FBI warns of a particular scam involving QR codes

By Trevor Mogg Published August 3, 2025

Scammers are increasingly exploiting QR codes to trick people into revealing financial information or installing malicious software on their devices.

The FBI has recently issued a warning about a particular type of scam involving QR codes on packages delivered to people who didn’t order them.

The scammers are clearly playing on our curious nature, with the appearance of an innocent-looking QR code likely to tempt at least some people to scan it to find out more about the mystery package they’ve just received. But this could take you on a journey where you end up being tricked into handing over personal details such as financial information, or downloading malware that could pull data from your phone.

“While this scam is not as widespread as other fraud schemes, the public should be aware of this criminal activity,” the FBI said.

The agency said the activity is a variation of the so-called “brushing scam” where online sellers send you unordered items so that it can use your name to post fake reviews to boost the product’s rating.

“In a traditional brushing scam, online vendors send merchandise to an unsolicited recipient and then use the recipient’s information to post a positive review of the product,” the FBI explained, adding that in this latest variation, “scam actors have incorporated the use of QR codes on packages to facilitate financial fraud activities.”

The FBI is imploring people to beware of delivered packages that they didn’t order, and to avoid scanning QR codes from unknown origins.

The agency’s warning comes at a time when QR codes are being increasingly used in scams besides those involving unsolicited packages. 

QR codes are being used increasingly by criminals, mainly because of their growing presence in everyday life. It means scammers are even sticking fake codes over legitimate ones, so you need to be on your guard when you hold your phone over one, especially when you’re out and about. 

The New York Department of Transportation, for example, recently alerted drivers to a scam where criminals were sticking QR codes on parking meters. The code directed anyone who scanned it to a third-party webpage asking for credit card information.

These days, most phone cameras automatically recognize QR codes and, unless you’ve turned off the setting, show you the web address that you’ll land on if you tap it to proceed. So even with codes that you think you can trust, take a moment to read that address before going ahead. As for QR codes stuck on packages that you didn’t order, just ignore them entirely.