Parcel scams: the fake Correos, SEUR and customs text message
The "parcel held" text asking you to pay a fee is smishing. We show you how to spot it, the fake domains and how to verify a real shipment.

If you get a text message saying your parcel is being held and you need to pay a small fee through a link, it's smishing. Correos, SEUR and the courier companies never charge customs duties or "handling fees" via a link in a text message. Those few euros are just the bait: what they're really after is your card details.
Nearly all of us have waited for a parcel at some point. That's exactly the card the scammers play. When you're expecting a delivery, a message about "your shipment" stops looking odd and starts looking urgent. We're not talking about generic smishing here, but about a very specific pattern: the fake delivery notice or customs charge. Let's take it apart piece by piece.
What does the fake parcel text actually look like?
The message almost always follows the same script. It doesn't need to be perfect; it just needs to sound plausible during the ten seconds it takes you to tap the link.
These are the three formats that crop up most often:
- Parcel held over an unpaid fee. "Your parcel is being held at our warehouse. Pay €1.99 to release it." The amount is small on purpose: nobody argues over two euros.
- Reschedule the delivery. "We were unable to deliver your shipment. Confirm the address and time slot here." It takes you to a form that asks for personal and payment details.
- Customs charge on an international parcel. "Your parcel from abroad requires payment of customs duties." It exploits the fact that many of us buy from Asian shops and don't really know how customs works.
They all share the same structure: a believable excuse, a small amount and a link. The link is the heart of the trap. It takes you to a cloned website that mimics Correos, SEUR, DHL or the tax agency, with their logo and their colours. There you enter your card details "to pay the fee" and, without realising it, hand them straight to the scammer.
The serious part isn't the fee. It's what comes next. With your card details they'll attempt much larger charges, or they'll call you days later pretending to be your bank to "cancel a suspicious charge" (that's vishing, which we explain in how to check whether a call or text from your bank is real). The parcel text is often just the front door to a bigger fraud.
Why is the link always the clue that gives the fraud away?
Scammers can copy a logo in seconds. What they can't copy is the official domain. That's your best detection tool.
A real company uses its own domain. Correos uses correos.es. SEUR uses seur.com. The Spanish tax agency uses agenciatributaria.gob.es. An official domain always ends in that root, right before the first slash.
Fake domains play at looking similar. These are the most common tricks they use:
| Scammer's trick | Example of what it looks like | Why it fools you |
|---|---|---|
| Misleading subdomain | correos.envio-pago.com | The real name ("correos") comes first; the actual domain is envio-pago.com |
| Extra word stuck on | correos-aduanas.com | It sounds official but it isn't the real Correos domain |
| Changed extension | correos.es.net or correos.top | The brand appears, but the ending isn't the real one |
| Swapped letter | corrreos.es, seurr.com | At a glance it slips by unnoticed |
| Link shortener | bit.ly/..., odd links | It hides the real destination until you tap |
The practical rule: read the domain from right to left. What matters is the part right before the first /. If the company's exact official domain doesn't appear there, it's fake. It doesn't matter how many times the name "Correos" appears in the rest of the address.
And one more detail: the "https" padlock means nothing. Anyone can put a padlock on their fake site. The padlock only says the connection is encrypted, not that the site is legitimate.
How do I check whether a real parcel is waiting for me?
This is the part that really protects you. Instead of trusting the text, check the shipment yourself. Never use the link in the message.
Follow these steps:
- Don't tap the link. Not even to "see what it is". The site may try to install something on your device or log your visit.
- Get the tracking number from your purchase. Look for it in the confirmation email from the shop where you bought, or inside your account on that shop. That number is the only reliable reference.
- Go to the official website yourself. Type the address by hand: correos.es, seur.com, the relevant company's website. Don't get to it by tapping the text.
- Paste the tracking number into its official tracker. If you have a genuine shipment, it'll show up there, with its status updated.
- If you're not expecting any parcel, ignore it. No shipment, no fee, nothing to pay. Delete the message.
The golden rule on customs: when an international parcel really does owe duties, the charge is handled through official channels, not through a text with an instant payment link. Correos notifies you through its official channels and lets you handle it on its website or at a branch, not by asking for your card on an external page that arrived by message. If you have doubts about an international shipment, always handle it from correos.es or at a physical branch.
