Morning Overview

The FBI says scammers are now mailing packages with QR codes that drain your accounts.

Criminals are sending unsolicited packages to homes across the country, each containing a QR code designed to steal personal data or install malware on the recipient’s phone. The FBI published Alert Number I-073125-PSA warning that these packages often arrive with no sender information and instruct recipients to scan the code to find out who sent the item. The scheme is a modern twist on the brushing scam, but instead of simply inflating fake product reviews, the enclosed QR code funnels victims toward credential theft and financial fraud.

Why physical QR-code scams bypass digital defenses

Email phishing has trained millions of people to distrust suspicious links in their inbox. Spam filters catch a large share of those messages before they ever reach a user. A cardboard box on the doorstep, however, sidesteps every one of those digital guardrails. The package feels real, and the enclosed card telling the recipient to scan a QR code to “identify the sender” or “arrange a return” creates a plausible reason to act.

Academic research on QR-code phishing, sometimes called “quishing,” helps explain why the tactic works. A field study published on arXiv found that QR codes are high-risk compared with visible URLs because users cannot easily preview the destination before their phone opens it. With a traditional link, a careful reader can hover or inspect the address. A QR code offers no such preview, which means the victim’s first glimpse of the fraudulent site comes only after the phone has already loaded it.

That gap between physical trust and digital risk is exactly what these scammers exploit. Recipients who would never click an unknown email link will readily point their phone camera at a printed square inside a package sitting on their kitchen counter. The social cues are all inverted: a plain cardboard box seems mundane, while a random email looks suspicious. Criminals are betting that the familiarity of home delivery will override whatever caution people have learned from years of online safety warnings.

FBI and postal authorities document the QR-code package threat

The FBI’s Internet Crime Complaint Center published its alert stating that scanning the enclosed QR code can lead to credential harvesting or malware download. The agency described the packages as arriving without return-address details, a deliberate choice that entices recipients to scan the code for answers. Once scanned, victims are prompted to enter personal or financial information on pages that mimic legitimate banks or government agencies, or they are silently redirected to malicious downloads.

The U.S. Postal Inspection Service has separately documented the same pattern, calling it a new variation of the brushing scam. According to the USPIS advisory, QR-code cards inside these packages claim the recipient must scan to identify the sender or confirm delivery. The sites behind the codes can impersonate bank login pages or government portals, harvesting usernames, passwords, and credit card numbers in seconds. In some cases, the QR code may simply confirm that the address is active, adding the household to lists for future fraud attempts.

The threat is not limited to consumers. A separate FBI alert, designated I-030625b-PSA, described scammers mailing physical letters with QR codes to corporate executives. Those letters posed as ransomware demands and included payment requests between $250,000 and $500,000, with the QR code linking directly to a Bitcoin wallet. The executive-targeting campaign shows that the same physical-mail vector is being adapted for high-value fraud, not just mass consumer schemes, and that QR codes can be used to route victims straight into cryptocurrency payment flows that are difficult to reverse.

The Federal Trade Commission has also flagged the tactic, warning that the QR code on an unexpected package can lead to phishing for credentials and credit card numbers or trigger a malware download. The FTC reminded consumers that under federal law, recipients do not have to pay for or return unordered merchandise, a protection that removes any legitimate reason to follow instructions in the box that pressure them to “verify” or “confirm” a shipment they never requested.

Gaps in the data and what to do if a package arrives

Neither the FBI nor the FTC has released figures on how many of these QR-code packages have been reported or how many victims have lost money. The IC3 alert does not include complaint totals, and no confirmed malware samples tied to the packages have been publicly identified by law enforcement. That absence of hard numbers makes it difficult to measure the scale of the campaign or compare its success rate against traditional email phishing or text-message scams.

The arXiv quishing study provides controlled evidence that users are susceptible to QR-code phishing, but it was conducted in a lab setting and does not measure real-world compromise rates from mailed packages specifically. No law-enforcement dataset currently bridges that gap between academic susceptibility findings and confirmed losses from physical-mail QR scams. For now, the strongest signal comes from overlapping warnings by federal agencies rather than from detailed public statistics.

For anyone who receives an unexpected package with a QR code inside, the first step is simple: do not scan it. The FBI guidance advises reporting the incident to law enforcement and to the delivery carrier. Recipients can photograph the label and contents, keep the packaging, and contact local police or postal inspectors if they suspect a broader mail-fraud pattern in their neighborhood.

If someone has already scanned a suspicious code and entered information, changing passwords immediately and enabling multi-factor authentication on financial accounts are the most direct ways to limit damage. Banks and card issuers should be notified at once so they can monitor for unauthorized charges or issue replacement cards. Victims can file complaints through the FBI’s IC3 portal and report fraud to the FTC, creating a record that may support future investigations and help agencies refine their public warnings.

For businesses, especially those with executives who receive large volumes of physical mail, security teams can include QR-code fraud in regular awareness training. That means teaching employees to treat QR codes on letters, invoices, or packages as untrusted links, verify requests for payment or credentials through known channels, and involve IT or security staff before scanning any code tied to financial or account-access actions. Mailroom procedures can also be updated so that suspicious items are logged and escalated rather than casually passed along.

The key development to watch is whether law enforcement begins publishing complaint volumes or identifying specific malware strains linked to these packages. More granular data would clarify whether criminals are primarily using QR codes to phish for credentials, install remote-access tools, or simply confirm active addresses for resale. Until that information becomes available, the clearest takeaway is that a QR code inside an unexpected delivery should be treated with the same suspicion as an unsolicited link in an email, regardless of how legitimate the box looks or how urgent the printed message sounds.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.