Unsolicited Packages Containing QR Codes Used to Initiate Fraud Schemes: FBI

By Michael V. Cusenza

The Federal Bureau of Investigation on Thursday warned the public about a scam variation in which criminals send unsolicited packages containing a QR code that prompts the recipient to provide personal and financial information or unwittingly download malicious software that steals data from their phone. To entice the victim to scan the QR code, the criminals often ship the packages without sender information. While this scam is not as widespread as other fraud schemes, the public should be aware of this criminal activity.

This is a variation of a “brushing scam,” which is used by online vendors to increase ratings of their products. In a traditional brushing scam, online vendors send merchandise to an unsolicited recipient and then use the recipient’s information to post a positive review of the product. In this variation, scam actors have incorporated the use of QR codes on packages to facilitate financial fraud activities.

A QR code is a square barcode with information that can be scanned and read with a smartphone camera. An individual can scan the QR code of an intended recipient to auto-populate the recipient field, making it easier to send cryptocurrency to the correct destination. QR codes can be used at cryptocurrency ATMs to direct payment to an intended recipient. While many businesses have legitimately used QR code payment in the last year because of the COVID-19 pandemic, QR codes also play a role in malicious use of cryptocurrency payments.

Criminals continue to evolve their tactics to target unsuspecting victims. Precautions should be taken prior to scanning any QR codes received through unsolicited communications or packages.

  • Beware of unsolicited packages containing merchandise you did not order.
  • Beware of packages that do not include sender information.
  • Take precautions before authorizing phone permissions and access to websites and applications.
  • Do not scan QR codes from unknown origins.
  • If you believe you are the target of a brushing scam, secure your online presence by changing account profiles, and request a free credit report from one or all of the national credit reporting agencies (Equifax, Experian, and TransUnion) to identify possible fraudulent activity.

The FBI requests the public report these fraudulent or suspicious activities to the FBI IC3 at ic3.gov. Be sure to include as much information as possible:

  • The name of the person or company that contacted you.
  • Methods of communication used, including websites, emails, and telephone numbers.
  • Any applications you may have downloaded or provided permissions to on your electronic device.

Individuals aged 60 or over who need assistance with filing an IC3 complaint can contact the DOJ Elder Justice Hotline, 1-833-FRAUD-11 (or 833-372-8311).

In 2021, the FBI warned the country about fraud schemes leveraging cryptocurrency and QR codes to facilitate payment. Such schemes include online impersonation schemes (scammer falsely identifies as a familiar entity such as the government, law enforcement, a legal office, or a utility company), romance schemes (scammer establishes an online relationship with a victim by creating a false sense of intimacy and dependency), and lottery schemes (scammer falsely convinces a victim that they have won an award and consequently demands that the victim pay lottery fees).