This logic of "verify it yourself, never through the link they send you" applies to more things. It's the same one we use with a supposed notice from the tax office or Social Security: official bodies have their own electronic portals and don't ask you for payments by text.
What signs give the text away even when you're in a hurry?
Sometimes the message arrives just when you're expecting a parcel and your guard is down. Memorise these signs and they'll be your automatic alarm:
- Artificial urgency. "Last chance", "your parcel will be returned today", "expires in 24 hours". Hurry is the scammer's favourite tool: they want you to act before you think.
- A small fee upfront. €1.99, €2.50, "handling fees". Courier companies don't charge you one-off fees through a text with a link.
- They ask for card details on an external site. Confirming a parcel delivery never requires your full card number.
- The sender is just some mobile number. Many come from an ordinary
+34, or even from an international number. Legitimate parcel notifications don't usually ask you for payments this way. - Spelling errors, odd translations or generic greetings. "Dear customer" without your name, badly constructed sentences. They're not always there, but when they appear, they confirm the fraud.
- The link doesn't go to the official domain. You saw it above: this is the decisive clue.
No single sign is absolute proof on its own, but as soon as you see two or three together, treat it as fraud without hesitation.
It's also worth knowing that the number the text comes from may be spoofed. Just as happens with calls, a message's sender ID can be manipulated so it looks as though it comes from a known sender. That's why it isn't enough to look at who sent it: what counts is the content and the link, not the name shown at the top.
What if I've already tapped the link or entered my details?
Don't panic, but act fast. Time matters.
- Call your bank now. Use the number on the back of your card or in the official app, never one you've been given over the phone. Block the card and explain that you've been the victim of fraud.
- Watch your transactions. Check for charges over the following days. Scammers sometimes wait before acting.
- Be wary of the "call from your bank" that comes afterwards. It's very common that, after falling for the text, you get a call from someone claiming to be your bank to "help you get your money back". This is the second phase of the fraud. Hang up and call the bank yourself.
- Change your passwords if you entered them on the fake site, especially if you reuse the same one across several places.
- Report the case to INCIBE on 017 (also via WhatsApp on 900 116 117), their free cybersecurity helpline. They'll guide you on the next steps.
We have a full guide with a step-by-step action plan in case you've already given out your details; check our guides for the detailed procedure.
Why is parcel delivery the perfect bait?
There's a simple reason behind how persistent this type of fraud is: it works because it fits with people's ordinary lives. We buy online constantly. We wait for parcels often. And when you're expecting something, a message about "your shipment" lowers your defences.
From our data at NoCall, impersonation of well-known brands and logistics companies is one of the patterns that turns up most in the fraudulent text campaigns we track. It's no accident: the scammer doesn't need to know you. They just need to send the same message to thousands of numbers at once. Some of the recipients will be waiting for a parcel at exactly that moment, and that's where the hook bites.
That's why the defence isn't only individual, it's also collective. When someone reports a fraudulent number or domain, it helps others recognise it sooner. You can look up and report numbers in our directory of spam numbers, check which mobile prefixes are the most reported in Spain and see the overall picture in our trends section.
In short: the rule that never fails
If you had to keep just one idea, let it be this: no serious parcel company charges you a fee through a link that arrives by text. Full stop.
When you receive one of these messages:
- Don't tap the link.
- Check the shipment yourself, by typing the official website by hand and using your tracking number.
- If you're not expecting anything, delete it.
- If you fell for it, call your bank straight away and report it on 017.
Parcel smishing will keep coming because it's cheap to send and, every so often, someone bites. Your best defence is knowing the pattern. Once you spot it, it stops working on you.
If you've received a suspicious text or call about a shipment, report it in our directory of spam numbers. Every report helps the community recognise the fraud before falling for it. And if you want to understand better how the identity of whoever messages or calls you can be manipulated, take a look at how to read the risk signals of a number.
Received a suspicious call?
Look up the number in NoCall before sharing data, calling back, or clicking any link.
Search a phone number or a company name (DBS, Singtel and StarHub...) to check if it has been reported as spam.
