Consumers across multiple states are being warned about a new variation of the “brushing” scam that uses unsolicited gifts and malicious QR codes to steal personal and financial information. This scam involves recipients receiving unexpected packages containing items they did not order, often from online retailers like Amazon or other similar companies.
The packages typically contain items like jewelry (rings, bracelets, necklaces), Bluetooth speakers, or other small gifts. While the package correctly displays the recipient’s address, it lacks sender information or any clear indication of the item’s origin. This ambiguity is a key element of the scam.
Inside the package, a QR code is included, often with the implication that scanning it will reveal the sender’s identity. This is the trap. Scanning the QR code does not reveal a friendly sender; instead, it installs malicious software on the victim’s phone, granting scammers access to a wealth of personal data.
Experts warn that once the QR code is scanned, scammers can access everything on the compromised device, including personal contacts, photos, emails, and, most critically, financial information. In many cases, victims have reported having their bank accounts drained after falling prey to this scam.
Authorities emphasize that the physical gift itself is not the threat. The danger lies entirely within the QR code. Whether the recipient chooses to keep or discard the unsolicited item is irrelevant; the crucial advice is to never scan the QR code.
QR code scams are not a new phenomenon. They have been observed in various contexts, including on parking meters and other public spaces. This latest iteration, however, is particularly insidious due to the element of surprise and the lure of a “gift.”
Law enforcement agencies are urging the public to share this information with family and friends, especially those who may be less tech-savvy. The best defense against this scam is awareness and vigilance. Remember: never scan QR codes from unknown or unsolicited sources. If you receive a package you did not order, simply discard it without scanning the code. If you suspect you may have been a victim of this scam, contact your bank and local authorities immediately.