FBI Warns Against Scanning QR Codes on Mystery Doorstep Packages

The FBI is issuing a stark warning to consumers about a new wave of doorstep fraud involving mystery packages containing malicious QR codes. Instead of a harmless shipping error or a simple marketing ploy, these unsolicited deliveries are explicitly designed to trick recipients into downloading malware or handing over sensitive financial data. For anyone receiving an unexpected box, understanding this dangerous evolution of physical mail scams is critical to preventing severe identity theft and device compromise.

According to the public service announcement, criminals are leaving boxes on random doorsteps with no return address and no sender information. Inside, recipients typically find a single item or a note prompting them to scan an included QR code to "find out who sent you a gift." Scanning this code immediately redirects the victim's smartphone to a sophisticated phishing website built to harvest banking details and login credentials. In more severe cases, the QR code triggers a silent download of malware capable of tracking user data and monitoring device activity.

This physical delivery tactic is a malicious twist on the traditional "brushing scam." Historically, brushing involved online sellers shipping cheap, unsolicited products to strangers so they could use the recipient's name to post verified, fake reviews on platforms like Amazon. While the US Postal Inspection Service has actively battled these fake review schemes, threat actors have now realized that the physical package itself can be weaponized for direct financial fraud.

The FBI notes that while this specific QR code angle is newer and less frequent than purely digital phishing, it is highly effective. The tactic is not isolated to the United States; Canadian authorities in Red Deer, Alberta, flagged similar operations as early as August 2024, citing instances where victims received counterfeit luxury goods accompanied by malicious scanning prompts.

The success of this scam relies heavily on the normalization of QR technology and the inherent "curiosity gap" it creates. Unlike a suspicious URL in a text message, a QR code obscures its final destination until the user has already initiated the scan. A report from Malwarebytes in August 2025 highlighted that 66% of people have scanned a QR code to make a purchase, making the action feel routine and inherently safe to the average consumer. Scammers are exploiting this misplaced trust, similar to how they have previously pasted fraudulent QR codes over legitimate parking meters.

If you receive a mystery package, the FBI's directive is simple: do not scan the code. Legally, you are permitted to keep the contents of the unsolicited package, but the QR code should be immediately destroyed. If you have already scanned a suspicious code, security agencies recommend taking the following immediate actions:

• Change the passwords for your primary email and banking accounts immediately.
• Enable two-factor authentication (2FA) across all critical accounts to block unauthorized access.
• Request a free credit report from AnnualCreditReport.com, as recommended by the FTC, to monitor for unauthorized accounts or inquiries.
• File a detailed report with the FBI's Internet Crime Complaint Center (IC3).
• If the victim is 60 years of age or older, contact the DOJ Elder Justice Hotline at 833-372-8311 for specialized assistance.

Can I legally keep the items sent in a mystery package?
Yes. Under consumer protection laws, you are legally allowed to keep any unsolicited items sent to your home. However, you must discard any included QR codes or digital media.

How does a QR code install malware?
Scanning the code directs your mobile browser to a malicious domain. This site can exploit unpatched browser vulnerabilities to initiate a drive-by download, silently installing tracking software or credential-harvesting malware on your device.

The weaponization of physical mail with digital payloads highlights a fascinating shift in cybercriminal strategy. As digital spam filters, email security gateways, and SMS blocking tools become increasingly sophisticated, threat actors are pivoting back to physical vectors where users' guards are significantly lower. The fact that 66% of consumers routinely scan QR codes for purchases proves that the technology has bypassed our natural skepticism. Moving forward, I expect to see this tactic merge with AI-generated, highly personalized physical notes - perhaps referencing public data scraped from social media - to increase the scan rate even further. Consumers must start treating physical QR codes with the exact same zero-trust mentality they apply to unsolicited email attachments.