WTF?! A new twist on package-related scams is drawing concern from federal authorities, as the FBI warns Americans to be vigilant when receiving unexpected parcels containing QR codes. According to a recent alert, criminals have begun exploiting the ubiquity of QR codes as a tool for financial fraud and identity theft.
The scheme unfolds when an individual receives a package that's addressed to them, but with no clear sender. The inside may include a note and a QR code, inviting the recipient to scan it for details about the package, instructions on returning it, or even to supposedly claim a prize. While cases of this scam are not yet as widespread as other forms of fraud, the FBI emphasizes the need for public awareness, citing the rapidly evolving tactics of cybercriminals.
When scanned, a fraudulent QR code does not automatically infect a device, but the real danger lies in where the code leads.
Often, these codes redirect unsuspecting individuals to phishing sites cleverly masked as legitimate companies' websites. There, visitors may be prompted to enter personal or financial information, such as credit card details, login credentials, or home addresses.
The #IC3 is warning the public to beware of unsolicited packages containing a QR code that prompts the recipient to provide personal and financial information or unwittingly download malicious software that steals data from their phone. Learn more here: https://t.co/IICCJ2yo1R pic.twitter.com/N9H6OyeSJa
– FBI Los Angeles (@FBILosAngeles) July 31, 2025
In some reported incidents, scanning the code resulted in malware being downloaded onto the victim's device, opening the door to data theft and unauthorized access to apps, contacts, and even online bank accounts.
This trend takes advantage of consumers' increasing familiarity with QR codes, whose use accelerated during the pandemic, and are now commonly used for payments, information, and authentication.
Many people still underestimate the potential threat posed by scanning codes from unknown origins, according to NordVPN research, 73 percent of Americans scan QR codes without verification, and more than 26 million have already been directed to malicious sites.
Authorities have connected this QR code scam to a broader fraudulent practice known as brushing, in which unscrupulous e-commerce vendors boost their ratings and the visibility of their products by sending unsolicited, low-cost goods to random individuals.
These illegitimate shipments allow vendors to post fake "verified" reviews in the recipient's name, inflating sales numbers and enhancing the product's perceived reliability online. With the addition of QR codes, brushing scams now carry the risk of exposing recipients to phishing or malware attacks, further endangering their privacy and security.
Consumer protection agencies are urging vigilance with unexpected deliveries. They recommend not scanning QR codes from unknown senders or in unsolicited packages, and verifying web addresses that appear after scanning a code.