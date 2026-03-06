Getting a random package you didn't order used to be either a shipping mistake or a mildly annoying marketing ploy. Now it might be something worse, the FBI has warned in a public service announcement. In a July 2025 announcement, the FBI explains how criminals are sending unsolicited packages to random doorsteps. Inside these packages is a QR code, usually with nothing else. The boxes themselves don't even have a return address printed on them, and no sender info, either. At best, they have a note stamped on them asking you to scan it to find out who sent you a gift.

But of course, it's not a gift. If you scan that QR code, you could end up on a phishing website designed to steal your banking details or login credentials. Some of these codes go even further and actually install malware on your phone, which can then track your data.

The whole thing is sort of a twist on something called a brushing scam. Normally, the online sellers involved in the scam ship cheap products to strangers and then use the recipient's name to post fake reviews, which is something Amazon has been battling for a while now. The U.S. Postal Inspection Service has a whole page dedicated to these scams. But the QR code angle is newer. Instead of just boosting product ratings, scammers are now using the packages as a method for straight-up fraud.

The FBI noted that while it doesn't happen as frequently as other types of scams, it's still worth knowing about. And they're not the only agency raising alarms. Canadian authorities in Red Deer, Alberta, flagged similar QR code scams as far back as August 2024. They cited an example where someone received a package of luxury goods with a note directing them to scan an attached code.