This post is also available in:
עברית (Hebrew)
The FBI has issued a public service announcement about a growing scam involving physical packages sent to individuals without explanation. Inside these packages, recipients are finding printed QR codes—codes that, when scanned, can lead to phishing websites or malware downloads.
According to the agency, these scams are a recent variation of what’s known as a “brushing scam.” Traditionally, brushing scams involve sending unsolicited goods to boost online product reviews using the recipient’s name. In this newer version, the packages serve as delivery mechanisms for fraudulent QR codes.
Once scanned, some of the codes redirect users to fake websites that ask for personal or financial information. In other instances, they initiate the download of malware designed to steal data from the device.
The packages typically contain no identifying information about the sender, which increases the chances that recipients may become curious and interact with the QR code. The FBI notes that although the scale of this scam is currently limited, the tactic is serious enough to warrant national attention.
To protect themselves, individuals are advised to be cautious with unexpected deliveries, especially those lacking sender details. Scanning unknown QR codes should be avoided altogether unless the source can be verified.
Additionally, the FBI recommends that users decline any requests for permissions from pop-up notifications on mobile devices, particularly if prompted after scanning a code. Allowing access to apps, contacts, or camera functions without verifying the source could expose sensitive information.
The FBI encourages victims or those who receive suspicious packages to report the incident to the Internet Crime Complaint Center (IC3). If someone suspects they’ve been targeted, they should take immediate steps to secure their accounts, including changing login credentials and reviewing account activity. It is also recommended to check for unusual activity on credit reports.
