Photo by Markus Winkler on Unsplash
Someone knocks on your door. There is a package with your name on it, a real tracking label, and a "Cash on Delivery" tag. You did not order anything. You tell the delivery person you want to refuse it, and they say no problem, just enter the code that was sent to your phone to cancel the order.
That code is not a cancellation code. It is a one-time password from your bank. If you enter it, the person at your door will have authorization to withdraw money from your account.
This is a real scam. It has been spreading on a major e-commerce platform in some countries, where delivery drivers show up with packages addressed to real people for orders that those people never placed. The package looks legitimate because it came through a legitimate platform. The delivery person looks legitimate because they are, technically, making a real delivery. Everything about the interaction feels routine, except for the part where you hand over access to your bank account.
The reason this works is the same as most fraud works: it does not look like a scam. It looks like a regular Tuesday.
What makes this particular scam so effective
The delivery trick is what the SEC and fraud researchers would call a brand imposter scam (SEC, 2024). The package does not arrive from some random website nobody has heard of. It arrives from a platform the recipient already knows, already uses, and already trusts. That familiarity is the whole point. You are not suspicious of it because you have no reason to be.
And the mechanics are not specific to any one country or delivery service. The underlying playbook, fake deliveries combined with social engineering for authentication codes, can show up anywhere, through any platform. A version of this has been spreading through a major domestic e-commerce company in India, but the playbook travels. The same structure would work just as easily with a US carrier or a food delivery app.
The numbers behind the problem
If that story still feels like something that only happens far away, the data says otherwise.
In 2024, Americans reported losing $12.5 billion to fraud, according to the Federal Trade Commission (FTC, 2025a). That is a 25% jump from 2023, and the increase did not come from more people filing reports. The FTC received roughly the same number of fraud complaints as the year before, about 2.6 million (FTC, 2025a). What changed is that a higher share of those people actually lost money: 38% in 2024, up from 27% in 2023 (FTC, 2025a). Scams got better at finishing the job.
The FBI's numbers are even larger. The Internet Crime Complaint Center received over 859,000 complaints in 2024 and tracked more than $16.6 billion in reported losses, a 33% increase from the prior year (FBI, 2025). Investment fraud, especially schemes involving cryptocurrency, accounted for the biggest share of those losses at over $6.5 billion (FBI, 2025).
Across both datasets, the same categories keep showing up at the top. Imposter scams, where someone pretends to be your bank, a government agency, or a company you already use, were the most commonly reported fraud type in the FTC data, accounting for $2.95 billion in losses (FTC, 2025a). The SEC and FBI have both flagged a rise in impersonation schemes, specifically, including scammers posing as registered investment professionals or even SEC employees (SEC, 2024). The problem with imposter scams is that the standard advice to "check credentials" does not always help, because the scammers are using real names, real titles, and cloned websites that look identical to the originals.
Investment scams had the highest total dollar losses in the FTC data at $5.7 billion (FTC, 2025a). Bank transfers and cryptocurrency payments together accounted for more losses than all other payment methods combined (FTC, 2025a).
And then there is the age question.
Who actually gets scammed
If you are a college student reading this and thinking this is mostly an older person's problem, the FTC data tells a different story. People aged 20 to 29 reported losing money to fraud 44% of the time, a higher rate than any other age group (FTC, 2025a). Compare that to 24% for people aged 70 to 79.
The per-incident losses were smaller for younger adults: a median of $417 for the 20 to 29 group versus $1,000 for people in their 70s and $1,650 for those 80 and over (FTC, 2025a). But the frequency was higher. Being young and constantly online does not make you harder to scam. It makes it easier to reach.
The Illinois data shows the same pattern at the state level. In 2025, 41.5% of Illinois consumers aged 19 and under who filed a fraud report said they lost money. For the 20 to 29 group, 28.0%. For people 80 and over, 16.0%. The median losses run in the opposite direction: $129 for the youngest group, $210 for people in their 20s, $1,000 for those 70 to 79, and $1,500 for those 80 and over. Older adults get scammed less frequently, but when they do, the per-person damage is 5 to 12 times larger.
There is another layer to this that does not always get discussed. The 20 to 29-year-old age group may also be more willing to report that they were scammed. Older and middle-aged adults may feel more shame around admitting to a loss, and that reluctance may be even stronger when the scam involves a personal relationship, such as a romance scam. The FTC numbers reflect what people chose to tell someone about. The real numbers, for every age group, are almost certainly higher.
