Unsolicited Packages with QR Codes Pose Serious Fraud Risk, FBI Warns
The FBI has issued a stark warning to the public about a sophisticated scam involving unsolicited packages containing QR codes, which criminals use to steal personal and financial information or install malware on victims’ devices. This emerging threat, detailed in a July 31, 2025, public service announcement from the Internet Crime Complaint Center (IC3), represents a dangerous evolution of the traditional “brushing scam” and could lead to identity theft, drained bank accounts, or unauthorized access to sensitive data.
The Scam: How Unsolicited Packages with QR Codes Work
In this scam variation, fraudsters send unexpected packages to unsuspecting recipients, often without a return address or sender information to pique curiosity. Inside, victims find small items like jewelry, trinkets, or even just a printed QR code with a note urging them to scan it for “more information about the sender,” “product registration,” or to “claim your gift.” Once scanned, the QR code redirects users to fraudulent websites that mimic legitimate services, prompting them to enter login credentials, credit card details, or banking information.
Worse, some QR codes can trigger the download of malicious software, such as spyware or ransomware, that steals data directly from the device. The FBI notes that this tactic exploits the convenience of QR codes, which bypass traditional URL filters and security warnings on smartphones. “Criminals continue to evolve their tactics to target unsuspecting victims,” the agency stated, emphasizing that while not as widespread as other schemes, the public must remain vigilant.
This builds on the classic brushing scam, where scammers send unordered merchandise to post fake positive reviews under the recipient’s name, boosting their online ratings. The QR code addition turns it into “quishing” (QR code phishing), adding a layer of financial fraud.
FBI’s Urgent Advice: Precautions and Reporting Steps
To protect yourself, the FBI recommends the following key steps:
- Beware of Unsolicited Packages: Do not accept or open packages containing merchandise you did not order, especially if they lack sender details.
- Avoid Scanning Unknown QR Codes: Never scan QR codes from unsolicited sources, as they can lead to phishing sites or malware. If you must scan one, use a dedicated QR reader app that previews the URL first.
- Secure Your Online Presence: If you suspect involvement in a brushing or quishing scam, immediately change passwords, enable two-factor authentication, and review app permissions on your devices.
- Monitor Your Credit: Request a free credit report from Equifax, Experian, and TransUnion to check for fraudulent activity. Freeze your credit if needed to prevent identity theft.
- Report Incidents: File a complaint with the FBI’s IC3 at www.ic3.gov, including details like the sender’s name (if any), communication methods, websites visited, or apps downloaded. For seniors (60+), call the DOJ’s Elder Justice Hotline at 833-FRAUD-11.
The FBI stresses that these scams prey on curiosity and the element of surprise, but awareness is the best defense. “Precautions should be taken prior to scanning any QR codes received through unsolicited communications or packages.”
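As an added example (not part of the FBI notice or of this article), here is what "previewing the URL first" can check. It takes the text already decoded from a QR code and reports the real destination host plus reasons for caution. The function name, the shortener list and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative, non-exhaustive shortener list (an assumption, not from the FBI notice).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def preview_qr_payload(payload: str) -> dict:
    """Describe where a decoded QR payload leads, without opening it."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return {"scheme": None, "host": None, "warnings": ["malformed link; do not open"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry Wi-Fi settings, SMS or phone actions, or plain text.
        return {"scheme": scheme or None, "host": None,
                "warnings": ["not a web link: triggers a non-browser action or is plain text"]}
    host = (parts.hostname or "").lower()
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        warnings.append("text before '@' is not the site; the real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a named site")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host; may imitate a familiar name")
    if host in SHORTENERS:
        warnings.append("link shortener hides the final destination")
    if port not in (None, 80, 443):
        warnings.append(f"unusual port {port}")
    return {"scheme": scheme, "host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads using reserved example names and addresses.
    for sample in ("https://www.ic3.gov/",
                   "https://accounts.example.com@203.0.113.7:8443/login",
                   "http://xn--exmple-cua.example/gift",
                   "WIFI:T:WPA;S:net;P:pw;;"):
        print(sample, "->", preview_qr_payload(sample))
```

An empty warning list only means none of these surface checks fired; it says nothing about what the page behind the link does.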
Background: Rise of QR Code Phishing and Brushing Scams
QR code phishing, or quishing, has surged since 2023, with dynamic QR scans increasing 433% globally from 2021 to 2022, according to cybersecurity firm Proofpoint. Scammers exploit the codes’ popularity for contactless payments and menus, but in this case, they blend physical mail with digital deception for added legitimacy. The U.S. Postal Inspection Service (USPIS) and Federal Trade Commission (FTC) have echoed the FBI’s warnings, noting that victims often receive packages from overseas vendors on platforms like Amazon or eBay.
Traditional brushing scams aim to inflate seller ratings, but the QR twist escalates the risk by targeting financial data. The FBI’s alert follows a spike in related complaints, with over 4 million QR-based attacks observed in the first half of 2025 alone. Cybersecurity experts like those at KnowBe4 and Malwarebytes highlight how these physical-digital hybrids evade email filters, urging AI-powered training to combat social engineering.
While not yet epidemic, the scam’s low cost and high reward make it appealing to criminals, particularly in an era of rising e-commerce fraud.
Expert Insights and Public Reactions: Awareness Campaigns and Vigilance Calls
Cybersecurity professionals applaud the FBI’s timely alert, with Proofpoint’s analysis showing QR scams as “socially engineered to hack human nature.” Dr. Giovanni Rossi, a digital forensics expert, notes that “QR codes remove the victim from enterprise detection pipelines, bypassing URL scanners.” Recommendations include using antivirus apps with QR blocking and educating users on previewing links.
Public reaction on social media has been one of alarm and sharing, with #QRScam and #FBIWarning trending on X. Users posted personal stories of near-misses, like receiving mystery packages from China, and urged friends to spread the word. Forums like Reddit’s r/cybersecurity buzzed with discussions on prevention, with one thread garnering 10,000 upvotes: “Finally, a warning before I scan something stupid!” Advocacy groups like the National Cyber Security Alliance praised the FBI but called for broader education on physical phishing tactics.
There has been no major backlash against the warning, but some users expressed frustration over the Postal Service’s role in delivery, prompting calls for better screening.
Impact on U.S. Readers: Everyday Risks and Broader Implications
For everyday Americans, this scam heightens anxiety around mail, especially with e-commerce booming: U.S. online sales hit $1.1 trillion in 2024. Economically, victims face drained accounts or identity theft costs averaging $1,343 per incident, per FTC data, straining households amid inflation. If widespread, it could erode trust in delivery services like USPS and UPS, affecting the $200 billion logistics sector.
In daily life, the warning calls for caution with all unsolicited items, from packages to flyers, and affects routines like checking mail. The issue is politically neutral and ties into rising cyber threats, with the FBI reporting 800,000+ complaints in 2024. Technologically, it underscores smartphone vulnerabilities: iOS and Android users should update apps and use secure scanners. Sports fans receiving promo packages or event tickets might double-check QR codes, while families are urged to discuss scam awareness.
Overall, the warning empowers consumers but highlights evolving fraud sophistication.
Conclusion: Stay Alert—Don’t Let Curiosity Cost You
The FBI’s September 2025 warning about unsolicited packages with QR codes is a crucial alert in the fight against quishing and brushing scams, where fraudsters exploit physical deliveries to launch digital attacks. By avoiding scans from unknown sources and reporting suspicious activity, you can safeguard your data and finances.
As scams grow more creative, vigilance remains key—remember, if it seems too good (or mysterious) to be true, it probably is. For more resources, visit the IC3 website or consult cybersecurity tools. Stay safe, and report to help protect others.
