Overview
- The FBI says criminals are mailing packages with QR codes that drive recipients to phishing sites or install data-stealing malware.
- The tactic borrows from brushing schemes: unsolicited parcels arrive with no sender details, coaxing the recipient into scanning the enclosed code.
- Authorities advise scanning only trusted codes, checking destination URLs, updating devices, enabling two-factor authentication, and reporting incidents to the FBI’s IC3.
- UK reporting shows 784 quishing (QR-code phishing) cases and nearly £3.5 million lost between April 2024 and April 2025, with car parks frequently hit by fake stickers on payment machines.
- Security experts note that QR codes conceal the links used in phishing, that victims have suffered identity theft and had loans taken out in their names, and that totals are likely underreported.