
Phishing Scam Impersonates USPS Uses Fake Web Page to Steal Payment Cards
Note: We may earn a commission from products or services when you click on a link and make a purchase.
Fraudsters are using fake United States Postal Service (USPS) delivery notifications to steal payment card numbers. The scam notifications are phishing emails sent to victims who may be tricked into entering payment card numbers to ensure their package’s delivery.

The scam impersonates US Postal Service delivery notifications. Fraudsters use malicious phishing emails to lure people into clicking on a link that takes them to a credit card stealing web page. The notification includes a fake tracking number and branding to increase its credibility.
“With holiday delivery deadlines quickly approaching and online orders continuing to pour in, courier services are facing increasing pressure from anxious consumers,” says the report from AbnormalSecurity.
Victims are urged to click on a link in a malicious email. They are told that the tracking link expires in only three days. They are also instructed to pay an additional delivery fee or else their package won’t be delivered.
Spoofed email address
The email appears to originate from USPS, but in reality, it was sent from support .@ xmtservices.com.
USPS Delivery Notification Scam Message
Messaging in the email informs the reader that there is more postage owed. If the victim does not click on the tracking link and pay the additional fee, then the delivery cannot be completed. The text of the email contains a link to a web page where the reader can supposedly pay the additional money owed.

The email includes the USPS logo and a tracking number to help trick the reader into believing the email is legitimate.
Spoofed USPS Web Page
If the reader follows the instructions in the email and clicks on the link to pay the fees, they are redirected to a spoofed USPS web page. Messaging and branding on the web page impersonate the United States Postal Service. The malicious web page has boxes for their reader to enter in their first name, last name, credit card number, expiration date, and security code. Like the email, the malicious webpage impersonates USPS.com and uses the Postal Service logo to help fool the reader into thinking it’s legitimate.
- READ About All Recent Scam Alerts
How to Avoid a USPS Delivery Notification Scam
November 2020 saw a 440% increase globally in shipping phishing emails compared to the previous month says Check Point Software Technologies. Amazon, USPS, UPS, and FedEx are all targets of increasing impersonation attacks.
If the reader enters in their credit card information on the spoofed USPS web page, the information is sent to the fraudsters who can then use it to rack up credit card charges using the stolen credit card numbers.
- Be on the lookout for emails that urge you to take action. Scammers often use a sense of urgency to get victims to act quickly without scrutinizing the contents of an email. In this case, victims were told they only had three days to pay the fees or their package would not be delivered
- The friendly name of an email sender is different than the actual email address. Always look carefully at the sender’s email address and make sure it matches who they say they are
- Really, you should never click on the link in an email or download an attachment. Always go to the company’s official website and contact customer service.