The Package at Your Door Could Be a $100,000 Scam: FBI Warns of Dangerous QR Code Attacks

  • rigoberto34
  • Aug 18
  • 6 min read

You come home to find a package on your doorstep. You didn't order anything, and there's no return address; just your name and a mysterious QR code with a note saying "Scan to learn more about your delivery" or "Scan to claim your gift."


Your curiosity gets the better of you. You pull out your phone, scan the code, and within seconds, you've just handed cybercriminals the keys to your digital life.


This isn't a hypothetical scenario. It's the latest scam sweeping the nation, and the FBI is warning everyone to be on high alert. Welcome to the world of "quishing", where a simple scan can cost you everything.


What's Happening: The $100,000+ Scam

The FBI has issued an urgent warning about a new type of "brushing scam" that's evolved far beyond fake product reviews. Criminals are now sending unsolicited packages containing QR codes that prompt recipients to provide personal and financial information or unwittingly download malicious software that steals data from their phones.


But the scope of this problem is staggering. According to recent research:


  • QR code phishing incidents increased by 587% in 2023
  • Over $100,000 was stolen through QR code scams between January and September 2020 alone
  • 26+ million Americans have already been directed to malicious sites via QR codes
  • 66% of people have scanned a QR code to purchase something, making this attack vector incredibly effective


Scam Breakdown: How Criminals Exploit Your Trust

The Traditional "Brushing" Setup

In a traditional brushing scam, online vendors send merchandise to a recipient who never ordered it and then use the recipient's information to post a positive review of the product on their behalf. Annoying, but relatively harmless.


The Dangerous Evolution

Now, scam actors have incorporated the use of QR codes on packages to facilitate financial fraud activities. Here's how it works:


  1. The Mystery Package: Criminals often ship packages without sender information to entice the victim to scan the QR code

  2. The Curious Scan: You scan the code, hoping to learn who sent the package

  3. The Digital Trap: The QR code collects personal and financial information about the victim while also downloading malicious software onto their phone

  4. The Silent Theft: Attackers have used this method to quietly siphon credit card numbers as well as credentials for bank accounts, securities trading accounts, and crypto accounts


Why QR Codes Are Perfect for Criminals

Bypassing Traditional Security

One of the main reasons threat actors choose QR codes is that they are the simplest way to move a user from a desktop or laptop to a mobile device, which usually doesn't have the same robust security protections.


Scammers incorporate QR codes into their phishing attacks, a practice known as "quishing." They do this mainly so that they can bypass traditional security solutions that can flag malicious URLs when they appear in emails, but not when they're linked to (or hidden behind) QR codes.


Mobile Vulnerabilities

Mobile devices, which are typically used for QR scanning, often lack the robust protection installed on desktops or laptops. Even worse, many mobile users don't use URL preview apps when scanning QR codes, making it easy for harmful sites to load without warning.


The Trust Factor

QR code use has skyrocketed recently, with 66% of users having scanned one to make a purchase. The familiarity of this action is exactly what scammers exploit. We've become so comfortable scanning codes for restaurant menus and parking payments that we don't think twice about potential dangers.


Real-World Attacks: It's Already Happening

The Holiday Package Scam

During the 2024 holiday season, individuals across the U.S. and U.K. reported receiving unsolicited packages containing QR codes. These packages often included a note prompting recipients to scan a QR code to identify the sender or claim a gift. Several recipients reported identity theft and unauthorized access to their devices after scanning the malicious QR codes.


The Parking Meter Hack

There are reports of scammers covering up QR codes on parking meters with a QR code of their own. The appeal to cybercriminals lies in the relative ease with which the scam operates: slap a fake QR code sticker on a parking meter or a utility bill payment warning and rely on urgency to do the rest.


The Banking Trojan Campaign

Hackers created fake QR code scanning apps that, once installed, prompted for "updates" that actually downloaded malware such as the TeaBot banking trojan, compromising the device and giving attackers unauthorized access to users' banking and personal data.


The Bitcoin Wallet Scam

Nine fake Bitcoin-to-QR code generator websites were identified, misleading users to generate QR codes linked to scammers' Bitcoin wallets, causing direct financial loss to victims who thought they were generating QR codes for their own Bitcoin addresses.


Physical World Meets Digital Danger

What makes these scams particularly insidious is their physical-digital hybrid nature. "What's especially concerning is that legitimate flyers, posters, billboards, or official documents can be easily compromised. Attackers can simply print their own QR code and paste it physically or digitally over a genuine one, making it nearly impossible for the average user to detect the deception," said cybersecurity expert Brewer.

Unlike URLs, where users can preview the destination, QR codes disguise the threat behind a digital veil—you scan, you trust, and sometimes, you pay the price.
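The "URL preview" step that the Mobile Vulnerabilities section says most phone users skip can be done by hand on whatever text a scanner decodes. The following is an added example (not code from the original post or from the FBI): it takes the raw decoded payload, reports whether it is a web link at all, and lists the warning signs a careful reader would check before tapping. The shortener list is a constructed sample.

```python
"""Triage the text decoded from a QR code before opening it (added example)."""
from urllib.parse import urlsplit
import ipaddress

# Constructed sample of link-shortener hosts; maintain your own list in practice.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def triage_qr_payload(payload: str) -> dict:
    """Return {'is_url': bool, 'host': str | None, 'flags': [reasons...]}."""
    flags = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi configs, vCards, app deep links and plain text are not web
        # links; report the scheme so the user knows what the code carries.
        return {"is_url": False, "host": None,
                "flags": [f"non-web scheme: {scheme or 'none'}"]}
    host = parts.hostname or ""
    if scheme == "http":
        flags.append("plaintext http")
    if parts.username is not None:
        # "https://bank.example@evil.example/" shows a trusted name first,
        # but the browser connects to the host after the "@".
        flags.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        flags.append("IP address instead of hostname")
    except ValueError:
        pass
    if "xn--" in host:
        flags.append("punycode (internationalized) hostname")
    if host in SHORTENERS:
        flags.append("link shortener hides final destination")
    if parts.port not in (None, 80, 443):
        flags.append(f"unusual port {parts.port}")
    return {"is_url": True, "host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed sample payloads of the kind a scanner might decode.
    for sample in ("https://bank.example@evil.example/login",
                   "http://192.0.2.10:8080/claim-your-gift",
                   "WIFI:T:WPA;S:Guest;P:secret;;"):
        print(sample, "->", triage_qr_payload(sample))
```

An empty `flags` list does not make a link safe; it only means none of the cheap, visible tells are present.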


Who's Most at Risk: The Surprising Answer

iPhone users may be slightly more likely to fall victim to the crime, according to a study completed earlier this year by Malwarebytes. Users of iPhones expressed more trust in their devices than Android owners, and that, researchers say, could cause them to let down their guard. For example, 70% of iPhone users have scanned a QR code to begin or complete a purchase, versus 63% of Android users.


How Organized This Really Is

This isn't just random criminals—it's organized cybercrime. Cybercriminals trade malicious QR templates, infected landing pages, and even guides on social engineering tactics. These kits make it easy for even low-level scammers to launch campaigns with little technical knowledge.


Because these packages arrive without return addresses or identifiable senders, tracing their origin is incredibly difficult, making it easy for scammers to operate internationally and anonymously.


What Happens When You Fall Victim

The consequences go far beyond simple data theft:


Immediate Threats:

  • Once a user scans a malicious QR code, the phone can be led to download a Trojan: malware that runs in the background and reports information back to the hackers' servers
  • The QR code could install malware that steals your information before you realize it
  • Nation-state attackers have even used QR codes to distribute remote access trojans (RATs), a type of malware designed to operate without the device owner's consent or knowledge, giving hackers full access to targeted devices and networks


Long-term Damage:

  • Reports are surfacing of users losing access to bank accounts, falling victim to crypto wallet drains, or having their personal information sold online, all because they scanned a single QR code


How to Protect Yourself: The Defense Strategy

Based on FBI recommendations:

  1. Beware of unsolicited packages containing merchandise you did not order

  2. Beware of packages that do not include sender information

  3. Take precautions before authorizing phone permissions and access to websites and applications

  4. Do not scan QR codes from unknown origins


If You've Been Targeted: What to Do Now

If you believe you are the target of a brushing scam, secure your online presence by changing account profiles and requesting a free credit report from one or all the national credit reporting agencies (Equifax, Experian, and TransUnion) to identify possible fraudulent activity.


Report the Crime: The FBI requests that the public report these fraudulent or suspicious activities to the FBI IC3 at www.ic3.gov. Be sure to include as much information as possible:


  • The name of the person or company that contacted you
  • Methods of communication used, including websites, emails, and telephone numbers
  • Any applications you may have downloaded or provided permissions to on your electronic device


The Future of QR Code Security

The cybersecurity community is fighting back. Gaurav Sharma, a professor in the department of electrical and computer engineering at the University of Rochester, is working to develop a "smart" QR code called an SDMQR (Self-Authenticating Dual-Modulated QR) that has built-in security to prevent scams.


But as security expert Rob Lee points out: "QR codes weren't built with security in mind, they were built for convenience."

The Bottom Line: Trust But Verify

The old advice of "don't talk to strangers" now extends to "don't scan strange codes." Your curiosity isn't worth the cost of your privacy or security.


We live in a world where 73 percent of Americans scan QR codes without verification, and more than 26 million have already been directed to malicious sites. The convenience of QR codes has made them appear everywhere, but that same convenience is exactly what criminals are exploiting.


The next time a mysterious package shows up at your door with a QR code, remember:

You scan, you trust, and sometimes you pay the price. In this case, that price could be everything in your bank account.

This blog is based on official FBI warnings, cybersecurity research, and documented case studies. For the latest updates on QR code scams, visit the FBI's Internet Crime Complaint Center at ic3.gov.
