Normal view

Is That Delivery Text Real? How to Spot Package Smishing and Delivery Scams

23 June 2026 at 12:00

You’re expecting a package. 

Maybe it’s a birthday gift. Maybe it’s a purchase from a major shopping event. Maybe it’s something you forgot you ordered three days ago. 

Then your phone buzzes. 

Your package couldn’t be delivered.  There’s a problem with your shipping address. 

A small fee is required before delivery can continue. 

“Click here immediately.”

The message feels plausible because so many of us are constantly waiting for packages. And scammers know it. 

According to McAfee’s State of the Scamiverse report, fake delivery and shipping notices are the single most commonly reported scam consumers encounter today, with 31% of people saying they’ve received one. Americans also receive an average of 14 scam messages every day across texts, email, social media, phone calls, and other channels.  

Delivery scams have become one of the internet’s most successful forms of phishing because they exploit something simple: people are already expecting the message. 

Here’s how to spot and stop these scams:

What Is a Delivery Scam? 

A delivery scam is a fraudulent message that pretends to come from a shipping company, retailer, postal service, or delivery provider. 

The goal is usually one of three things: 

  • Steal personal information  
  • Steal financial information  
  • Trick victims into downloading malware or visiting malicious websites  

These scams often impersonate organizations such as: 

  • USPS  
  • UPS  
  • FedEx  
  • DHL  
  • Amazon  
  • Royal Mail  
  • Australia Post  
  • Other local or regional delivery services  

Most delivery scams arrive through text messages, which is why they’re often called package smishing scams. 

What Is Smishing? 

Smishing is a type of phishing attack delivered through SMS text messages. 

The term combines: 

  • SMS (Short Message Service)  
  • Phishing 

Instead of arriving through email, the scam arrives directly on your phone and attempts to create a sense of urgency that encourages immediate action. 

Common examples include: 

  • “Your package could not be delivered.”  
  • “Delivery attempt failed.”  
  • “Update your shipping address.”  
  • “Pay a small customs fee.”  
  • “Confirm delivery information.” 
McAfee's Scam Detector lets you know when delivery messages are scams.
McAfee’s Scam Detector lets you know when delivery messages are scams.

Delivery Scam Red Flags and What to Do 

If You See This Red Flag  Why It’s Suspicious  What To Do 
A package alert when you’re not expecting a delivery  Scammers send messages in bulk hoping someone is waiting for a package  Ignore the message and do not click links 
A request to pay a small fee before delivery  Legitimate carriers rarely collect delivery fees through text messages  Visit the carrier’s official website directly 
A message claiming your address needs verification  Common tactic used to steal personal information  Check shipment status through your retailer or carrier account 
A shortened or unusual link  Scammers often disguise malicious websites  Avoid clicking and manually type the carrier’s website address 
Pressure to act immediately  Urgency is designed to override caution  Pause and verify independently 
Requests for passwords, payment information, or verification codes  Legitimate carriers will not ask for this through text messages  Delete the message and report it as spam 
A delivery app or file download request  May install malware on your device  Never download software from a text message 

Accidentally Clicked a Delivery Scam? Do This Immediately 

What Happened  What To Do 
You only clicked the link  Close the page and do not enter any information 
You entered login credentials  Change your password immediately and enable two-factor authentication 
You entered payment information  Contact your bank or credit card provider right away 
You downloaded a file or app  Delete it and run a security scan 
You’re unsure what information was exposed  Monitor accounts closely for unusual activity 

How McAfee Can Help  

With McAfee+, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post Is That Delivery Text Real? How to Spot Package Smishing and Delivery Scams appeared first on McAfee Blog.

7 Shopping Scams Americans Report Seeing Most: This Week in Scams

18 June 2026 at 19:35

Last week, McAfee warned that economic pressure and AI are creating ideal conditions for online shopping scams. 

This week, that warning got another real-world example. 

New reporting revealed that cloned shopping websites have appeared in AI-generated search results, potentially directing consumers to convincing fake storefronts designed to steal payment information and personal data.  

The incident reinforces what McAfee’s latest research found ahead of Prime Day: shoppers are moving faster, trusting deals more readily, and encountering increasingly sophisticated scams. 

Before the summer’s biggest shopping events kick into high gear, let’s get into the sales and Prime Day scams to be aware of and other cybersecurity news making headlines This Week in Scams. 

