrant behind the domain, the email or phone tied to the account, the wallet or payment processor, and the mule address that received the parcel, is a real-world identifier. That is precisely the layer our team works when we investigate fraud: not the spoofed front, but the people and accounts the operation cannot run without.

What to Do Right Now

Whether or not you tapped the link, work through these in order.

Two situations, one calm response. If you only received the text and did nothing, you are reporting to protect the next person. If you entered card or login details, the priority is containment first, then reporting. Report fraud and identity-theft exposure to the FTC at reportfraud.ftc.gov, which also generates a recovery plan if your information was exposed, and file the incident with the FBI Internet Crime Complaint Center at ic3.gov, the central federal intake that aggregates these complaints into investigations.

1

Do Not Tap, Do Not Pay

Do not open the link or enter anything. If you already did, stop, and move straight to locking your card. The link feeds a live harvesting page.

2

Screenshot, Then Forward to 7726

Capture the full message and the sender first. Then forward the text to 7726, which spells SPAM, so your carrier can act on it.

3

Lock the Card, Change Passwords

If you entered a card, call your bank to freeze and reissue it and dispute any charge. Change any password you reused on the fake site.

4

Report to the Agencies and the Carrier

File with the FTC and the FBI, and email the carrier’s fraud or abuse inbox. Block the number after you have saved the evidence.

What to Save Before You Block

The evidence you keep is what makes a report, or a trace, possible.

Most people delete the text the moment they realize it is a scam. Resist that. The few minutes you spend preserving it are what give an investigator or an agency something to act on. On the message side, screenshot the full text showing the sender number or short code, the exact wording, and the timestamp, and copy the link without tapping it, since the domain itself is a lead. On the site side, if you reached the page, note its full web address and anything it asked for. On the loss side, save the card you entered, any charge that appeared, and the date and amount, plus any confirmation or follow-up message. If goods were ordered in your name or shipped somewhere odd, capture the order details and the delivery address. Keep all of it in one dated folder. You will reuse the same package for the FTC, the FBI, your bank, the carrier, and, if you choose to pursue identification, for us. A clean record of the sender, the domain, the payment trail, and any reshipping address is exactly the raw material lawful research turns into a name.

Where to Report Every Channel

File with all of these. Each one does something the others cannot.

WhereWhat It DoesHow to Reach
7726 (SPAM)Forwards the message to your mobile carrier so it can investigate and block the source network.Forward the text to 7726
FTCLogs the fraud for enforcement and builds an identity-theft recovery plan if your data was exposed.reportfraud.ftc.gov
FBI IC3The central federal intake for internet crime. Aggregates complaints into investigations and seizures.ic3.gov
Postal InspectorsHandles USPS-branded smishing and parcel fraud. Forward the email or text evidence to them.U.S. Postal Inspection Service
The CarrierConfirms the message is fake and feeds the domain to its abuse and takedown teams.The carrier’s fraud or abuse inbox
Your Bank or Card IssuerFreezes and reissues a compromised card, disputes charges, and watches for follow-on fraud.Fraud department, by phone

Do not skip a channel because you assume one report changes nothing. These cases are built from volume: many small, detailed complaints that let analysts connect one phishing domain or payment account to thousands of victims. Your report, with the exact sender and link preserved, may be the one that ties a cluster together.

How the People Behind It Get Traced

Spoofing hides the message. It does not erase the operators.

“They spoofed the number, so they are untraceable” is the assumption the crews rely on, and it is wrong. The spoof only disguises what shows on your screen. The operation still has to register a domain, host a phishing page, accept payment data somewhere, and route goods to a real address. Each of those is a thread, and lawful public-records research pulls on the threads, not the spoof. A phishing domain has a registration, hosting, and reuse history that can connect it to a wider campaign. A phone number or email used to set up an account is exactly the kind of identifier our team resolves when we help people identify a scammer by phone number or work from an email address back to a real person.

The further into the cash-out chain you go, the more the operation depends on people who used real identities. The reshipping mule gave a real delivery address. The person who opened the bank account, payment account, or mobile wallet to cash out had to verify real details. A handle, a username, or a name the scammer used while talking to you is a starting point too. Even when the front of the scam was a throwaway sender, those downstream identifiers can be researched lawfully through public records to surface a real name, address, and associates. That is the same investigative path behind our work helping people who searched for the person who scammed them, and a named, located individual is what turns a complaint number into something a prosecutor or a civil attorney can use.

What Sets Our Approach Apart

Most advice stops at “do not click.” We work the next step.

There is no shortage of pages telling you how to spot a fake delivery text. They are useful, and prevention genuinely matters. But almost none of them answer the question people actually arrive with once it has already happened: who did this, and can they be identified. That is the gap our investigators fill. We do not touch your bank account, we do not promise to claw money back, and we do not take custody of anything. We work the human and infrastructure trail, the spoofed sender, the phishing domain, the payment rails, and the mule addresses, using lawful public-records and skip-tracing methods to help put real identities behind the operation. We work strictly for lawful, permissible purposes, and we tell you plainly what the records can and cannot show before you commit to anything.

