The FBI issued a public service announcement on July 31, 2025, warning consumers not to scan QR codes found inside unsolicited packages delivered to their homes. The alert describes a fraud scheme in which criminals mail mystery parcels, often with no return address, containing cards that urge recipients to scan a QR code for tracking details or return instructions. Scanning those codes can route victims to phishing websites designed to steal personal and financial data, or trigger malware downloads that compromise their devices.
How the Package QR Code Scam Works
The scheme follows a simple but effective playbook. A package arrives at someone’s doorstep from an unknown sender, sometimes labeled as a gift. Inside, a card or insert encourages the recipient to scan a QR code, typically under the pretense of identifying who sent it or learning how to return it. The FBI’s Internet Crime Complaint Center, in its July 2025 bulletin, notes that these parcels frequently lack sender information, making the QR code appear to be the only way to learn more.
That is precisely the trap. The QR code directs the scanner’s phone browser to a fraudulent website that mimics a legitimate retailer or shipping company. From there, the site may request login credentials, payment card numbers, or other sensitive details under the guise of confirming an order or issuing a refund. In other cases, the link may attempt to install malicious software onto the device, potentially giving criminals access to saved passwords, email accounts, or banking apps.
Cybersecurity researchers have documented how a single unsafe QR code scan can be enough to compromise a device, particularly when a victim is tricked into approving permissions or entering credentials on a spoofed site. Because QR codes hide the destination URL until after scanning, victims have little visual warning that anything is amiss. The combination of curiosity, the apparent legitimacy of a physical package, and the promise of a free gift or easy return makes this approach unusually persuasive.
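An added example (not from the FBI bulletin or this article) of how a scanner app or security tool can surface the real destination of a decoded QR payload before anything is opened. The trusted domains, the function name and the sample payloads are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the recipient really does business with (placeholders).
TRUSTED_DOMAINS = {"shipper.example", "retailer.example"}

def inspect_qr_payload(payload: str) -> dict:
    """Report where a decoded QR payload really leads, with warning flags."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return {"host": None, "trusted": False, "flags": ["unparseable"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return {"host": None, "trusted": False, "flags": ["not-a-web-link"]}
    host = (parts.hostname or "").rstrip(".").lower()
    flags = []
    if scheme != "https":
        flags.append("no-tls")
    if parts.username is not None:
        # "https://brand@other-host/" shows the brand but connects to other-host
        flags.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")  # possible look-alike characters
    # Trusted only when the host is the domain itself or a subdomain of it.
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted and any(d.split(".")[0] in host for d in TRUSTED_DOMAINS):
        flags.append("brand-name-in-untrusted-host")
    return {"host": host, "trusted": trusted and not flags, "flags": flags}

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://shipper.example/track?id=123",
    "https://shipper.example.returns-portal.test/login",
    "https://shipper.example@203.0.113.7/refund",
    "http://203.0.113.7/gift",
    "Scan to claim your gift",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_qr_payload(sample))
```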
A Dangerous Twist on Brushing Scams
Federal agencies classify this tactic as a variation of so-called brushing scams, a long-running e-commerce fraud in which sellers ship cheap, unrequested merchandise to random addresses so they can post fake verified-purchase reviews under those recipients’ names. The FBI’s cyber division explicitly ties the QR code packages to this broader brushing category, but with a key escalation. Instead of merely gaming product reviews, the scammers are now actively harvesting credentials and deploying malware.
The U.S. Postal Inspection Service has tracked this evolution as well. In its guidance on mail-based brushing, the agency describes how cards or inserts may be sent under the pretext of identifying the sender, claiming a reward, or getting return instructions. U.S. Postal Inspector Andrea Avery, featured in an earlier USPIS public service announcement, explained that traditional brushing scams involved unsolicited merchandise sent to create the illusion of a legitimate customer review. The QR code twist converts what was once largely a nuisance into a direct theft vector.
Most coverage of brushing scams has treated them as oddities, packages people did not order but get to keep for free. That framing misses the real danger now. The addition of QR codes means opening an unexpected parcel and scanning its contents out of curiosity can lead to identity theft, drained bank accounts, or a compromised phone. The gap between “weird but free stuff” and “active fraud” has effectively closed.
Federal Agencies Have Been Tracking QR Code Fraud for Years
The July 2025 alert is not the FBI’s first warning about QR codes being weaponized for fraud. In November 2021, the IC3 published an advisory detailing schemes in which scammers provided QR codes tied to their cryptocurrency wallets and directed victims to use cryptocurrency ATMs to send payments. That earlier warning, documented in a cryptocurrency fraud notice, focused on payment diversion rather than data theft, but the underlying mechanic is the same: criminals exploit the fact that QR codes obscure their destination until after a user scans them.
The Federal Trade Commission has issued its own parallel warnings about malicious QR codes in emails, text messages, and public posters, emphasizing that attackers often impersonate delivery companies, banks, and government agencies. A January 2025 consumer alert from the FTC described the same pattern seen in the FBI’s July notice: an unexpected package, an unknown sender, a note claiming it is a gift, and a QR code that supposedly reveals more information or enables a return.
Taken together, these advisories show that QR code fraud is not a single campaign but a growing category of attack that keeps finding new delivery channels. Physical mail is simply the latest one, and in some ways the most effective, because people tend to trust tangible objects more than digital messages. A printed card in a sealed box can feel more legitimate than a random text, even though the underlying risk is identical.
What Recipients Should Do and Avoid
The FBI’s guidance is direct: do not scan QR codes from packages that arrive unexpectedly, especially when the parcel has no identifiable sender or tracking history you recognize. If someone receives such a package, the agency recommends contacting a local field office with questions or to file a report. For anyone who believes their information has already been compromised, the bureau points recipients toward its victim assistance resources, which outline steps for reporting and recovery.
Several practical steps can reduce exposure:
- Treat any QR code in an unsolicited package as suspicious by default, regardless of whether the accompanying note claims to be from a retailer, shipping company, or anonymous gift-giver.
- If a parcel prompts you to arrange a return, claim a reward, or “verify” delivery, navigate to the company’s official website by typing the address into your browser or using a trusted app, rather than scanning any enclosed code.
- Check bank and credit card statements for unauthorized charges if you have already scanned a questionable QR code or entered information on a site it opened.
- Update device operating systems and security software so that, if a malicious site attempts to deliver malware, you have at least some technical defenses in place.
- Preserve the packaging and any inserts if you suspect fraud; these materials can help investigators trace the source or pattern of the scam.
Consumers can also reduce their exposure by limiting how widely their shipping details are shared. Using strong, unique passwords for e-commerce accounts, enabling multi-factor authentication, and avoiding public posting of addresses can make it harder for scammers to build mailing lists. While that will not stop all unsolicited packages, it can narrow the attack surface.
Staying Ahead of Evolving QR Code Scams
Law enforcement officials emphasize that QR codes themselves are not inherently dangerous; the risk lies in where they lead and how criminals exploit trust. As attackers continue to adapt, the FBI encourages the public to stay informed about emerging tactics. One way to do that is by subscribing to email alerts that distribute new public service announcements and cybercrime updates as they are released.
The unsolicited package scam illustrates how quickly familiar technologies can be repurposed for fraud. QR codes were widely adopted because they are convenient and contactless; those same traits now make them ideal tools for criminals who want to hide malicious links in plain sight. By treating every unexpected code as a potential risk, especially when it arrives in a package you never ordered, consumers can blunt the impact of this latest twist on brushing scams and help deny scammers the easy wins they are counting on.
*This article was researched with the help of AI, with human editors creating the final content.