The FBI has issued a warning about a new scam in which cybercriminals send unsolicited packages containing a QR code to people’s homes, aiming to steal personal and financial information or install malware on their devices. These packages often lack sender information, making them seem mysterious and tempting to open.
Modus operandi
Scammers mail unexpected packages without sender information, deliberately creating curiosity that encourages recipients to scan the included QR code. Once scanned, the code either:
- Redirects users to fake websites requesting personal and financial information.
- Automatically downloads malicious software that steals data from phones.
- Attempts to gain unauthorized access to device permissions.
This strategy is based on old "brushing scams," in which unscrupulous vendors send unsolicited products in order to generate fake positive feedback. The new variation uses QR codes to permit more serious financial theft, rather than simple review manipulation.
Who is at risk?
Anyone who receives a surprise package—especially one without clear sender details—could be targeted. The scam exploits curiosity and the widespread, trusting use of QR codes for payments, menus, and other daily activities.
Safety tips
- Do not scan QR codes from unknown or unsolicited packages.
- Be cautious of packages you didn’t order, especially those without sender information.
- Inspect links carefully if you do scan a QR code—look for suspicious URLs before proceeding.
- Secure your online accounts and consider requesting a free credit report if you suspect you’ve been targeted.
- Stay vigilant in public places, as scammers also place fake QR codes on parking meters and in stores.
This warning comes amid a broader rise in sophisticated scams, including voice message attacks where criminals impersonate recognizable figures to encourage victim interaction. The FBI emphasizes that while QR codes may appear harmless, they can pose significant security risks when used maliciously.