The Top 7 Shopping Scams to Watch for This Prime Day 

McAfee’s latest research found consumers most frequently encounter the following scams during major sales events: 

  1. Fake shipping confirmations and order updates (34%)  
  2. Delivery company impersonation scams (32%)  
  3. Requests for payment or account information (27%)  
  4. Suspicious account verification alerts (26%)  
  5. Retailer impersonation scams (25%)  
  6. Fake urgency and expiring deal messages (24%)  
  7. Suspicious discount codes and flash-sale offers (22%)  

These scams work because they exploit moments when consumers are already expecting packages, tracking orders, comparing prices, and making quick purchasing decisions. 

McAfee's latest research found consumers most frequently encounter the following scams during major sales events:  Fake shipping confirmations and order updates (34%)   Delivery company impersonation scams (32%)   Requests for payment or account information (27%)   Suspicious account verification alerts (26%)   Retailer impersonation scams (25%)   Fake urgency and expiring deal messages (24%)   Suspicious discount codes and flash-sale offers (22%)  

Prime Day Shopping Safety Checklist 

In McAfee’s new consumer research40% of Americans surveyed said they would trust a lower priced deal without verifying it. That means as costs are climbing, shoppers are less likely to second guess a too-good-to-be-true deal that could be a scam.   

“What the data reflects is that economic pressure has effectively done some of the scammer’s work for them,” says McAfee’s Head of Threat Research Abhishek Karnik.  

“When consumers are already primed to move quickly and prioritize price over authenticity, it takes far less effort to push them toward a bad click or a fraudulent purchase.”  

And reporting that fake shopping sites have appeared in ChatGPT results shows that scammers are adapting to ensure they show up wherever consumers search for products, including AI-powered search experiences. 

That means it’s more important than ever for shoppers to know the red flags, common scams, and protection measures to find deals safely. 

Safety Checklist 

Before making a purchase: 

✓ Verify the website URL 

✓ Compare prices across multiple retailers 

✓ Research unfamiliar sellers 

✓ Be skeptical of discounts exceeding 50-70% 

✓ Never trust a shopping link sent by text 

✓ Use a credit card instead of bank transfer, crypto, or gift cards 

✓ Check independent reviews 

✓ Verify shipping alerts directly through the retailer 

Other Scam and Security News This Week 

Nintendo Investigates Third-Party Employee Data Incident 

According to Kotaku, Nintendo is investigating an alleged data exposure involving TinyPulse, a third-party employee survey platform. An extortion group claiming responsibility for the incident says it possesses employee information and internal communications and demanded a $2 million ransom. Nintendo said its own systems were not compromised and that no customer financial or payment information was accessed. 

Madison Square Garden Data Allegedly Posted Online 

According to 404 Media, hackers linked to the ShinyHunters group have allegedly published data stolen from Madison Square Garden after an extortion attempt. Sample files reviewed by the outlet reportedly contained personal information, talent records, and contact details connected to sports personalities and business operations. 

Novo Nordisk Reports Clinical Trial Data Breach 

According to Yahoo Finance, Novo Nordisk disclosed a data breach involving individuals participating in clinical trials. The company is currently assessing the scope of the exposure while also managing ongoing supply constraints affecting its GLP-1 medications, including Wegovy. 

How McAfee Can Help  

With McAfee+ Premium, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

Plus, click here to get McAfee’s limited-time deals on real-time protection this Amazon Prime Day, from June 23 to June 26.

The post 7 Shopping Scams Americans Report Seeing Most: This Week in Scams appeared first on McAfee Blog.

How to Protect Yourself from Doxxing and Lock Down Your Data

By: McAfee
5 May 2026 at 17:30
Woman gamer confused at computer

You post an opinion about a contentious issue on social media. Within hours, strangers have shared your home address, your employer’s phone number, and photos of your children’s school. Your inbox floods with threats. Someone calls your workplace demanding that you be fired. A crowd shows up outside your house. What started as online speech has become a safety crisis that follows you everywhere. You’ve been doxed.

If you’re looking for real answers about how to prevent doxxing before it happens or how to respond if you’re already facing harassment, this guide provides actionable strategies to lock down your digital footprint and protect your personal information. 

Key Takeaways

  • Protect yourself from doxxing by reducing exposed data on social media, data broker sites, and public records
  • Secure your accounts with strong passwords, multi-factor authentication, and privacy-focused security tools like a VPN or antivirus protection
  • Platform-specific strategies help prevent doxxing on Discord, Twitter, and other high-risk spaces
  • If you’ve been doxxed, act immediately to document everything, remove content, and involve authorities when threats escalate

What Is Doxing?