Don’t Get Hit Twice

After the first scam, a second wave targets people who already lost something.

A Second Card Request

If the page said your first card “failed” and asked for another, that is the harvest, not a glitch. Treat every card you entered as exposed.

A “Bank Security” Call

Soon after, a caller claiming to be your bank’s fraud team may ask you to confirm a code or move money to a “safe account.” Hang up and call the number on your card.

A One-Time Code Prompt

No real carrier or bank needs the verification code texted to you. Anyone who asks you to read one aloud is taking over an account.

A Paid “Recovery” Offer

Anyone who finds you first and wants an upfront payment to recover your loss is running the second scam. Legitimate help is not pay-to-unlock.

Repeat Texts to the Same Number

Once a number responds or taps a link, it gets flagged as live and sold. Expect more attempts, and keep blocking and reporting them.

A Fake Refund Form

A follow-up message offering a refund for the “fee” you paid is just another form designed to harvest fresh details. Ignore it.

Who We Help

We trace the people behind the spoofed sender, lawfully, so a case has teeth.

Scam Victims

Identify who was behind the text

Attorneys

Locate an identified mule or operator

Families

Help a relative who paid the fee

Small Businesses

Trace a brand-spoofing campaign

Fraud Teams

Tie a domain to a real account-holder

Anyone Owed

Find a person before pursuing them

Fake delivery texts run on the same rails as a dozen other scams, so the people behind them surface through the same lawful research that powers full-spectrum skip tracing. Send us what you saved, even if it feels like almost nothing: the sender number, the phishing link, an email, a username, a charge, or the address goods were shipped to. We work only for lawful, permissible purposes, we never promise a recovery we cannot control, and we are honest about what the records will and will not show. For a legitimate matter, an initial locate typically comes back within 24 hours.

Our Commitment

We do not sell false hope or “guaranteed recovery,” and we never collect anything you are not entitled to. We do the lawful research most advice skips: tracing the real people behind the spoofed sender, the phishing domain, and the payment trail, so your reports and any civil action carry weight. Honest, permissible-purpose skip tracing since 2004.

People Locator Skip Tracing Investigation Team — investigators conducting skip tracing and public-records research since 2004, working lawful, investigative-grade sources for legitimate purposes only. Last reviewed 2026. This page is general information, not legal or financial advice.

Frequently Asked Questions

Is the “package held, pay a redelivery fee” text always a scam?

Yes. Legitimate carriers like USPS, FedEx, and UPS do not text you to collect a redelivery fee, and they do not send tracking texts for shipments you never signed up to track. Any message asking you to pay a fee or confirm card details to release a package is fraudulent, no matter how authentic the wording or the logo looks.

I tapped the link but did not enter anything. Am I at risk?

Your exposure is much lower than if you submitted details, but treat the number as confirmed live, which means more attempts may follow. Do not enter anything if the page is still open, close it, and avoid tapping further links. Forward the original text to 7726, report it, and watch for follow-up messages. If the page prompted any download, run a security scan.

I entered my card and paid the fee. What should I do first?

Containment comes first. Call your bank or card issuer to freeze and reissue the card and dispute any charge, then change any password you reused on the fake site and enable two-factor authentication. After that, report the fraud to the FTC and the FBI and forward the text to 7726. Save every screenshot before you block the sender.

What does forwarding to 7726 actually do?

7726 spells SPAM on a phone keypad, and forwarding a suspicious text to it reports the message to your mobile carrier. Carriers use those reports to identify and block the networks sending scam texts. It is free, fast, and worth doing for every fake delivery text you receive, even ones you immediately recognize as bogus.

Where should I report a fake delivery text?

Forward it to 7726, then file with the FTC and the FBI Internet Crime Complaint Center, and notify the U.S. Postal Inspection Service for USPS-branded messages or the carrier’s abuse inbox for others. If a card was used, also call your bank. Each channel does something different, and detailed reports are what let investigators connect one operation to many victims.

The number was spoofed. Can the scammer still be identified?

Often, yes. Spoofing only disguises what appears on your screen. The operation still has to register a phishing domain, accept payment data, and route goods to a real address, and those steps leave records. Phone numbers, emails, usernames, domain registration trails, and reshipping addresses can be researched lawfully through public records to help surface a real name and location.

What does the investigation team actually do on a case like this?

We work the human and infrastructure trail, not your bank account. Using lawful public-records research and skip tracing, our investigators help identify and locate the real people behind the spoofed sender, the phishing site, and the payment and reshipping chain, producing a named, located individual that strengthens your report or a civil claim. We do not take custody of funds or promise recovery.

A service offered to recover my money for an upfront fee. Is that real?

Treat it as a second scam. Operations that contact you out of the blue, guarantee a full recovery, ask for your card or one-time codes, or demand payment before returning anything are preying on people who already lost money. Legitimate help is not pay-to-unlock, and no honest firm can guarantee that funds will come back.

Got a Fake Delivery Text? Start Tracing.

Our investigators trace the real people behind the spoofed sender and the phishing site, lawfully, so your reports and any civil case carry weight. Contact us to get started.

Start Your Request →