Holiday delivery scams: the December parcel playbook

When everyone has parcels in transit, a fake courier text stops looking fake. The held-parcel fees, cloned tracking pages and QR-code tricks of December — and how to handle any delivery message safely.

Guide · 6 min read · By SafeToOpen Research · July 2026

Between late November and Christmas, one message finally matches everyone’s reality: "your parcel is on its way — there’s a problem." When you genuinely have four deliveries in transit, a fake courier text stops being obviously fake. That’s why delivery scams spike harder in December than any other lure, across every carrier and every country.

2.7 million
Emails carrying QR codes observed per day in late 2024–early 2025 — fake "delivery fee" QR codes ride the holiday parcel wave. Source: Mimecast, in APWG Q1 2025.

The December delivery playbook

How to handle any delivery message in December

Sent money or details already?

Call your bank to block the card and dispute the charge, change any password you entered, and report the message — forward scam texts to your carrier’s reporting number (7726 in many countries) and the site to our report page. Expect a follow-up attempt; being on a "paid once" list is why the calls keep coming.

Frequently asked questions

Don't judge the text — verify in the courier's official app or website (typed, not tapped) using your tracking number. Real couriers rarely request payment by text link, and a genuine issue will show in the app.

Because the lure finally matches reality: most people have multiple parcels in transit, so a 'problem with your delivery' message earns instant plausibility. Scammers time campaigns to shopping peaks for exactly this reason.

The fee was bait; your card is the target. Have your bank block the card and dispute the charge, change any password you entered, report the text (7726 in many countries), and ignore follow-up 'refund' calls — that's the same gang.