Doxxing (sometimes spelled doxing) is the act of publicly exposing someone’s personal information online without their consent. Doxxing is often intended to harass, intimidate, or cause real‑world harm. This information can include a home address, phone number, workplace, family details, or other identifying data.

For a foundational understanding of what doxxing is, why it’s escalating, real‑world examples, and how the law treats doxxing, see our full guide on what is doxxing.

How Do People Get Doxxed? 

Your digital footprint is a jigsaw puzzle spread across the internet, with each piece alone being harmless: a tagged photo here, a WHOIS domain record there, a mention of your hometown in an old forum post. Doxers piece together these fragments using open-source intelligence techniques like reverse image searches, username lookups, and metadata analysis.

Much of the information used in doxing also comes from data brokers, which aggregate public records and purchased data sets. Plus, there are information leaks from data breaches: billions of stolen email addresses, passwords, and personal details circulating on dark web forums.

That data can be cross-referenced with your online purchases, domain registrations, avatars, usernames, and even your writing style. Then there’s what you share and what others share about you on social media. In effect, you are leaving a trail of breadcrumbs every time you interact online. 

Taken together, all these pieces create a detailed profile that doxers weaponize. Once they have your information, they post it on social media, anonymous forums, or dedicated harassment sites along with inflammatory language urging others to contact you.

Campaigns are coordinated across platforms, escalating from online harassment to email and text message threats, and sometimes physical confrontations or swatting attempts that put you in immediate danger.

How to Protect Yourself From Doxing

You shouldn’t have to make yourself invisible online, but you can significantly reduce the information available to potential doxers and make yourself a harder target. Here’s what to do:

Lock Down Your Social Media Accounts

Starting with your social media accounts, go through your privacy settings on every platform you use and maximize protection:

Immediate actions:

  • Set all accounts to private or restrict visibility to friends/followers only
  • Hide your friend lists, location data, and tagged photos from public view
  • Remove personal details like phone numbers, email addresses, birth dates, and hometown from your profile
  • Disable location services and strip metadata from photos before posting
  • Turn off check-ins and location tagging features

Audit Your Digital History:

  • Search your own name and review what appears publicly
  • Delete or edit old posts that mention your home address, children’s schools, or exact workplace
  • Ask family and friends not to tag you in posts that reveal your location or personal details
  • Review and untag yourself from photos that expose identifying information

Platform-Specific Settings:

  • Facebook: Restrict who can see your friends list, past posts, and profile information; disable facial recognition; review tags before they appear on your profile
  • Instagram: Make your account private, disable activity status, restrict comments, and carefully review follower requests before accepting
  • Twitter/X: Protect your tweets, disable photo tagging, hide sensitive content behind warnings, and enable two-factor authentication on a separate device
  • Discord: Use a unique username not tied to other accounts, disable DMs from non-friends, never share your Discord tag publicly, and avoid voice chat in public servers where your voice can be recorded

Remove Your Data from People-Finder Data Broker Sites

Data brokers are companies that mine the internet and public records for financial and credit reports, social media accounts, and more. They then sell that data to advertisers, companies, or individuals who may use it to doxx you.

You might be surprised by how much sensitive information is available to anyone who wants it. Data brokers often have contact information including real names, current and former addresses, birth dates, phone numbers, social media profiles, political affiliations, and other information most consider private.

There are two ways you can remove your personal information from data brokers or people-finder sites: manually or with an automated solution

The Manual Approach:

While you can remove your private information from many data broker sites, they tend to make the process tedious and frustrating. You’ll need to:

  • Identify which sites have your information (search for yourself on sites like Whitepages, Spokeo, BeenVerified, PeopleFinder)
  • Submit individual opt-out requests to each site
  • Follow unique removal processes for each broker (some require email verification, others need physical mail)
  • Re-check periodically as your information may reappear

The Automated Solution:

McAfee Personal Data Cleanup makes this process dramatically easier. Enter your name, date of birth, and home address, and we’ll scan it across high-risk data broker sites and help you remove it automatically.

If you plan to employ other automated data broker removal services, verify that they are reputable before handling over your information. 

Secure WHOIS Records and Domain Privacy

If you own a website, your WHOIS record publicly lists your name, address, phone number, and email unless you take action. Use WHOIS privacy protection (also called domain privacy) through your registrar to replace your personal details with the registrar’s contact information, keeping your personal data out of public domain records. Most registrars offer this service for free or a nominal fee.