What it looks like closer to home
Those are the national numbers. Here is what the picture looks like in Illinois.
In 2025, Illinois consumers filed 213,686 fraud, identity theft, and related reports with the FTC. Of those, 92,431 were classified as fraud, and the total reported dollar losses reached $362.8 million (FTC, 2025a). The median loss per person who reported losing money was $324.
Four years earlier, in 2021, that total loss figure was $130.5 million. It has nearly tripled since. The number of fraud reports fluctuated year to year, but the trend in dollar losses went in one direction the entire time. More money is lost every single year.
On a per capita basis, Illinois ranked 6th in the country for identity theft reports per 100,000 residents in 2024, at 467 per 100K (FTC, 2025a). For total fraud, identity theft, and other reports combined, Illinois ranked 11th at 1,217 per 100K. Both are above the national average.
The inflated total report count in 2021 is largely driven by identity theft. Illinois consumers filed 117,058 identity theft reports that year, or 922 per 100,000 residents (FTC, 2025a). This spike aligns with widespread fraud tied to pandemic-era relief programs. Government documents and benefits fraud alone accounted for over 76,000 of those. Unemployment fraud, stimulus check scams, data breaches, all of it landed at once. By 2022, identity theft reports had dropped to 42,555 (335 per 100K). They settled into the 39,000 to 43,000 range for 2023 and 2024, then climbed back to 59,249 in 2025 (467 per 100K, ranking Illinois 6th in the nation for identity theft per capita). The pandemic compressed several years of growth into one spike, and even after identity theft counts came down, the dollar losses kept climbing on a separate track entirely.
Back to that doorstep
Remember the delivery scam from the opening? One thing worth paying attention to: many banks and payment apps now include a message with their authentication codes that says something like "never share this code with anyone." That warning is there for exactly this reason. But in the moment, when a person is standing at your door, and you are scanning a text message for a string of numbers, it is easy to skip right past the fine print and focus on the digits.
That gap between knowing a rule and following it under pressure is where most fraud actually happens. Which brings us to the question of why any of these tactics work at all.
Why these tactics work
Photo by Mikhail Pushkarev on Unsplash
The delivery scam works for the same reasons most fraud works. None of it requires hacking into anyone's system. It requires getting a person to hand over the key voluntarily. Social engineering (HBS) is the technical term for this, and researchers have been studying it from multiple angles: psychology, information technology, and business operations, because it does not fit neatly into any one field.
Washo (2021) argues that social engineering needs to be understood as an interdisciplinary problem, not just a technical one. The human element, including how people process trust, authority, and urgency, is consistently identified as the weakest link in information security. System protections help, but they cannot fully guard against people using those systems.
A few specific mechanisms are at work in scams like the delivery trick.
The first is trust in familiar names. The scam uses a brand the recipient already recognizes. People lower their guard when something comes from a source they have used before. Cialdini's work on influence (2001) documents this as an authority and familiarity effect: we are much less likely to question something that appears to come from a source we already trust. The SEC has flagged this same dynamic in investment fraud, where scammers impersonate registered brokers using real names and cloned firm profiles, making the standard "verify their credentials" advice less reliable than it used to be (SEC, 2024).
Then there is urgency. A person standing at your door creates real-time social pressure. There is no "let me think about this" pause built into the interaction. Kahneman (2011) describes this as System 1 thinking: fast, automatic, reactive. Scammers design their approaches to trigger exactly this kind of response. The situation feels like it needs to be resolved right now, and that sense of immediacy overrides the slower, more careful thinking that would catch the red flags.
The third piece is how the scam reframes a high-stakes action as something low-stakes. Sharing a "cancellation code" feels like nothing. The scam disguises a bank authorization as a routine step in a mundane interaction. The FTC data on text scams shows this same pattern at scale: the $470 million in reported losses to text scams in 2024 often started with messages that looked like a routine notification, a package update, a toll fee, a bank alert, and then escalated into a financial transaction before the person realized what had happened (FTC, 2025b).
And underneath all of it is the fact that none of this requires breaking into anyone's account. It requires convincing a person to hand over the key. As Washo (2021) and others in the social engineering literature note, the weakest point in any security system is not the technology. It is the person using it. The Washo paper reviews research showing that traits like trust, the desire to be liked, and the tendency to comply with authority figures all make people more susceptible, and these are not character flaws. They are normal human qualities that scammers have learned to exploit.
It is not just deliveries
The delivery scam is one example. The FTC and FBI data show the full range of what is out there.
