FBI Report: Attackers Are Sending Physical Packages with Malicious QR Codes
KnowBe4, Thursday, August 7th, 2025
The FBI has issued an advisory warning that scammers are distributing QR code phishing (quishing) links via unsolicited packages sent by snail mail.
Recipients may scan the code to find out where the package came from, which will land them on a phishing page.
This is a variation of a 'brushing scam,' where unscrupulous vendors send packages designed to harvest information that can be used in phony positive reviews. In this case, the attackers are tricking victims into visiting malicious links designed to steal their information or deliver malware.
'The FBI warns the public about a scam variation in which criminals send unsolicited packages containing a QR code that prompts the recipient to provide personal and financial information or unwittingly download malicious software that steals data from their phone,' the advisory says.