Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    FBI Report: Attackers Are Sending Physical Packages with Malicious QR Codes

    KnowBe4 Team | Aug 7, 2025

    QR Code QishingThe FBI has issued an advisory warning that scammers are distributing QR code phishing (quishing) links via unsolicited packages sent by snail mail.

    Recipients may scan the code to find out where the package came from, which will land them on a phishing page.

    This is a variation of a “brushing scam,” where unscrupulous vendors send packages designed to harvest information that can be used in phony positive reviews. In this case, the attackers are tricking victims into visiting malicious links designed to steal their information or deliver malware.

    “The FBI warns the public about a scam variation in which criminals send unsolicited packages containing a QR code that prompts the recipient to provide personal and financial information or unwittingly download malicious software that steals data from their phone,” the advisory says.

    “To encourage the victim to scan the QR code, the criminals often ship the packages without sender information to entice the victim to scan the QR code. While this scam is not as widespread as other fraud schemes, the public should be aware of this criminal activity.”

    The Bureau offers the following advice to help people avoid falling for these attacks:

    • “Beware of unsolicited packages containing merchandise you did not order.
    • Beware of packages that do not include sender information.
    • Take precautions before authorizing phone permissions and access to websites and applications.
    • Do not scan QR codes from unknown origins.
    • If you believe you are the target of a brushing scam, secure your online presence by changing account profiles and request a free credit report from one or all the national credit reporting agencies (Equifax, Experian, and TransUnion) to identify possible fraudulent activity.”

    AI-powered security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

    The FBI has the story.

     

    Return To KnowBe4 Security Blog

    Free QR Code Phishing Security Test

    Did you know dynamic QR code scans increased 433% globally from 2021 to 2022? Try our free QR Code Phishing Security Test to identify users that are most susceptible to these types of attacks so you can train them to think twice before scanning QR codes and build a stronger security culture.

    Monitor-QRT-2Here's how it works:

    • Immediately start your test for up to 100 users (no need to talk to a person)
    • Select from 35 languages and choose one of 3 templates
    • Choose from a “red flags missed” or a “404 error” landing page
    • Get a PDF emailed to you in 24 hours with your Phish-prone Percentage

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/qr-code-phishing-security-test

    Topics: Human Risk Management, Quishing

    KnowBe4 Team

    ABOUT KNOWBE4 TEAM

    The KnowBe4 Team delivers timely, expert-driven insights on cybersecurity trends, emerging threat intelligence, human risk best practices, compliance strategies and industry research to help organizations strengthen their human defense layer and stay informed, resilient, and secure.

    Read more from KnowBe4 »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Gartner Magic Quadrant
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest insights, trends and security news. Subscribe to CyberheistNews.