Getting a random package you didn’t order used to be either a shipping mistake or a mildly annoying marketing ploy. Now it might be something worse, the FBI has warned in a public service announcement. In the July 2025 announcement, the FBI explains how criminals are sending unsolicited packages to random doorsteps. Inside these packages is a QR code, usually with nothing else. The boxes themselves don’t even have a return address printed on them, and no sender info, either. At best, they have a note stamped on them asking you to scan the code to find out who sent you a gift.
But of course, it’s not a gift. If you scan that QR code, you could end up on a phishing website designed to steal your banking details or login credentials. Some of these codes go even further and actually install malware on your phone, which can then track your data.
The whole thing is sort of a twist on something called a brushing scam. Normally, the online sellers involved in the scam ship cheap products to strangers and then use the recipient’s name to post fake reviews, which is something Amazon has been battling for a while now. The U.S. Postal Inspection Service has a whole page dedicated to these scams. But the QR code angle is newer. Instead of just boosting product ratings, scammers are now using the packages as a method for straight-up fraud.
The FBI noted that while it doesn’t happen as frequently as other types of scams, it’s still worth knowing about. And they’re not the only agency raising alarms. Canadian authorities in Red Deer, Alberta, flagged similar QR code scams as far back as August 2024. They cited an example where someone received a package of luxury goods with a note directing them to scan an attached code.
Why it’s so convincing
The reason the scam works so well has to do with how common QR codes have become. Unlike a sketchy-looking link in a text message, a QR code doesn’t reveal where it’s actually taking you until after you’ve scanned it. That makes you curious, so you want to scan it, and that’s exactly what scammers are banking on. Criminals are already sticking QR codes on parking meters for nefarious purposes. Moreover, considering that 66% of people have scanned a QR code to purchase something at some point, as Malwarebytes noted in its August 2025 coverage, the action itself feels routine and safe.
Of course, you should be doing the exact opposite. The FBI has a simple warning for those who’ve been treated to a mystery box: Don’t scan it. But if you’ve already given in to the temptation and scanned one recently — or even a while back — change your passwords immediately. Also, turn on two-factor authentication on your accounts for an additional layer of security. The FTC also recommends grabbing your free credit report at AnnualCreditReport.com to check for any suspicious activity.
If you notice anything suspicious, you can report it to the FBI’s Internet Crime Complaint Center. If you’re 60 or older and need help filing a complaint, there’s the DOJ Elder Justice Hotline at 833-372-8311. As for the package itself, well, you can legally keep it. But that QR code inside should go straight into the bin.