QR codes are built into the modern internet experience. You point your phone at the square with a strange pattern, and it loads a website that offers specific information. But you shouldn’t just point your camera at all the QR codes around you without knowing where they’ll lead you. The FBI issued a warning for Americans in late July 2025, alerting them to a new type of fraud that starts with a mysterious package that features only a QR code. The FBI is warning recipients not to scan it, as they may be the target of a fraud scheme designed to steal personal information, money, or both.
The Federal Trade Commission (FTC) issued a similar warning in January 2025 about unexpected packages containing notes with QR codes inviting recipients to scan them for more information. A month later, the U.S. Postal Service (USPS) issued its own warning about QR codes appearing in unsolicited packages. The FBI explains that the QR code scam is part of a category of fraud called “brushing scams.” Some online vendors may send unsolicited products to recipients and then use that person’s information to generate a review of the product.
The FBI’s warning concerns a variation of brushing in which attackers place QR codes in packages to convince recipients to scan them to perform additional tasks. The QR code may direct the user to a website that prompts them to enter personal information or financial details. QR codes can also be used to install malicious software on phones to steal data from users in a scam the USPS calls quishing, or QR code phishing.
What should you do if you scanned the QR code?
The FBI warns users not to scan QR codes from unknown origins, and to avoid granting permissions on their phones to load websites and install applications. The agency also notes that users should be cautious with packages that do not contain sender information, especially packages that contain products the recipient hasn’t ordered. The FBI also says that victims should report suspicious activity to the Internet Crime Complaint Center (IC3). People who may need assistance, including adults over 60, can use the DOJ Elder Justice Hotline instead: 1-833-FRAUD-11 (or 833-372-8311).
The thing to keep in mind if you’ve received a mysterious package containing a QR code is that the attackers already know your name and address. They may be looking to obtain other information, like credit card details, social security numbers, usernames, and passwords, from their victim. That’s why it’s important not to fill in such details on any websites or apps you may open or download via the potentially malicious QR codes. The FBI advises users to change account profiles and obtain free credit reports if they’re targets of brushing scams.
If you’ve already scanned a QR code but didn’t type or install anything, you should close that page. If you’ve entered your credentials in a form, you should change your password and username for that website. If you’ve used payment information in a potentially fraudulent form, you should review your bank statements and check for unauthorized transactions. You may need to take additional steps, like a credit freeze, to protect your accounts. Also, you may be the victim of identity theft. The FTC advises users to get a personal recovery plan at IdentityTheft.gov.
What should you do with the packages?
It’s unclear how many people have been receiving unsolicited mail with QR codes attached, or whether authorities have been able to catch any criminals. The FBI warns that the QR code scam isn’t as widespread as other scams. But it’s not just the QR code to worry about. You still have a package containing products you did not order, and you may receive others, as unknown attackers have your name and address. The USPS has a help page for brushing scams that offers tips on how to deal with unsolicited packages.
If you like the products you did not order, you can keep them, and you don’t have to pay for them. You can also throw the products away if it’s safe to throw them out. Another option is keeping the package unopened and having the USPS return it to the sender for free, assuming it has a return address. The USPS also advises users to monitor their credit and change account passwords. If the package comes from a well-known retailer, like Amazon, eBay, or others, recipients can file fraud reports.
Unsolicited packages can also contain potentially dangerous content, like seeds, foods, plants, liquids, and other substances. Recipients can inform authorities. The USPS also has a separate portal for suspicious mail that recipients can use, which includes a phone number for postal inspectors (1-877-876-2455).
