A QR code on a gift package could install malware and put your banking information at risk, according to the FBI

A new wave of “quishing” turns surprise deliveries into phishing traps. The FBI’s message is simple: don’t scan codes you didn’t request.

QR codes are everywhere, from restaurant menus to real estate signs, but they do not belong on mystery boxes at your door. Some packages arrive with printed codes that link to fake portals or download malicious software. Who’s at risk? Anyone who scans before thinking.

How the brushing and quishing package scams use QR codes to trick you

Brushing happens when a seller sends you an unsolicited item, then posts a fake review in your name to boost sales. An unexpected package is a red flag that your address—and possibly other info—was misused.

Quishing is the new twist. The box displays a QR code; scanning prompts you to enter personal or payment details, or silently installs malware. Many boxes lack sender information, nudging you to scan “to learn more.” Got a package you didn’t order? Here’s a quick comparison to help you spot the difference:

| Scam type | How it works | Main risk | Typical red flags |
| --- | --- | --- | --- |
| Brushing | Unsolicited item; seller posts fake review using your name | Identity misuse and privacy exposure | Package you didn’t order; missing or vague sender details |
| Quishing | Unsolicited package includes a QR code that leads to phishing or malware | Account takeover or data theft | Code urges immediate action, payment, or login to “verify” |

Both schemes rely on curiosity and urgency—two reasons to pause before you scan.

Practical FBI-backed steps to stay safe when unexpected packages arrive

The FBI urges caution with any code you didn’t request. When in doubt, skip the scan and move on.

FBI tips to protect yourself

  • Be wary of unsolicited packages containing merchandise you did not order.
  • Beware of packages that do not include sender information.
  • Be careful before authorizing phone permissions and access to websites or apps.
  • Do not scan QR codes from unknown origins.
  • If you suspect brushing or quishing, change your account profiles and request a free credit report from Equifax, Experian, or TransUnion.

These moves reduce the odds of identity theft and help you catch problems early. Not sure whether to scan that code? Don’t.

What to do next if you already scanned a suspicious QR code

Act quickly. Change your account profiles, secure your information, and request your free credit report to identify possible fraudulent activity. The safest choice going forward is simple: ignore unsolicited codes and treat surprise deliveries as potential fraud.

Bottom line: treat every unsolicited delivery as a potential scam. Skip the scan, safeguard your accounts, and check your credit if anything looks off.
