Your phone buzzes: “Your package could not be delivered. Confirm your address: [link].” You are not even expecting a parcel, but your thumb hovers anyway. That hesitation is the whole business model of smishing — phishing by SMS — and fake delivery texts are its most common form in 2026.
nWhat smishing actually is
nSmishing is phishing that arrives by text instead of email. The goal is identical to its email cousin: get you to tap a link and hand over a password, a card number, or a small “redelivery fee.” Text feels more personal and urgent than email, and phones show shortened links that hide where they really go, which is exactly why it works. The same instincts that beat email phishing apply here.
nThe tells in a fake delivery text
nYou are not expecting a parcel. Or you are, but the sender does not match the courier you actually used.
nThe link is odd. Real couriers use their own domain. Smishing uses shorteners, lookalikes (dhl-redelivery.info), or random strings. On a phone, long-press the link to preview the true destination before tapping.
It wants a fee or a login. A genuine carrier does not collect “customs” or “redelivery” charges by text link, and never needs your full card details to drop a box.
nIt manufactures urgency. “Within 12 hours or your parcel is returned.” Pressure is meant to stop you thinking.
nWhat to do instead
nNever tap the link. If you are genuinely expecting something, open the courier or retailer site yourself, or use the tracking number from your original order confirmation. Verifying out of band — going to the source directly rather than through the message — defeats nearly every smishing attempt.
nIf you already tapped
nDo not panic, act fast. If you entered card details, call your bank and freeze the card. If you entered a password you use elsewhere, change it everywhere — this is exactly the password-reuse risk that turns one slip into many, and a good moment to turn on two-factor authentication. Then treat it like a breach and work through the first-24-hours plan.
nCut down how often it reaches you
nSmishing needs your number. The fewer sites that hold it, the fewer lists it lands on, so be as stingy with your phone number as with your real email — and when a site demands an email just to proceed, hand it a temporary email instead of fuel for the next data broker. You can report scam texts to the FTC.
nThe one habit that beats it
nYou will never stop fake delivery texts from arriving. You can make them harmless with a single rule: never act on a link inside an unexpected message. Go to the source yourself, every time. The scam only works on the tap you make before you think.
nFrequently asked questions
What is the difference between phishing and smishing?
Only the channel. Phishing arrives by email, smishing by SMS; both try to get you to tap a link and hand over credentials or money. Text feels more urgent and hides link destinations more easily, which is why smishing is so effective.
Should I reply “STOP” to a scam text?
No. With a genuine marketer, STOP works; with a scammer, it simply confirms your number is live and read by a person, which makes you a more valuable target. Do not reply at all — just delete and report it.
Can clicking a link in a text infect my phone?
Usually the link leads to a fake login or payment page rather than malware, but malicious pages and drive-by downloads do exist. The safe rule is the same either way: never tap a link inside an unexpected message, and go to the source yourself.