Imposter scams, where someone pretends to be your bank, the government, or a company you use, accounted for $2.95 billion in reported losses to the FTC in 2024 (FTC, 2025a). The FBI's IC3 data adds another layer: business email compromise schemes, which are a corporate version of impersonation, resulted in nearly $2.8 billion in losses in 2024 alone (FBI, 2025).
Text scams hit $470 million in the FTC data, with the most common being fake bank alerts, fake delivery notifications, and fake toll fees (FTC, 2025b). The share of text scam reports where people actually lost money has been climbing steadily: 5% in 2020, up to 11% in 2024 (FTC, 2025b). That toll fee scam alone generated more than 59,000 complaints to the FBI (FBI, 2025).
Social media scams led to $1.9 billion in losses in the FTC data (FTC, 2025a). 70% of people who reported being contacted by a scammer through social media said they lost money, the highest conversion rate of any contact method.
Job scams nearly tripled between 2020 and 2024 in the FTC data. Losses went from $90 million to $501 million, and these scams specifically target people looking for remote or flexible work (FTC, 2025a). If you are a student searching for part-time remote gigs, this one is directly relevant to you.
The playbook is the same every time: look familiar, create pressure, get the person to hand over something small that turns out to be the whole game.
The Illinois subcategory data puts dollar figures on this. In 2025, the "Miscellaneous Investments and Investment Advice" subcategory had just 2,929 reports from Illinois consumers but accounted for $175.9 million in losses. That is a single subcategory producing nearly half of all reported fraud losses in the state for the year. The per-report average works out to roughly $60,000. Government impostors generated 15,782 reports and $30.2 million, business impostors added 12,018 reports and $28.5 million, and romance scams, with only 1,551 reports, totaled $30.7 million, roughly $19,800 per report. Compare any of those to the 12,336 online shopping fraud reports that totaled $9.7 million, or about $784 each. The categories that generate the most reports are not the categories that cause the most financial damage.
How to protect yourself
Photo by FlyD on Unsplash
The most effective thing you can do is also the simplest: slow down. If a situation feels unexpected or pressured, allow yourself to stop. Tell the delivery person to come back. Hang up the call. Close the text. Scammers need you to act fast. Refusing to rush is your best defense.
Never share codes sent to your phone. No legitimate company, bank, or delivery service will ask you to share a one-time password, verification code, or authentication code to cancel or verify anything. If someone asks for a code, that is the red flag.
If something feels off, verify it through your own channels. Do not use any contact information provided by the suspicious message or person. Open the company's app or website yourself and reach out through their official support. If someone claims to be from the SEC or your bank, look up the real phone number independently and call that number.
If you think you may have shared a code or clicked a bad link, check your bank and email accounts right away. Change your passwords and call your bank's fraud line. Speed matters here.
Report what happened. File at ReportFraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov. You can also report to the Illinois Attorney General's office. These reports feed directly into the datasets that agencies use to track patterns and warn other people. Reporting matters even if you did not lose money, because it helps map how scammers are operating.
And tell the people around you. Share what you know with roommates, family, and friends. The FTC's own research staff has noted publicly that when people know about a scam, they are more likely to recognize it and avoid it.
If you have already been scammed
This part is harder to write and harder to read. But it matters.
If you have already fallen for a scam, you are not stupid, and you are not alone. Social engineering works because it is designed to work. These are not random attempts. They are built to exploit trust, urgency, familiarity, and the normal human instinct to be helpful or compliant. The fact that a scam succeeded does not mean you failed at something. It means someone deliberately manipulated a situation to take advantage of how people naturally think and respond.
Here is what to do:
Contact your bank or financial institution immediately. The faster you act, the better the chance of recovering funds or stopping further transactions. The FBI's IC3 reported a 66% success rate in freezing fraudulent wire transfers through their Recovery Asset Team, but speed matters (FBI, 2025).
Change your passwords for any accounts that may have been compromised. If you reused a password across multiple accounts, change all of them.
File reports with the FTC (ReportFraud.ftc.gov), the FBI IC3 (ic3.gov), and your local law enforcement. If the scam involved investment fraud, you can also file with the SEC at sec.gov/tcr.
Monitor your credit. You can place a fraud alert or credit freeze through the three major credit bureaus (Equifax, Experian, TransUnion). A credit freeze is free and prevents new accounts from being opened in your name.
