Have you ever received a surprise package you didn’t order? It might feel exciting at first, but the FBI is warning that some of these deliveries are actually part of a dangerous new scam. Criminals are now using a form of a Brushing Scam by using QR codes hidden in unsolicited packages to trick people into giving away personal information or even installing malware on their phones.

Here’s what you need to know to stay safe.

First, What Is a Brushing Scam?

A brushing scam happens when scammers send packages to people who never ordered them. The items are usually cheap (like keychains, phone accessories, or household gadgets).

The reason? Scammers want to:

• Create fake sales records that let them post “verified” reviews online.
• Boost their seller ratings to make their store look more trustworthy.
• Sometimes, harvest personal data such as your name, phone number, or address.

In most cases, brushing scams are more annoying than dangerous. You end up with a package you didn’t ask for, and the scammer gets better product visibility.

But recently, scammers have added a dangerous twist.

What Is a QR Code Scam?

A QR code can be useful for things like menus, tickets, or secure logins. But scammers are now taking advantage of our trust in them.

Here’s how the scheme works:

• You receive a package at your door — often with no return address or sender listed.
• Inside is a note or product with a QR code that says something like “Scan to learn more” or “See who sent this gift.”
• If you scan it, you could be directed to:
  • A phishing website that steals your login or banking details.
  • A malware download that infects your device and collects data.

Now, the scam is far more dangerous, because it involves your smartphone and your personal information.

Why This Is Dangerous

At first glance, these packages look harmless, maybe even fun. But scanning the wrong QR code could:

• Give criminals access to your financial accounts.
• Install spyware that tracks your texts, emails, or passwords.
• Compromise your identity by stealing sensitive information.

In short, one quick scan could open the door to months or years of problems.

How to Protect Yourself

The FBI recommends taking these steps if you get an unexpected package with a QR code:

1: Do not scan QR codes from unknown packages.
2: Keep or dispose of the package safely. (Legally, it’s yours, but the code is not worth the risk.)
3: Check your accounts for unusual activity if you think you may have already scanned one.
4: Change your passwords and update your phone’s security settings.
5: Report the incident to the FBI’s Internet Crime Complaint Center (IC3) or the U.S. Postal Inspection Service.

The Bottom Line

Scammers are clever... they count on curiosity to trick people. But remember: if a package arrives that you didn’t order and it asks you to scan a code, it’s safest to ignore it and report it.