FBI Warns of Scam QR Codes in Unexpected Mail Packages

TL;DR

The FBI has issued a warning about unsolicited mail packages containing scam QR codes that lead to malicious websites. These packages, often lacking sender information, are part of a modern brushing scam tactic. Protect yourself by avoiding scanning unknown QR codes, verifying sender information, and keeping your devices updated with security software.

FBI Alert: Scam QR Codes in Unexpected Mail Packages

Receiving an unexpected package in the mail isn’t always a pleasant surprise. The FBI has issued a warning about unsolicited packages containing QR codes that lead to malicious websites designed to steal personal data or install malware on victims’ devices [1].

The Tactics of Cybercriminals

These packages often arrive without any sender information, featuring only a QR code. This deliberate omission of sender details is a tactic used by cybercriminals to pique curiosity and encourage recipients to scan the code. This scam is a modern twist on traditional brushing scams, where vendors send unsolicited merchandise to recipients and then use their information to post fake positive reviews [2].

The Role of QR Codes in Scams

The use of QR codes in these scams offers several advantages to cybercriminals:

  1. Unexpected Threat Vector: People typically don’t expect physical mail to pose a cybersecurity threat, making them more likely to scan the QR code without suspicion.
  2. Mobile Device Targeting: QR codes are usually scanned with mobile devices, which often lack the same level of security software as computers.
  3. Increased Familiarity: With 66% of people having scanned a QR code for purchases, the practice has become commonplace, reducing vigilance [3].

The Risks of Scanning Unknown QR Codes

Scanning a QR code without proper safety measures is akin to clicking an unknown link, but with an added risk: while links can be inspected before clicking, QR codes obscure their destinations. This makes it impossible for most people to distinguish between malicious and legitimate codes.

How to Protect Yourself from Brushing Scams

To safeguard against these scams, follow these precautions:

  • Avoid Scanning Unknown QR Codes: If you receive an unexpected package with a QR code, do not scan it. Scanning could lead to fake websites designed to steal your personal or financial information or install malware on your device.
  • Verify Sender Information: Legitimate businesses typically include a return address. Treat any mystery package without sender or return information with extra caution.
  • Do Not Enter Personal Information: If you end up on a site asking for personal or financial information after scanning a QR code, do not enter any details. Scammers can use this information to defraud you.
  • Keep Devices Updated: Ensure your device is running the most up-to-date software. Cybercriminals exploit recently discovered vulnerabilities that users may not have patched yet.
  • Use Secure QR Code Scanners: When scanning QR codes, use an app that displays the URL before opening the link. This helps you determine if the link is safe to follow.
  • Install Mobile Protection: Use up-to-date and active mobile protection software, preferably one that includes web protection.
  • Enable Two-Factor Authentication (2FA): Use 2FA wherever possible to make it harder for scammers to access your accounts if they obtain your login details.
  • Secure Your Identity: If your information appears to have been used for a scam, consider freezing your credit, changing passwords, and monitoring bank and online accounts for suspicious activity. Identity theft protection services can also be beneficial.
  • Report Scams: Report any brushing scams to the FBI at ic3.gov. Include as much information as possible, such as the name of the person or company that contacted you, the methods of communication used, and any applications you may have downloaded or provided permissions to on your device.
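
What the "displays the URL before opening the link" step in the list above can check, as an added Python example that is not from the original post or the FBI notice: it takes the text already decoded from a QR code and reports the real destination host plus warning flags, without opening anything. The flag names, the shortener list and the sample payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative shortener hosts (an assumption for this example, not from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def preview_qr_payload(payload: str) -> dict:
    """Describe where a decoded QR payload would go, without opening it."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return {"host": None, "flags": ["unparseable"], "display": text}
    if parts.scheme not in ("http", "https"):
        # QR codes can also carry plain text, tel:, sms: or Wi-Fi settings.
        return {"host": None, "flags": ["not-a-web-link"], "display": text}
    host = (parts.hostname or "").lower()
    flags = []
    if not host:
        flags.append("no-host")
    if parts.scheme == "http":
        flags.append("no-tls")
    if parts.username or parts.password:
        # Text before '@' is login data, not the site; it can imitate a brand.
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")
    if host in SHORTENERS:
        flags.append("shortener-hides-destination")
    return {"host": host, "flags": flags, "display": text}


# Constructed sample payloads (203.0.113.7 and .example are reserved for documentation).
SAMPLES = [
    "https://www.ic3.gov/",
    "https://account-login.example@203.0.113.7/verify",
    "http://xn--pple-43d.example/track",
    "https://bit.ly/constructed-id",
    "WIFI:S:guest;T:WPA;P:constructed;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = preview_qr_payload(sample)
        print(f"{info['host'] or '-':<22} {','.join(info['flags']) or 'no flags'}")
```

An empty flag list only means none of these checks fired; it does not show that a destination is legitimate.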

Conclusion

Staying informed and cautious is key to protecting yourself from these evolving scams. Always verify the source of unexpected packages and avoid scanning unknown QR codes. By taking these precautions, you can help safeguard your personal information and devices from cyber threats.

Additional Resources

For more information on protecting yourself from scams, visit:

  1. FBI. (2025). “PSA: Unexpected Packages with QR Codes”. Retrieved 2025-08-05.

  2. Malwarebytes. (2024). “What is a QR code?”. Retrieved 2025-08-05.

  3. Malwarebytes. (2024). “Tap. Swipe. Scam. Mobile Scam Report”. Retrieved 2025-08-05.

This post is licensed under CC BY 4.0 by the author.