It’s 7:42 p.m., the kitchen smells like oranges and roasted chicken, and a phone buzzes on the table between a pile of receipts and a half-wrapped gift. The message reads: “Il tuo pacco è in giacenza. Aggiorna la consegna qui: [link].” December is a blur of couriers, one-euro fees, and tracking codes that blink past like car lights in the rain. You’re tired, you tap, and a slick page opens with a familiar yellow-and-blue logo, the promise of a parcel, and a tiny surcharge that feels easier than thinking.
Two minutes later, notifications flicker from the bank like moths to a lamp, or nothing happens at all, which is worse because it lulls you into sleep. Morning brings silence, then panic, then the cold thud of balance minus. The trap is quiet.
The December SMS that plays on timing
Scammers don’t just guess; they wait for the month when everyone is ordering, returning, and juggling tracking numbers from three different couriers and a cousin’s surprise gift from Bari. The “pacco in giacenza” script is simple, using the urgency of delivery limbo to get you to act before you think, and the request for a micro-fee to make your guard drop with a sigh. What lands on your screen looks almost boring: a bland line of text, a short link, a nudge to “update payment,” and a promise that your package, finally, will move.
Consider Martina, a 34-year-old in Bologna, who clicked at 10:56 p.m. between putting the laundry on and messaging her brother about trains. The page mirrored a well-known courier to the pixel, asked for €2.49, and then for a code “to confirm the transaction,” which felt normal in a world of endless alerts. By morning, she had two missed calls from a “bank” number and a balance shorn by several withdrawals in quick succession, each one just under the threshold that would trigger alarms. She said it was like watching a magician shuffle, then realizing your ring had vanished.
This scam has variants. Some links lead to perfect copies of sites claiming to be Poste Italiane, SDA, GLS, or BRT, and they collect card numbers and one-time codes to replay instantly. Others push an Android app download outside the Play Store, dressed up as a tracking tool, that grants criminals remote control and steals banking logins as you type, especially if Accessibility permissions are coaxed on. On iPhones, the phishing leans on forms and fast social engineering; on Android, it can escalate to malware. The goal across all paths is the same: get you to do the work of your own undoing.
How to spot the fake and break the spell
Make a ten-second ritual for every delivery text: read the sender, press the link with your eyes not your thumb, and scan the domain like you’d check a bar tab, letter by letter. If the URL uses odd endings, dashes, or a courier name buried inside a longer string, stop and open the official courier app instead, or type the known site yourself. No genuine courier will block delivery behind a random extra fee via SMS, and tracking numbers never need your card to “reactivate.” A password manager can help too, because it won’t auto-fill on impostor domains, giving you a quiet, honest nudge.
Common traps thrive on late nights, small screens, and the need to tick a task off a list before bed, which makes all of us sitting ducks in December. We’ve all had that moment when a delivery ping feels like a lifeline, not a risk, especially with gifts on a deadline and neighbors sharing doorway hubs of cardboard. Let’s be honest: nobody actually does this every day. You might plan to check the link later on a laptop, then forget, then click when your guard is at its thinnest, which is exactly when the scam leans in with a smile.
Before you tap, pull one thread: does the text mention a real tracking code you already have, or does it use vague phrasing and a shortener? Real couriers rarely text from random mobile numbers, and banks never ask for codes inside a delivery flow, which is the biggest giveaway dressed as routine. If a page asks for card details to “release” a parcel, that’s a red flag waving above a trapdoor.
“A legitimate delivery issue can always be resolved inside the official courier app or through a known account,” says a security analyst who tracks smishing waves each winter. “Urgency is staged, and the fee is bait.”
- Don’t type any codes from calls or texts that follow a suspicious link.
- Close the page, open the official courier or bank app, and verify from there.
- Freeze your card in your banking app at the first whiff of weirdness.
- If you clicked and installed an app, disconnect mobile data and Wi‑Fi, then seek help from your bank and a trusted technician.
- Report the number and link to your carrier and to the Polizia Postale or your national cybercrime portal.
If you already clicked: fast steps that limit the damage
Panic tastes metallic, yet the next two minutes matter more than the last two hours, so turn that energy into movement and keep it simple. Open your banking app from your own shortcut, not from any link, and use the card freeze or lock feature immediately, then change your password from a second, clean device if you can. If you typed a one-time code after following a delivery link, call your bank using the number on the back of your card and ask for an urgent fraud block; those codes can be replayed in seconds while you hesitate.
Android users who installed a “tracking” app outside the Play Store should flip to airplane mode, then power off, to stop any live session or screen overlay that thieves could use to shepherd you into more approvals. From a different phone or computer, contact your bank, then your carrier, and ask to report a smishing incident; your bank might advise a clean reset of the device before you log in again. iPhone users rarely face malicious app installs from smishing, yet the phishing page can still grab credentials and trick you into authorizing transfers, so treat any code request after a delivery link as radioactive.
Filing a report with the Polizia Postale gives you paperwork for potential disputes and helps investigators track clusters that hit your area, and it’s easier to do that while details are fresh. Keep screenshots of the text, the URL, and any page you saw, then write down the time you clicked and any code you entered, because those timestamps help reconstruct the path of the withdrawals. **Freeze first, explain later**, and remember that real bank staff won’t scold you for being human in December; they get the surge too.
| Point clé | Détail | Intérêt pour le lecteur |
|---|---|---|
| Red flags in the SMS | Vague wording, short links, fake courier domains, requests for micro-fees | Spot the trap before tapping |
| Immediate actions | Freeze card, call bank via official number, change password from a clean device | Cut losses in the first minutes |
| Android vs. iPhone risk | Android may push sideloaded “tracking” apps; iPhone scams rely on phishing and codes | Tailor your response to your phone |
FAQ :
- What does the “pacco in giacenza” SMS usually look like?Short text in Italian claiming your parcel is “in storage,” plus a link to “update delivery” or pay a tiny fee; the domain is often odd or shortened.
- Are banks liable if my account is emptied after I enter a code?It depends on the bank and whether the transaction was strongly authenticated; report fast, document everything, and ask for a dispute review.
- I installed a “tracking” APK on Android. What now?Airplane mode, power off, contact your bank from another device, and plan a clean reset; change banking passwords only after the device is clean.
- How do scammers bypass one-time codes?They prompt you for the code under a fake pretext or keep a live session open to approve transfers while you think you’re confirming a delivery.
- Where can I report in Italy?Use the Polizia Postale channels, your bank’s fraud line, and your carrier’s spam reporting; sharing the link and number helps block new waves.
