Owning a smartphone has become second nature, but it also makes people vulnerable to a growing range of scams. The latest warning from the Federal Bureau of Investigation (FBI) highlights a scheme that blends old tactics with new digital tricks: scammers are sending unsolicited packages containing malicious QR codes.
The FBI says this scam is a dangerous variation of the long-running “brushing” scheme. Traditionally, brushing scams were a nuisance that boosted fake product reviews. Now, criminals are using them to steal personal information and financial credentials, and even to install malware on victims’ devices.
How Brushing Scams Have Evolved
A brushing scam typically works by sending someone a product they never ordered. Once the package arrives, the scammer uses the recipient’s name and address to post glowing but fake reviews online, making their product appear more popular than it really is.
While that was inconvenient, the new version is far more damaging. Instead of just manipulating e-commerce reviews, these packages now include QR codes designed to trick people into scanning them. The simple act of pointing a phone’s camera at the code can open the door to fraud.
The Danger Behind the QR Codes
The packages often arrive without a return address or any sender information. That absence makes people curious—exactly what scammers are counting on. Inside, a QR code may be accompanied by vague instructions such as “scan to learn more” or “claim your gift.”
Once scanned, the code can redirect the user to a malicious website or trigger the download of malware onto the device. This software can secretly gather data such as:
- Credit card details
- Online banking logins
- Stock trading credentials
- Cryptocurrency wallet access
Victims may not notice anything is wrong until their accounts are compromised or their money disappears.
Why People Fall for It
Experts say the scam exploits a simple human trait—curiosity. When an unexpected package arrives, many people want to know where it came from or what it means. Without a return label, scanning the code feels like the easiest way to find out.
That brief lapse in judgment is all scammers need. In just seconds, the code can lead to malware being installed on a person’s phone, which then begins siphoning off sensitive information.
Steps to Stay Safe
The FBI has laid out several precautions that can help people avoid falling victim:
- Treat surprise packages with caution – If you didn’t order it, be suspicious.
- Look for missing sender information – A legitimate delivery should have a return address.
- Be mindful of app and site permissions – Don’t grant unnecessary access to your device.
- Avoid scanning QR codes from unknown sources – Especially if they arrive unexpectedly.
- Keep an eye on your accounts – If you think you scanned a bad code, change logins immediately and request a credit report to check for fraud.
The FBI also urges people to report scams through its Internet Crime Complaint Center (IC3), providing details like names, phone numbers, websites, and apps involved. This information helps investigators track patterns and shut down criminal networks.
Extra Protection Against Identity Theft
Beyond basic caution, identity theft protection services can be another layer of defense. These services monitor for suspicious activity, alert users when their data appears on the dark web, and help recover stolen funds. Many also offer features similar to antivirus programs, giving users a stronger security net.
While not foolproof, combining these protections with vigilance can make it harder for scammers to succeed.
Blurring the Line Between Online and Offline Scams
Most people think of scams as something that happens online—like phishing emails or suspicious social media links. But this scheme shows that criminals are increasingly mixing real-world tactics with digital crime. A package left at the doorstep can now be the starting point for a cyberattack.
That crossover makes everyday caution more important. As the FBI stresses, scams are no longer confined to inboxes or web browsers—they can show up right at your front door.
What To Do If You’ve Been Targeted
If you’ve already scanned one of these codes or think you’ve been exposed, act quickly:
- Stop using the device until it can be checked for malware.
- Change your passwords, starting with financial and email accounts.
- Contact your bank or financial institutions to flag possible fraud.
- Request a credit report to catch suspicious activity early.
- File a complaint with the FBI’s IC3 portal.
The faster victims respond, the more damage they can prevent.




