At this point in your Internet journey, you’ve probably heard of—but hopefully managed to avoid—”phishing” scams, where criminals lure victims to what look like legitimate websites, aiming to steal sensitive info or install malware. However, you may have missed the rise of a recent offshoot using QR codes to achieve similar results. It’s a frightening idea, given that we scan these codes all the time—from restaurant menus to street parking payment systems. But the FBI warns that this latest scam could be headed to your doorstep.
In July 2025, the Bureau issued a public service announcement warning against a variation of a “brushing scam.” In its original form, vendors “send merchandise to an unsolicited recipient and then use the recipient’s information to post a positive review of the product.” But in this new update, which the FBI notes is “not as widespread as other fraud schemes,” scammers are using QR codes in order to “facilitate financial fraud activities.” In other words, victims receive a package—often without sender information, creating confusion that entices them to scan the QR code and then “provide personal and financial information or unwittingly download malicious software that steals data from their phone.”
What is the new QR code package scam?
The FBI says to proceed with caution around any unsolicited package. Does it contain a product you didn’t order? Does it not include sender information? They recommend taking precaution “before authorizing phone permissions and access to website and applications.” And, of course, they stress to not scan QR codes of unknown origin. If you think you’ve been targeted by a scammer, you can take online security measures like “changing account profiles” and requesting a free credit report from a national credit reporting agency (Equifax, Experian, or TransUnion) to check for possible fraud. You can also file a report through the FBI’s IC3 website or, if you’re over age 60 and need assistance via phone, through the DOJ Elder Justice Hotline (1-833-FRAUD-11).
You might be thinking to yourself, “I would never fall for that kind of scam,” but as experts note, it’s only human nature to let your guard down every once in a while. Gaurav Sharma, a professor in the Electrical and Computing Engineering department at The University of Rochester, told CNBC, “The crooks are relying on you being in a hurry and you needing to do something.”
Norton, the popular antivirus software company, posted a guide to “quishing” (QR code phishing), explaining other methods of how scammers can target people. After using free tools to generate QR codes, they can then disseminate them in everyday places: on menus, parking meters, ATMs, public transport spots, social media feeds, pop-up ads, flyers, and even emails and texts. These scams have become so prevalent that they’ve also prompted warnings from the United States Postal Inspection Service and the Federal Trade Commission. Incredibly, as CNBC notes, the cybersecurity company KeepNet Labs found in a study that 26 percent “of all malicious links were embedded in phishing QR code.”
Remember when QR codes were just a quirky and fun technology? Sigh. Anyway, just remember to stay vigilant with your packages—just like you do with your emails and texts.