Fortify Your Account Security

Anyone who gains access to your email or social media accounts through phishing or a data breach could expose your private conversations, documents, and personal details. Protect yourself with robust security measures: 

Use Strong, Unique Passwords:

  • Use passwords with at least 12-16 characters. Avoid personal information like pet names, birthdates, or family members
  • Never reuse passwords across accounts
  • Use a password manager to generate and store complex passwords securely
  • Change passwords immediately if a service you use reports a data breach

Use Multi-Factor Authentication (MFA):

  • Enable MFA on all critical accounts (email, social media, banking, work accounts)
  • Use app-based authenticators (Google Authenticator, Authy) rather than SMS when possible
  • Store backup codes in a secure location separate from your primary device

Be Vigilant against Phishing:

  • Be suspicious of unexpected emails, texts, or messages requesting login credentials
  • Always verify the sender before clicking links or providing information
  • Check URLs carefully. Phishing sites often use slight misspellings
  • Never enter credentials on a site you reached via a link in an email

Secure Your Document Storage

Keep sensitive documents, such as tax records, passport scans, and financial statements, out of easily searchable email folders or cloud storage that might be compromised. If you store them digitally, use encrypted storage with strong access controls.

Use Privacy and Security Tools

No single tool can prevent all doxing, but layered protection makes a big difference. 

Identity Monitoring Services:

Consider using identity monitoring services that alert you when your personal information appears in new data breaches, on the dark web, or elsewhere it shouldn’t be. Early detection will allow you to act before the information is weaponized.

Comprehensive security suite:

A comprehensive security suite such as McAfee+ helps protect your devices from phishing attacks, malicious websites, and malware that could compromise your accounts. 

Virtual Private Network (VPN):

When browsing on public Wi-Fi networks, your data is at greater risk of being intercepted. A virtual private network gives you an additional layer of protection by hiding your IP address and browsing activities when you’re on an unsecured network.

Encrypted Messaging:

For sensitive conversations, use end-to-end encrypted messaging apps like Signal or WhatsApp rather than standard SMS or unencrypted email.

Educate Your Family, Friends, and Colleagues

You might take every precaution, but if your partner posts a photo of your new house with the address or your colleague tags you in a work event with the location, your efforts are undermined. 

Have honest conversations:

  • Explain why you’re cautious about personal information online
  • Share specific examples of what information should stay private
  • Encourage those close to you to adopt similar privacy practices

Set Family Guidelines:

For the digitally active, younger adults and teens in your family who may not fully understand the risks of oversharing, set family guidelines about what can be posted publicly and what should remain offline. 

Workplace Training:

If you work in education, government, or a high-visibility field, suggest brief safety training sessions for staff to recognize and respond to doxing threats.

What to Do if You’ve Already Been Doxxed

If your information is already out there and you’re facing harassment, here’s how to respond quickly and effectively.

1. Assess the immediate situation

If you’re receiving threats, someone is showing up at your home with the intent to harm, or you believe you’re at risk of swatting, contact local law enforcement immediately. Your physical safety comes first. 

2. Document Everything Thoroughly

Create comprehensive evidence:

  • Take screenshots of every post, message, and webpage that shares your information or threatens you. 
  • Take note of URLs, usernames, timestamps, and platform names 
  • Save original messages and emails. Don’t just screenshot; save the actual files.
  • Record any phone calls if legally permitted in your jurisdiction
  • Keep a detailed timeline of events

These pieces of evidence are essential for pursuing legal action, getting content removed from platforms, and demonstrating the severity of the harassment to law enforcement. 

3. Get Your Content Removed

Platform Reporting:

Use the reporting tools on every platform where your private information has been illegally shared. Platforms can be slow to act, but be persistent and keep submitting reports and escalating through support channels. Clearly cite violations of the platform’s terms of service (most prohibit doxxing), and invoke your legal right to have your personal details removed. 

Remove Data from Website Operators:

If your personal information appears on websites or forums, contact the site administrators directly and request removal. Many will comply, especially if the information was posted without your consent.

Remove Data from Search Results:

Google offers a removal request process for certain types of content:

  • Doxing content (name, address, phone number)
  • Non-consensual intimate images
  • Financial information like bank account numbers
  • Government identification numbers

Submit removal requests through Google’s removal request page.

