Last year, I received a package with an electronic cat fountain I didn’t order – and I don’t even have a cat. At the time, I chalked it up to a common “brushing” scam, where a seller sends you an unsolicited item just so they can post a fake review under your name.
But now the FBI is sounding the alarm about a much more dangerous version of this scam – one that uses QR codes to launch phishing attacks, steal personal information, or install malware on your device.
According to the FBI’s Internet Crime Complaint Center (IC3), scammers are slipping QR codes into anonymous packages, prompting you to scan them to “learn more” about the delivery. The page might look like it belongs to FedEx, UPS, USPS, Amazon, or another familiar name. But in reality, it’s a trap designed to harvest your login credentials, credit card number, or other sensitive data.
This is a step up from what the FTC warned about earlier this year. The FTC flagged similar QR code scams back in January – but the FBI’s latest bulletin emphasizes how widespread and convincing the scam pages have become. They're not just faking retail and shipping sites. In some cases, the fake websites prompt victims to download tracking apps that are actually malware in disguise.
Why QR Codes Make It Easier for Scammers
With a traditional phishing email or link, you can usually hover over the URL to see where it goes before clicking. QR codes strip away that visibility. You don’t know what you’re scanning until the damage is done.
If you feel compelled to check where the QR code leads, don’t just scan blindly. I recommend using the Google app on iPhone or the Google search bar on Android to scan the code. Both will preview the URL – just don’t tap the search icon unless you're sure the link is safe.
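Once a scanner app has shown you the URL, the part that matters is the hostname. The following is an added example, not part of the original article or of any FBI guidance: a small Python check that judges a decoded QR string the way a careful reader would. The allowlist of domains and the sample URLs are assumptions constructed for illustration, and the `.example` hosts are placeholders.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains of the brands the article names.
OFFICIAL_DOMAINS = {"fedex.com", "ups.com", "usps.com", "amazon.com"}

def assess_qr_url(payload: str) -> tuple[str, str]:
    """Return (verdict, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is lowercased
    except ValueError:
        return "reject", "not a parseable URL"
    if parts.scheme != "https":
        return "reject", f"scheme is {parts.scheme or 'missing'!r}, not https"
    if parts.username is not None:
        # https://brand.com@other.example/ really goes to other.example
        return "reject", "text before '@' hides the real host"
    if not host:
        return "reject", "no hostname"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "reject", "internationalized hostname can imitate a brand"
    for domain in OFFICIAL_DOMAINS:
        # Match the domain itself or a true subdomain, never a mere prefix.
        if host == domain or host.endswith("." + domain):
            return "official", f"host belongs to {domain}"
    return "unknown", f"{host} is not a listed carrier or retailer domain"

if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real package.
    samples = [
        "https://www.fedex.com/fedextrack/?trknbr=000000000000",
        "https://fedex.com.parcel-status.example/track",
        "https://www.usps.com@delivery-check.example/redelivery",
        "http://www.ups.com/track",
    ]
    for s in samples:
        print(assess_qr_url(s), s)
```

An "official" verdict only says the hostname belongs to a listed brand; anything else should be treated like the unsolicited package itself.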
How Did They Get Your Info?
If you’ve received an unsolicited package, chances are your personal data – like your name and address – is already circulating out there. Scammers often tap into leaked data from previous breaches or purchase it in bulk from shady sources.
At this point, it’s safe to assume that most of us have had some part of our data exposed.
What to Do If You Receive a Suspicious Package with a QR Code
- Don’t scan the QR code. If you’re tempted, inspect the package for tracking numbers or other identifiers you can verify through official websites.
- If you already scanned it:
  - Don’t enter any personal or payment information.
  - If you did, immediately change your passwords – especially if you reuse them across sites.
  - Monitor your credit reports for unauthorized activity. Consider placing a fraud alert or credit freeze.
- Report it: Go to IC3.gov to file a complaint with the FBI. You can also report to the FTC at ReportFraud.ftc.gov.
The packaging scam may look harmless, but QR codes are an easy way for criminals to bypass your usual security instincts. If a surprise delivery shows up at your door with a QR code inside, your best move is to ignore it and move on.