Received a Mysterious Package With a QR Code? Don't Scan It
The FBI is warning about an emerging scam that uses QR codes on unwanted packages to trick users into submitting their personal information or downloading malware.
By Michael Kan
The FBI is warning the public to watch out for unexpected packages featuring QR codes.
On Friday, the FBI published an alert about packages that arrive without any sender information but include QR codes used to facilitate “financial fraud activities.” The agency says the codes can trick a user into providing their personal or financial information. In other cases, they can dupe the victim into downloading “malicious software that steals data from their phone.”
“To encourage the victim to scan the QR code, the criminals often ship the packages without sender information to entice the victim to scan the QR code. While this scam is not as widespread as other fraud schemes, the public should be aware of this criminal activity,” the FBI says.
A QR code is essentially a barcode that stores a URL your phone’s browser can easily open. Scanning one won’t automatically infect your device or expose personal data, despite common misconceptions. Instead, malicious QR codes redirect users to dangerous websites—often disguised as legitimate brands—where further user interaction is typically required to trigger a scam or malware download.
As a result, it’s never a good idea to scan a random QR code, since you’re essentially causing your phone to visit a website you know nothing about. Last year, cyber authorities in Switzerland warned about a similar scheme involving letters that pretended to be from a federal meteorology office. The letters contained a QR code to download a weather app, but in reality it was a ruse to spread malware.
The scheme also builds on another fraud known as “brushing,” in which shady vendors write fake reviews for their own products. To pull this off, a vendor uncovers a consumer’s mailing address and places an order in their name, resulting in an unexpected package.
“The intention is to give the impression that the recipient is a verified buyer who has written positive online reviews of the merchandise, meaning: they write a fake review in your name,” USPIS added. “These fake reviews help to fraudulently boost or inflate the products’ ratings and sales numbers, which they hope results in an increase of actual sales in the long-run. Since the merchandise is usually cheap and low-cost to ship, the scammers perceive this as a profitable pay-off.”