4. File a Police Report

Consider involving authorities in cases involving:

  • Explicit threats of violence
  • Stalking (repeated, unwanted contact that causes fear)
  • Swatting attempts
  • Targeted campaigns that severely disrupt your life
  • Hacking or unauthorized access to your accounts

Prepare for law enforcement:

  • Bring all your documentation (screenshots, timelines, messages)
  • Be prepared to explain what doxxing is and how it’s affecting you
  • If local police aren’t responsive, reach out to specialized cybercrime units at the state or federal level
  • Consider consulting a lawyer familiar with online harassment cases who can advocate on your behalf

5. Seek Support and Expert Guidance

Don’t face this alone. Seek support from your family, trusted friends, and professionals. Crisis communications organizations or reputation management professionals should be able to offer guidance or connect you with legal resources.

Platform-Specific Protection: Discord, X (Twitter), and Beyond

Different platforms present unique doxxing risks. Here’s how to protect yourself on high-risk spaces:

How to Avoid Getting Doxxed on Discord

Discord’s voice chat and community-focused structure create specific vulnerabilities:

Account Security:

  • Use a unique username not connected to other social media accounts or your real name
  • Enable two-factor authentication
  • Never share your email address, phone number, or Discord tag publicly
  • Use Discord’s privacy settings to limit who can DM you (friends only)

Voice Chat Precautions:

  • Be aware that voice chat can be recorded without your knowledge in public servers
  • Avoid discussing personal details, location information, or identifiable stories
  • Consider using voice modulation software for high-risk conversations

Server Safety:

  • Only join servers from trusted communities
  • Be cautious about clicking links in Discord (they can lead to IP-grabbing sites)
  • Report suspicious users immediately to server moderators

How to Prevent Doxxing on Twitter

Twitter’s public nature and engagement-driven algorithm make it a prime target for harassment campaigns:

Profile Protection:

  • Protect your tweets (make account private) if you’re at high risk
  • Remove location information from your profile and tweets
  • Don’t use your full legal name as your display name
  • Disable photo tagging to prevent being tagged in revealing photos

Engagement Strategies:

  • Be cautious about what you share publicly, especially during controversial discussions
  • Don’t share photos that reveal your location, workplace, or home
  • Block aggressive users immediately—don’t engage
  • Report coordinated harassment to Twitter’s support team

Advanced Privacy:

  • Use a separate email address for your Twitter account that doesn’t contain your real name
  • Turn on login verification (two-factor authentication)
  • Regularly review connected apps and revoke access to any you don’t recognize or use

How to Avoid Getting Doxxed as a Creator or Public Profile (TikTok, YouTube, Twitch)

Creators and public‑facing accounts face unique risks because content, schedules, and personal details are often shared at scale:

Account & Identity Separation:

  • Use creator accounts that are completely separate from personal email addresses and phone numbers
  • Never link personal social media accounts in public bios or “about” sections
  • Use business contact emails that don’t contain your real name
  • Enable two‑factor authentication on all creator platforms and connected email accounts

Content & Filming Precautions:

  • Be mindful of what appears in the background of photos and videos (windows, street signs, landmarks)
  • Avoid showing mail, packages, or documents with identifying information
  • Delay posting content shot in real‑time to prevent location tracking
  • Disable automatic location tagging and metadata whenever possible

Livestream & Interaction Safety:

  • Avoid sharing schedules, routines, or future travel plans publicly
  • Use chat moderation tools and trusted moderators during live streams
  • Immediately ban users who ask probing personal questions
  • Be cautious with donation messages or alerts that may reveal personal information

Take Control of Your Digital Footprint Today

Doxxing has become an escalating threat in our increasingly connected digital world. But you’re not powerless. By taking proactive steps to reduce your exposed data, secure your accounts, and understand how to respond if targeted, you significantly reduce your risk and increase your ability to protect yourself and your loved ones.

Start with the basics: tighten your social media settings, remove your information from data broker sites, and secure your accounts with strong passwords and multi-factor authentication. Consider installing identity monitoring services, security software, and privacy features to detect threats early and give you time to respond. McAfee+ can help you stay one step ahead of anyone trying to weaponize your information.

If you’ve been doxxed, document everything, report to platforms persistently, and involve law enforcement when threats escalate. You don’t have to face this alone; support resources and professionals are available to help you through the process.

The post How to Protect Yourself from Doxxing and Lock Down Your Data appeared first on McAfee Blog.

❌