Talk to someone you trust. Scam victims often feel embarrassed, angry, or ashamed, and those feelings can keep people from seeking help or reporting what happened. If you are a U of I student, SMMC is here to talk through the financial side of recovery without judgment.
Keeping your guard up all the time is not realistic, and nobody should expect that of themselves. Social engineering keeps working because scammers are often sophisticated, and they adapt. They take advantage of emotions and vulnerabilities that every person has. The point is not constant vigilance. It is building a few habits that make it harder for someone to rush you into a decision. And if a scam does get through despite those habits, that does not change what is true: it was not your fault. It was designed to work. What matters now is what you do next.
Closing
The scams that cost people the most money are not the ones that look suspicious. They look completely normal. The delivery scam works because it looks like every other delivery. The text scam works because it looks like every other notification. The investment scam works because it looks like every other opportunity someone shared in a group chat. That is the whole design. If it looked weird, nobody would fall for it.
You do not need to be suspicious of everything. You need one habit: when something unexpected asks you to act fast, slow down. That pause is the thing that makes the difference.
If a package shows up that you did not order, you do not owe anyone a code or an explanation. Close the door. Check on your own terms.
Learn more with SMMC
References
- Cialdini, R. B. (2001). Influence: Science and practice (4th ed.). Allyn & Bacon [Book].
- Federal Bureau of Investigation. (2025, April). 2024 Internet Crime Report. Internet Crime Complaint Center. https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
- Federal Trade Commission. (2025, March). New FTC data show a big jump in reported losses to fraud to $12.5 billion in 2024 [Press release]. https://www.ftc.gov/news-events/news/press-releases/2025/03/new-ftc-data-show-big-jump-reported-losses-fraud-125-billion-2024
- Federal Trade Commission. (2022, February). Consumer Sentinel Network Data Book 2021. https://www.ftc.gov/reports/consumer-sentinel-network-data-book-2021
- Federal Trade Commission. (2023, February). Consumer Sentinel Network Data Book 2022. https://www.ftc.gov/reports/consumer-sentinel-network-data-book-2022
- Federal Trade Commission. (2024, February). Consumer Sentinel Network Data Book 2023. https://www.ftc.gov/reports/consumer-sentinel-network-data-book-2023
- Federal Trade Commission. (2025, April). Top text scams of 2024 [Data Spotlight]. https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2025/04/top-text-scams-2024
- Federal Trade Commission. (2025, March). Consumer Sentinel Network Data Book 2024. https://www.ftc.gov/reports/consumer-sentinel-network-data-book-2024
- Federal Trade Commission. (n.d.). Explore data: Consumer Sentinel Network [Interactive dashboard]. https://www.ftc.gov/exploredata
- Harvard Business School, Information Technology. (n.d.). Protecting yourself against social engineering. https://www.hbs.edu/information-technology/security-privacy/scams/protecting-yourself-against-social-engineering
- Hindustan Times. (2024, December). 59-year-old Hyderabad man loses ₹2.49 lakh in delivery OTP scam: How the fraud unfolds
- Kahneman, D. (2011). Thinking, fast and slow. Farrar, Straus and Giroux [Book].
- US Securities and Exchange Commission. (2024, December). Beware of fraudsters impersonating investment professionals and firms [Investor Alert]. https://www.investor.gov/protect-your-investments/fraud/types-fraud/impersonation-schemes
- Washo, A. H. (2021). An interdisciplinary view of social engineering: A call to action for research. Computers in Human Behavior Reports, 4, 100126. https://doi.org/10.1016/j.chbr.2021.100126
Data methodology note
The national data in this article come from two primary sources: the Federal Trade Commission's Consumer Sentinel Network Data Book for 2024, published in March 2025, and the FBI's Internet Crime Complaint Center 2024 Annual Report, published in April 2025. The FTC and FBI use different reporting systems and complaint intake processes, which is why their total loss figures differ ($12.5 billion vs. $16.6 billion). Both are based on voluntarily filed consumer reports and do not represent the full scope of fraud activity.
Illinois-specific data was extracted from the downloadable CSV files available on the FTC's reports page. Trend comparisons use data from the 2020, 2021, 2022, 2023, and 2024 editions of the Data Book to capture shifts associated with the pandemic and its aftermath. Interactive dashboards are available at the FTC's Explore Data page (ftc.gov/exploredata). The FBI IC3 report also includes state-level breakdowns.
All figures are based on unverified consumer reports and may understate the actual scope of fraud, particularly for demographics that are less likely to file reports.
