We see QR codes everywhere; on restaurant tables, real estate signs, packages boxes, and most of the time, they’re harmless. But the FBI is warning about a scam that hides behind these little black-and-white squares, and it could land right on your doorstep.
It starts with non solicited packages… a box you never ordered showing up out of nowhere. Normally, this is part of something called a brushing scam, where scammers send random packages just so they can post fake reviews in your name. Annoying? Yes. Dangerous? Not always.
But now, there’s another risk that comes with it: the package has a fake QR code. if you scan it, you could end up on a scam website asking for your details, or it might quietly install malware on your phone. once that’s done, thieves can get into everything, like your contacts, messages, even your bank accounts.
The FBI says this updated scam, called “phishing,” is designed to trick you into lowering your guard. And once you scan, it’s too late.
Brushing scam-and how scammers pull it off with QR codes
Here’s how the phishing play works:
-
A package shows up with no sender details.
-
On the box, you see a fraudulent QR code telling you to “claim your reward,” “confirm delivery,” or “track your order.”
-
If you scan it, you might land on a site that asks for passwords, bank numbers, or other sensitive info.
-
In some cases, the scan instantly installs malware that can steal passwords, logins, and other personal info from your device.
With a regular brushing scam, the worst outcome is your name being linked to fake reviews. But with phishing, you’re risking identity theft and financial fraud. And because unsolicited packages catch people off guard, curiosity is exactly what the scammers are counting on.
Protecting yourself from Phishing
The FBI has shared a few easy steps to boost your consumer protection:
-
Don’t scan QR codes from packages you didn’t order.
-
Treat any package with no return address as suspicious.
-
Never approve phone permissions or app access unless you’re 100% sure where it came from.
-
If you do get an unexpected package, dispose of it safely, don’t interact with it.
-
Change your account passwords immediately if you think you’ve been targeted.
-
Request a free credit report from Equifax, Experian, or TransUnion to check for unauthorized activity.
The main idea? Don’t let your phone camera become an open door for hackers.
Staying aware is staying in control of your personal information
Getting a random package might feel like a small mystery, but in this case, it’s one you don’t want to solve by scanning anything. These scams are clever because they use something we see every day — QR codes — and turn it into a trap.
Most of us are curious, even when were are sure we didn’t ordered or buy anything at all, we still want to have a look at what’s inside. The scammers know this very well and that’s why they do it this way.
But is up to you to put in a balance is that curious doubt is worth the risk of having all your live put in evidence by a brushing or phishing scam.
The best way to protect your personal data is to slow down and question anything unexpected. If you didn’t order it, if you don’t know who sent it, and especially if it has a fraudulent QR, keep your phone camera far away.
Scammers only need one quick scan to start causing problems. Being a little caution and acting fast when something feels wrong, can stop the fraud and keep your devices and information safe.