Have you ever received a text indicating that a package sent via the U.S. Postal Service or other mail carrier was unable to be delivered or is sitting in a warehouse waiting to be claimed? It’s a common scam, and one that too often succeeds.

The sender seems to emulate official correspondence from a legitimate carrier, like UPS, FedEx and the USPS, but the goal is to steal your money and identity. If you click the link, you might unwittingly download malware onto your device and/or be asked to supply sensitive personal as well as financial information.

Rachel McNealey is an assistant professor in the School of Criminal Justice at Michigan State University’s College of Social Science. She is also a center associate with the MSU Center for Cybercrime Investigation and Training.

McNealey recently answered questions about “smishing” — fake mobile text messages that trick users into downloading malware and sharing personal and financial information — and how to avoid falling victim.

What is smishing, also known as SMS phishing?

These fraudulent texts are part of a wave of socially engineered smishing (SMS + phishing) campaigns designed to collect recipients’ sensitive information by impersonating legitimate agencies.

Phone numbers and emails are concerningly easy for scammers to collect. There are techniques such as buying large quantities of stolen personal data online, which can be done both on the dark web and the everyday web. However, scammers can also simply web scrape sites that contain and/or show individuals’ contact information or obtain unauthorized access to businesses’ mailing lists. The only thing left for them to do is automate an urgent-sounding message to those emails or phone numbers and wait for their recipients to click a link or enter their information in response to the persuasive alert.

Why is it easy to fall victim to smishing?

For many, these texts are made all the more convincing by the fact that they pop up when one is, in fact, expecting a package. This happy coincidence (for the scammers) is a result of their widespread distribution strategy involving thousands of phone numbers. While some people receive a text when they are indeed awaiting a package, there are many others for whom the text is out of context and clearly a scam. However, this is part of the scammers’ strategy: The fact is, if you send thousands of people a text regarding an in-transit package, there is a good chance that at least a few of those people will actually have a package on the way. Of those individuals, some may be concerned by the new status update and follow the false instructions.

The interconnected nature of sensitive information means that bad actors only need a few individuals to heed the text and enter their information to make for a lucrative day of scamming. From there, the collected information can be sold, used fraudulently or used to obtain more of the individual’s information by attempting access to other accounts. There is also the payout from unsuspecting customers who pay the alleged processing fee.

What other organizations or companies are often named?

The U.S. Postal Service is not the only organization whose name has been co-opted for these types of scams. Recently, U.S. residents have also received scam text messages claiming that they have an unpaid road toll debt; the text also includes a phone number — typically an overseas line — to call and settle the balance. As general good practice, you should always check and verify the number requesting money or information.

What should you do if you receive a text like this?

When in doubt: delete it! However, in a chaotic digital world, it is easy to overlook details that may seem obvious in hindsight. If you are using any form of payment for online transactions, you should also keep an eye out for unauthorized transactions and suspicious bank statements.

How can you protect yourself and verify the validity of a text message?

The best way to protect against this type of scam is to be aware of how organizations like the U.S. Postal Service actually contact their customers. The U.S. Postal Service only sends text updates to those who have registered for the service using a tracking number and, most importantly, emphasize that they do not charge for these services and will never send a link. Additionally, the Postal Service urges that, if a customer is concerned about the status of a package, they should go directly to USPS.com and follow the tracking process on its official website.