The FBI is warning the public to watch out for unexpected packages featuring QR codes.
On Friday, the FBI published an alert about packages that arrive without any sender information but include QR codes used to facilitate “financial fraud activities.” The agency says the codes can trick a user into providing their personal or financial information. In other cases, they can dupe the victim into downloading “malicious software that steals data from their phone.”
“To encourage the victim to scan the QR code, the criminals often ship the packages without sender information to entice the victim to scan the QR code. While this scam is not as widespread as other fraud schemes, the public should be aware of this criminal activity,” the FBI says.
A QR code is essentially a barcode that stores a URL your phone’s browser can easily open. Scanning one won’t automatically infect your device or expose personal data, despite common misconceptions. Instead, malicious QR codes redirect users to dangerous websites—often disguised as legitimate brands—where further user interaction is typically required to trigger a scam or malware download.
As a result, it’s never a good idea to scan a random QR code, since you’re essentially causing your phone to visit a website you know nothing about. Last year, cyber authorities in Switzerland warned about a similar scheme involving letters that pretended to be from a federal meteorology office. The letters contained a QR code to download a weather app, but in reality it was a ruse to spread malware.
Since then, the FTC and United States Postal Inspection Service have also warned about scammers using QR codes on unsolicited packages. “The recipient is asked to scan the QR code under the guise of registering the gift and to get more information about the sender. If you scan the code, you are sent to a spoof website where you are asked for personal or financial information,” the agency said in February.
The scheme also builds off another fraud activity known as “brushing,” or a way shady vendors can write fake reviews for their products. To pull this off, a vendor will uncover a consumer’s mailing address and make an order in their name, resulting in an unexpected package.
“The intention is to give the impression that the recipient is a verified buyer who has written positive online reviews of the merchandise, meaning: they write a fake review in your name,” USPIS added. “These fake reviews help to fraudulently boost or inflate the products’ ratings and sales numbers, which they hope results in an increase of actual sales in the long-run. Since the merchandise is usually cheap and low-cost to ship, the scammers perceive this as a profitable pay-off.”
About Michael Kan
Senior Reporter
