Smishing: How to Spot Fake Delivery and Toll Road Texts

You’re expecting a package from Amazon. Your phone buzzes with a text: “Your package could not be delivered. Please confirm your address here.” You almost tap the link without thinking — because why wouldn’t you? You are waiting for something.

That split-second impulse is exactly what scammers are counting on. In 2024, the FTC reported that Americans lost over $470 million to text message scams, and fake package delivery notifications were the single most-reported type. These aren’t random attempts — they’re carefully timed, convincingly written, and designed to catch you in a moment of trust.

But here’s the good news: smishing texts follow predictable patterns, and once you know what to look for, they’re surprisingly easy to spot. Let’s fix that blind spot.

What Is Smishing?

Smishing is phishing delivered by text message — the name combines “SMS” and “phishing.” Instead of a sketchy email, scammers send a text that tries to trick you into tapping a link, sharing personal information, or making a payment.

Why texts instead of email? Because texts work much better for scammers. Text messages have a 98% open rate compared to roughly 20% for email. Most people read a text within three minutes of receiving it, often reacting before they’ve had a chance to think critically.

Scammers get your phone number from data breaches, social media profiles, public records, or by simply generating numbers in bulk and blasting out millions of messages at once. If you have a phone number, you’re a target — it’s not personal, it’s math.

The Most Common Smishing Scams Right Now

Fake Package Delivery Texts

This is the most-reported smishing scam in the country, and it’s easy to see why. At any given time, millions of people are waiting for a package. Scammers impersonate USPS, FedEx, UPS, and Amazon with messages like:

“USPS: Your package has been held due to an incomplete address. Please update your information at: usps-redelivery-update.com”

“FedEx: Delivery attempted — no one home. Schedule a new delivery: fedex-reschedule.info”

“Amazon: Your order cannot be delivered. Confirm your shipping details to avoid return: amzn-delivery.com”

These links lead to fake websites that look convincingly real. They’ll ask for your address, then your credit card to pay a small “redelivery fee” — and now scammers have your payment information.

Key fact you should memorize: Real USPS texts never include links for tracking or payments. Neither do legitimate FedEx or UPS notifications. If a delivery text includes a link, treat it as suspicious by default.

Toll Road Payment Scams

Texts impersonating E-ZPass, SunPass, and other toll authorities have exploded nationwide over the past year. They typically look like this:

“E-ZPass: You have an unpaid toll of $4.15. Pay within 48 hours to avoid a $50 late fee: ezpass-pay.com”

“SunPass Notice: Outstanding balance of $1.87. Failure to pay may result in registration suspension. Pay now: sunpass-billing.net”

These scams are effective because the amounts are small and believable — usually between $1.50 and $12.50 — and the threats of escalating fees or legal action push you to act fast. The fake domains like “ezpass-pay.com” look plausible at a glance. This scam has become so widespread that multiple state governors and attorneys general have issued public warnings about it.

Bank and Payment App Alerts

Scammers send fake fraud alerts pretending to be your bank, Venmo, Zelle, or PayPal:

“Chase Fraud Alert: A charge of $284.97 was attempted on your account. If this wasn’t you, reply YES or tap here to secure your account.”

“Zelle: Someone requested $250.00 from your account. If you did not authorize this, verify your identity immediately.”

These messages prey on fear. You see an unauthorized charge and want to act immediately — which is exactly the wrong instinct. The link takes you to a fake login page that captures your banking credentials.

Government Impersonation Texts

Texts claiming to be from the IRS, Social Security Administration, or state agencies use fear of legal consequences:

“IRS: Your tax refund of $1,247.00 is pending. Verify your identity to receive your deposit: irs-refund-verify.com”

“SSA Alert: Your Social Security number has been suspended due to suspicious activity. Call immediately to avoid arrest.”

No government agency will ever text you a link, threaten arrest, or ask you to verify personal information by text. Ever.

Why Smishing Works So Well

Understanding why these scams succeed helps you resist them:

• Small phone screens hide URL details. On a laptop, you can hover over a link and see the full address. On your phone, the URL is harder to inspect and easier to miss.
• Texts feel personal and trusted. We associate text messages with friends, family, and services we’ve opted into. A text doesn’t trigger the same suspicion as an email from a stranger.
• Low dollar amounts reduce suspicion. A $4.15 toll fee doesn’t seem worth questioning. That’s the point — you pay without thinking.
• Urgency overrides judgment. Deadlines like “within 24 hours” and threats like “your account will be suspended” push you to act before you analyze.
• Timing coincidences are common. With hundreds of millions of packages shipped every week, there’s a strong chance you actually are expecting a delivery. Scammers don’t need to know your schedule — probability is on their side.

