As we head into the last stretch of December (and last-minute gift shopping), your doorstep is probably busier than ever. And if you’re anything like me, you’re probably also juggling shipping updates, tracking numbers, and “out for delivery” alerts from half a dozen retailers.

Unfortunately, scammers know this too, and they’ve likely been preparing for it all year. Like clockwork, I’ve already started seeing the usual wave of fake tracking texts hitting people’s phones. They look legit, they show up right when you’re expecting a package, and they rely on one inescapable truth: during the holiday rush, most of us are too overwhelmed to notice when something feels off.

No need to panic, though. You can still come out ahead of the scammers. I’ll show you what to look out for and how you can prevent being targeted in the first place.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

THE FAKE REFUND SCAM: WHY SCAMMERS LOVE HOLIDAY SHOPPERS

What fake delivery text messages look like

Most of these fake shipping texts include a “tracking link” that looks close enough to the real thing that you might tap without thinking twice about it. In some cases, like one Maryland woman found out, you may even receive fake deliveries with a QR code that works in a similar way.

These links usually lead to a spoofed tracking page that looks almost identical to the real thing. It’ll ask you to “confirm” your login or enter your delivery details. The moment you type anything in, scammers capture it and use it to access your real accounts.

Even worse, the “tracking link” may contain malware or spyware, triggering silent installs that can steal passwords, monitor keystrokes, or give scammers remote access to your device.

Red flags that reveal fake shipping and tracking messages

So how can you distinguish between a legitimate message for a delivery you’re actually waiting for and one of these scams? Here are the red flags I look for:

• Weird or slightly altered URLs. Scammers use domains that look almost right. Except there’s usually one extra letter, a swapped character, or a completely unfamiliar extension.
• Requests for additional payment. Real carriers don’t ask you to pay a “small fee” to release a package. That’s an instant giveaway.
• A package you’re not expecting. If the text is vague or you can’t match it to a recent order, pause before you tap anything.
• Delivery attempts at odd hours. “Missed delivery at 6:12 AM” or “late-night attempt” messages are usually fake. Carriers don’t normally operate like that.
• Updates that don’t match what you see in the retailer’s app or email. If Amazon says your package is arriving tomorrow, but a random text says it’s delayed or stuck, trust Amazon, not the text.
• Language that is designed to rush you. Anything screaming “immediate action required!” is designed to make you stop thinking and start tapping.

If a text triggers any one of these, I delete it on the spot. When in doubt, always check directly with the delivery service provider first before opening any links.

WHY YOUR HOLIDAY SHOPPING DATA NEEDS A CLEANUP NOW

How scammers know your address, phone number, and shopping habits

Scammers don’t magically know where you live or what you’ve ordered — they buy that information. There’s actually an entire industry of data brokers built on collecting and selling personal data. This can include your:

• Phone number
• Home address
• Email
• Purchase history
• Browsing patterns
• Retailers accounts and apps
• Loyalty programs
• Even preferred delivery times.

These data brokers can sell profiles containing hundreds of data points on you. And they aren’t always discerning about who they sell to. In fact, some of them have been caught intentionally selling data to scammers.

Once scammers have those details, creating a convincing delivery scam is no problem.

But scammers can’t target what they can’t find

I’ve been very vocal about the importance of keeping personal information under lock and key. And this is just one of the reasons why.

Criminals rely on your personal information to target you with these types of scams. They also need at least a phone number or email address to reach you in the first place.

So your best bet to avoid delivery scams (and, honestly, most other scams year-round) is removing your info from data brokers and people search sites. Doing this will keep your details out of circulation online and out of the wrong hands.

FBI WARNS EMAIL USERS AS HOLIDAY SCAMS SURGE

How to remove your personal information from scammers’ reach

You can start by looking yourself up online. Searching for different combinations of your name, address, email, and phone number should bring up a bunch of people search sites. Just visit the “opt-out” page on each site to request removal of your data.

Private-database data brokers are a bit trickier. They sell data in bulk, usually to marketers and other third parties. So you won’t be able to check if they have your information. But if you look into which data brokers operate in your area, you can just send opt-out requests to them all. There’s a good chance they’ll have your information.

You can also turn to a data removal service. They completely remove the headache from this process and just automatically keep your personal info off data broker sites. If, like me, you don’t have the time to keep manually checking data broker sites and sending removal requests every few months (because your data will keep reappearing), a personal data removal service is the way to go.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

Kurt’s key takeaways

Holiday delivery scams work because they blend perfectly into the chaos of December shopping. A well-timed text and a familiar tracking link are often all it takes to lower your guard. By slowing down, checking messages directly with retailers, and reducing how much of your personal data is circulating online, you can take away the advantage scammers rely on. A little caution now can save you a major headache later.

Have you received a suspicious delivery text or tracking message this holiday season? If so, tell us what it looked like and how you handled it by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP 

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

Copyright 2025 CyberGuy.com.  All rights reserved.

All year on The Vergecast, we’ve been tracking the many bizarre and problematic actions of FCC Chairman Brendan Carr. There has been a lot to discuss! Then, this week, ahead of one of our last episodes of the year, Carr appeared in front of the Senate Commerce Committee and spent three hours explaining how he thinks about his job, the FCC, and the state of online communication and entertainment. It was a lot.

On this episode of The Vergecast, we begin with a dissection of Carr’s testimony, his threats against broadcasters, and the ways in which he’s using old ideas about content delivery to get his political way. Nilay and David walk through some of Carr’s most important quotes, explain the history of broadband regulation, and look ahead to how Carr might bring these same tactics to internet regulation next year.

Also, an important housekeeping note: The Vergecast will be live at CES! We’ll be at the Brooklyn Bowl in Las Vegas, at 3:30PM on Wednesday, January 7th. There will be podcasting, and hanging out, and bowling. It’s going to be great, and if you’re going to be in Vegas we’d love to see you there.

Until then, if you want to know more about everything we discuss in this episode, here are some links to get you started, first on Brendan Carr:

And in the streaming wars:

And in the lightning round: