
Don't Fall for This Sneaky QR Code Scam if You Get a Surprise Package

This round of package scams is using QR codes for malware, identity theft and other crimes.

Tyler Lacoma Editor / Home Security and Smart Home

A new version of package scams aims to steal your information. 


A new package scam started this summer, and it's likely to gain momentum as people start ordering their iPhone Airs and buying gifts for the holidays.

I've discussed package scams before, especially "brushing" or padding out products with fake reviews, but this version is much more dangerous for the unsuspecting receiver. Here's how it works and what to do if you think you've been targeted.



The QR code scam and how it works


Don't scan QR codes that are on physical packages, even if you were expecting a delivery. 


Picture getting a package delivered to your front door. You may vaguely be expecting something or not even be sure why it's there. The label doesn't have obvious sender information, which makes it hard to tell what it is. What it does have is a prominent QR code with instructions to scan it to learn more.

That would be a big mistake. These codes can easily take you to any URL with a quick tap, and that's a dangerous access point for all types of cybercrime. It could lead to an automatic download of malware that seeks out sensitive personal data to steal, or malware that locks down your phone, followed by threats and extortion.

Or even more devious, the QR code may link to a normal-looking site that asks you to enter account information -- like, say, your Amazon login -- so you can find out more about the package and who sent it. That page is designed to steal your login info for online identity theft, but that's not always easy to remember in the moment.


What to do if you get a mysterious package without sender details


Beware strange packages at your door -- it's not always a wrong delivery.


If you get a mysterious package without sender details, don't scan the QR code to learn more, and don't open it. Instead, look for any kind of tracking number or package ID number with the carrier that delivered it. If you were expecting a package, check with your seller to see if they've updated the package status to delivered, or if they give you a tracking number to follow.

If you don't recognize the package at all, you can try to contact the carrier and report a misdelivered item. In brushing scams, someone already has your address, so this may not work, but there are ways to start removing your home address from the internet. If a seller is identified on the package, like Amazon, visit your account right away and change your email and password login.

The shipped items themselves probably aren't dangerous, and in brushing scams, it's usually innocuous junk you can throw away if the carrier refuses to pick the package up again.

What if you already scanned a QR code?


Take action fast if you used a mystery QR code.


If you already scanned the QR code, change the account logins and passwords that you use for shipping or that you may have entered on the QR code website. If the code downloaded something onto your phone, immediately go into Airplane Mode or turn off your Wi-Fi. If your phone lets you go into Safe Mode, try to find out what was downloaded and remove it.

If problems persist, factory reset your phone entirely from the settings screen. You should also change the passwords on any accounts associated with your phone. Finally, consider ordering your free credit reports from one of the big credit agencies: Equifax, Experian or TransUnion.

For more, check out my guide on smart home devices to prevent package theft, how package delivery boxes are making a big return and how to stop porch pirates in general.