top of page
Search

Brushing - Beware of QR Code Package Scams: The New Cybercrime Trick You Need to Know

  • Writer: NFT_Noobie
    NFT_Noobie
  • Aug 18
  • 3 min read

It starts so innocently. You hear a knock on the door, and a courier hands you a small package. There’s no sender name, no note inside, and you don’t even remember ordering anything. Curious, you open the box and find only one thing—a QR code, inviting you to scan it to “learn more.”


At first glance, it looks harmless. Maybe a shipping mistake. Maybe a forgotten online order. But behind this mysterious package hides one of the newest and most dangerous cyber scams making its way across Europe and beyond.

Hacker in shadow holding a glowing QR code on a package
Hacker Tempting You

The Trap Behind the QR Code Package Scam


Police have warned that these QR code package scams are on the rise. Unlike traditional frauds that ask you to click suspicious links, these scams exploit the trust we place in online shopping and the everyday nature of delivery services.

Once the QR code is scanned, it doesn’t lead to delivery details. Instead, it installs malicious software onto your smartphone. From there, cybercriminals can quietly access your credit cards, bank accounts, crypto wallets, or even stock trading apps—without you noticing a thing.

This very scenario is becoming increasingly common, warns the police, which has issued an official alert due to the frequent cases of fraud across the country. It involves a devious variant of the so-called brushing scam, which is now not being used for fake reviews, but rather for stealing sensitive user data directly through their phones.




Why People Fall for It


What makes this scam so effective is its simplicity. People are used to constant deliveries. We order online so often that it’s easy to forget about one or two small packages. And when curiosity kicks in, scanning a QR code feels like the most natural way to “solve the mystery.”

The police warn that many victims don’t even report these incidents. Instead, they assume it’s a minor shipping error or a tech glitch. This silence gives criminals the upper hand, allowing them to repeat the scheme over and over again.

Diagram showing a suspicious package leading to a QR code scan on a phone, causing data theft on a laptop, and resulting in financial loss.
Suspicious Package → QR Code Scan → Malware → Data Theft → Financial Loss

The Red Flags


So, how can you spot a suspicious package? Look out for these warning signs:

  • Deliveries you never ordered

  • Packages with no sender or return address

  • QR codes with no instructions or explanations


If you see any of these, treat the package as a red alert.


Protecting Yourself Against QR Code Scams


The best defense is skepticism. If a package feels wrong, trust your instincts. Police and cybersecurity experts recommend a few simple but powerful steps:

  • Never scan QR codes from unknown sources.

  • Don’t open or keep deliveries you didn’t order.

  • Regularly check app permissions on your phone.

  • Change passwords immediately if you suspect compromise.

  • Review your credit report to check for fraud.

  • Report the package to the police with as many details as possible.


Woman shopping safely online with laptop, card; man looks worried, holding phone with QR code and package. Text: Safe Online Shopping, Suspicious QR Code.
Safe vs QR Scam

Brushing - What Is It?


We mentioned Brushing earlier in the text. Brushing is a type of e-commerce scam where people receive unsolicited packages they never ordered, often containing cheap or low-value items (like socks, phone accessories, or small gadgets).


It works like this:

  1. A seller (usually on large online marketplaces) ships items to random addresses.

  2. Because the packages were “delivered,” the seller can create fake positive reviews on their store/product, boosting rankings and credibility.

  3. The recipient is confused because they never placed an order — but their name and address were used.


⚠️ Why it’s a problem

  • Personal data misuse: It means your name, phone, and address were obtained somehow (often through data leaks).

  • Legitimizes shady sellers: Fake reviews trick real customers into buying from unreliable vendors.

  • Potential financial fraud: While brushing itself doesn’t directly charge you, it could be a warning sign that your data is floating around on the dark web.


✅ What to do if you receive a brushing package

  • Don’t pay for it — it’s free, and you’re not responsible.

  • Report it to the marketplace (e.g., Amazon, AliExpress) so they can investigate.

  • Check your accounts — ensure your online shopping accounts, payment cards, and bank statements haven’t been compromised.

  • Be cautious — if packages keep coming, it may be part of a larger fraud scheme.


👉 In short: Brushing = fake deliveries to boost fake reviews.It doesn’t usually harm you directly, but it’s a red flag about your data security.



A Global Problem


This trend isn’t limited to one country. Similar fraud attempts have been seen around the world, with criminals sticking fake QR codes on posters, placing them in phishing emails, and even adding them to public places to lure in unsuspecting victims.

The message is clear: think before you scan. A single QR code can open the door to financial disaster.

Do's and Don'ts of QR code safety graphic. Do: scan trusted sources, install security, check authenticity. Don't: scan unknown, install unverified, download files.
Do’s & Don’ts of QR Code Safety

Stay alert, stay skeptical, and help spread awareness. By talking about scams like this, we make it harder for cybercriminals to succeed.

Comments

bottom of page