FBI Warns of QR Code Scam Delivered in Mystery Packages
Criminals are mailing unsolicited boxes containing QR codes that can phish for personal data or install malware when scanned, federal authorities say.

The FBI issued a public warning this week about a rising scam in which criminals mail unsolicited packages that contain only a printed QR code designed to trick recipients into revealing sensitive information or installing malware.
According to the agency, the packages often arrive with no sender information, an omission meant to prompt curiosity and encourage recipients to scan the code. Once scanned, the QR code can redirect users to fraudulent websites that request banking, credit card or login credentials, or it can trigger downloads of malicious software that runs silently on the device and harvests data.
Federal officials described the scheme as a variation of the so-called brushing scam. Traditionally, brushing involved sellers sending unsolicited products to strangers and then using recipients' details to post fake reviews. Law enforcement says the approach has evolved from a nuisance into a deliberate fraud technique aimed at financial gain and identity theft.
The FBI's notice warned that scammers ship the packages without sender information to entice recipients to scan the code, and that some codes will prompt victims to provide personal and financial information or enable the download of software that steals data from phones. Victims often do not notice suspicious activity immediately; unauthorized charges, account takeovers or drained bank accounts may be the first visible sign of compromise.
QR codes have become ubiquitous in everyday life — used at restaurants, transit hubs and for payments — and that ubiquity is part of their appeal to criminals. Because a QR code conceals its destination until scanned, it can hide a malicious URL that would otherwise look suspicious in plain text. Industry surveys have found that many people scan QR codes without checking the underlying link, a behavior that security experts say scammers exploit.

Security specialists recommend caution when encountering unsolicited QR codes. They advise users not to scan codes found in mystery deliveries, random flyers or stickers on public signs. If a recipient is curious about a delivery, experts say to verify the sender through official channels — such as checking order histories in retailer accounts or contacting the retailer directly — rather than scanning an unverified code.
Other recommended protections include previewing URLs before opening them when the phone offers that option, keeping mobile operating systems and apps up to date, using reputable mobile security software, and enabling two-factor authentication on important accounts to reduce the chance of unauthorized access even when credentials are compromised. Law enforcement also encourages people to report suspicious packages and any resulting fraud to local authorities and to the FBI's Internet Crime Complaint Center.

The FBI did not quantify how widespread the packaged-QR-code scam is in its public notice, but its alert follows broader reporting by security researchers of increased abuse of QR codes and other digital shortcuts by fraudsters. Law enforcement officials said reporting such incidents helps investigators identify patterns, link cases and notify potential targets.
As QR codes remain a common convenience in payments, travel and commerce, authorities and security firms say the safest responses to unsolicited codes are skepticism and verification. Officials emphasized that consumers should treat an unexpected package with a QR code as a potential red flag rather than a puzzle to solve, and that resisting the urge to scan can prevent immediate exposure to phishing or malware threats.