How to Spot a Smishing Text

Red Flags Checklist

Run through this checklist when you receive an unexpected text. If any of these apply, proceed with caution:

• The message comes from an unknown number or a suspicious short code
• It contains a link you’re asked to tap
• It creates urgency with deadlines, threats, or consequences
• It asks for personal information, login credentials, or payment details
• It uses a generic greeting like “Dear Customer” instead of your name
• You didn’t initiate the interaction or sign up for alerts from this sender

If two or more of these boxes apply, you’re almost certainly looking at a smishing attempt.

The Link Test

The link in a smishing text is where the danger lives. Here’s how to evaluate it without putting yourself at risk:

• Don’t tap it. Instead, press and hold the link (on most phones) to preview the URL without opening it.
• Check the domain carefully. Scammers register domains that look close to the real thing. Compare these:
  • Real: usps.com vs. Fake: usps-redelivery-update.com
  • Real: ezpassnj.com vs. Fake: ezpass-pay.com
  • Real: chase.com vs. Fake: chase-secure-alert.com
• Look for extra words, hyphens, and unusual extensions. Legitimate companies own short, clean domains. Scam domains add words like “verify,” “secure,” “update,” or “pay” with hyphens.

When in doubt, ignore the link entirely and go to the official website by typing the address into your browser yourself.

What to Do When You Receive a Suspicious Text

Follow these steps in order:

1. Don’t tap the link. This is the single most important step. No link, no danger.
2. Don’t reply — not even “STOP.” Replying confirms to scammers that your number is active and monitored, which puts you on lists for more scams.
3. Verify independently. If the text claims to be from USPS, go to usps.com directly. If it claims to be your bank, open your bank’s official app or call the number on the back of your card.
4. Report it to 7726 (SPAM). Forward the text to 7726 — this is the universal spam-reporting number recognized by all major carriers. It helps your carrier block the number for everyone.
5. Block the sender. On iPhone, tap the number at the top of the message and choose “Block this Caller.” On Android, tap the three dots menu and select “Block.”
6. Delete the message. Remove it so you’re not tempted to revisit it later.

What If You Already Clicked?

If you’ve already tapped a smishing link, don’t panic — but do act quickly:

1. Close the page immediately. If you opened a link but didn’t enter any information, you’re likely fine. Close the browser tab right away.
2. Contact your bank or card issuer. If you entered credit card numbers, bank login details, or made a payment, call your financial institution immediately. They can freeze your card and reverse fraudulent charges.
3. Change any passwords you entered. If you typed a password on a fake site, change that password everywhere you use it. This is also a good reason to use unique passwords for every account.
4. Run a security scan. Use your phone’s built-in security features or a trusted app like Malwarebytes to scan for anything that may have been installed.
5. Monitor your accounts for 30 days. Check your bank statements, credit card activity, and email for signs of unauthorized access. Set up transaction alerts if your bank offers them.
6. Consider a credit freeze. If you shared your Social Security number, date of birth, or other identity information, place a free credit freeze with all three bureaus (Equifax, Experian, TransUnion) to prevent new accounts from being opened in your name.

How to Protect Yourself Going Forward

Prevention is easier than recovery. Build these habits into your daily routine:

• Enable spam filtering on your phone. On iPhone, go to Settings > Messages and turn on “Filter Unknown Senders.” On Android, open the Messages app, tap Settings > Spam Protection, and enable it. This won’t catch everything, but it helps.
• Never tap links in unexpected texts. Make this a personal rule with no exceptions. If a text includes a link, go to the source directly instead.
• Use official apps for package tracking. Download the USPS, FedEx, UPS, and Amazon apps and manage your deliveries there. If a delivery actually has a problem, it’ll show up in the app.
• Pay tolls only through official websites. Bookmark your state’s toll authority website and only pay through that portal. Never trust a payment link sent by text.
• Register for legitimate delivery alerts. Sign up for USPS Informed Delivery and create accounts with your preferred carriers. When you control the notification source, you’ll recognize fakes more easily.

For more on recognizing phishing patterns, see our guide on 5 Signs You’re About to Fall for a Phishing Scam.

The Bottom Line

If a text asks you to tap a link, don’t. Full stop. If the message is real — if you actually owe a toll, if your package truly needs a new address, if your bank genuinely detected fraud — you can find that same information by opening the official app or going directly to the company’s website. It takes about 60 seconds to verify.

Sixty seconds of caution beats months of identity theft recovery. Your first instinct when you get an unexpected text with a link should always be the same: pause, don’t tap, and verify on your own terms.

Stay informed about the latest digital safety threats. Subscribe to the Scute newsletter for weekly tips delivered to your inbox.