Unexpected Snail Mail Packages are Being Sent with Scammy QR Codes, Warns FBI

Unless, of course, they’re hoping curiosity will do the heavy lifting for them. The FBI is now warning about a sneaky new trick that turns your mailbox into a cyber trap.

In this publication, we’re unpacking (pun intended) a scam that blends old-school brushing tactics with modern QR code fraud—and it could land your personal data right in a criminal’s hands.

Unsolicited packages are arriving with nothing but a QR code inside. Scan it, and you could end up on a malicious website designed to steal your info or infect your device with malware.


How It Works

  1. The Bait: A package shows up at your door—no sender info, no receipt, just a QR code.
  2. The Hook: Curiosity kicks in. You scan it using your phone.
  3. The Catch: The code takes you to a fake site that either requests personal/financial info or silently downloads malware to your device.
  4. The Bonus Scam: Some scammers also use your name and address to post fake positive reviews (classic “brushing” tactic) to boost their own products online.


Who’s Targeted

  • Everyday consumers across all age groups.
  • More likely to catch those familiar with scanning QR codes for payments, menus, or promotions.
  • People with less mobile device security in place.


Recent Case

The FBI’s Internet Crime Complaint Center (IC3) reports a rise in these “QR brushing” incidents. In many cases, recipients didn’t recognize any purchase and were puzzled by the package—until they scanned the code and noticed strange bank charges or suspicious account logins.


Why You Should Care

This scam bypasses your email inbox and social feeds—going straight to your home. Since QR codes hide their destination, you can’t easily check where you’re going before you get there. Combine that with under-protected mobile devices, and it’s the perfect recipe for identity theft, drained accounts, or compromised phones.


How to Protect Yourself

  • Don’t Scan Mystery Codes: If you didn’t order something, treat any QR code like a suspicious link.
  • Look for a Return Address: Legit businesses almost always include one.
  • Use a QR Scanner with Preview: Choose an app that shows the URL before opening it.
  • Keep Devices Updated: Install security patches regularly.
  • Enable Mobile Security & 2FA: Guard against malware and make it harder for criminals to access your accounts.


Quick Tips

  • Did You Know? Scanning a QR code is just like clicking a link—you just can’t see it first.
  • Pro Tip: If you must scan a code, use a secure scanning app that warns you about unsafe sites.


Stay safe, stay informed.


Keyword Definitions

  • Brushing Scam: A fraudulent tactic where sellers send unsolicited packages to people so they can post fake positive reviews under those recipients’ names.
  • QR Code (Quick Response Code): A machine-readable code that stores website links, text, or other data, which is accessed by scanning it with a smartphone camera.
  • Malware: Malicious software designed to damage, disrupt, or gain unauthorized access to a computer or mobile device.
  • 2FA (Two-Factor Authentication): An extra layer of account security requiring two forms of verification before access is granted.
  • IC3 (Internet Crime Complaint Center): An FBI division that collects and investigates reports of cybercrime.

To read more, kindly find source article here


15,000 Fake TikTok Shop Domains Deliver Malware, Steal Crypto via AI-Driven Scam Campaign