
FBI Warns Smartphone Users – QR Code Scams and How to Protect Yourself
The Federal Bureau of Investigation has issued a public warning to smartphone users about a growing wave of cyber threats targeting both iPhone and Android devices. The alert, released in late July 2025, centers on a sophisticated QR code scam involving unsolicited mystery packages mailed to households across the country.
Criminals are sending unmarked parcels containing nothing but a printed QR code, designed to spark curiosity and prompt recipients into scanning. Once scanned, the codes direct users to fraudulent websites or trigger malware installation—a technique known as quishing or QR code phishing. The scheme has already prompted warnings from multiple federal agencies, including the FTC in January 2025 and USPS in February 2025.
The FBI’s Internet Crime Complaint Center has received victim reports that include financial losses and unauthorized access to personal accounts. Authorities are urging anyone who receives an unexpected package with a QR code to discard it without scanning and to report suspicious activity through official channels.
What is the FBI warning to smartphone users?
The FBI warning addresses a multi-layered threat campaign targeting smartphone owners through physical mail and digital channels. At its core, the advisory warns against scanning QR codes from unknown or unsolicited sources, particularly those arriving without sender information or packaging labels. The alert applies equally to iPhone and Android users, as both platforms are vulnerable to the same attack vectors.
- Various apps collect user data including location, contacts, and browsing habits.
- Mystery packages with QR codes trick users into visiting malicious sites or installing malware.
- Fake delivery texts and messages contain malicious QR links to steal credentials.
- Personal information collected through fraudulent websites leads to identity theft.
Key risks identified by the FBI
- Immediate data theft or unauthorized financial transactions
- Malware installation enabling keystroke logging and account monitoring
- Cryptocurrency wallet theft through QR-linked wallet addresses
- Unauthorized access to personal accounts and login credentials
- Exposure of Social Security numbers, credit card details, and banking information
- Silent background surveillance of device activity
- Escalation of brushing scams into direct fraud schemes
| Threat Type | Target Platform | Attack Method | First Warning Date |
|---|---|---|---|
| QR Code Phishing | iPhone & Android | Mystery packages with QR codes | July 2025 |
| Brushing Scam Escalation | All smartphone users | Unsolicited items confirm addresses | January 2025 (FTC) |
| Quishing via Mail | iPhone & Android | QR codes in unsolicited mail | February 2025 (USPS) |
| Malware Installation | iPhone & Android | Camera-based QR scanning | July 2025 |
Why are iPhone and Android users specifically warned?
Both iPhone and Android platforms share a common vulnerability that makes them equally susceptible to QR code attacks. Modern smartphones on either operating system come equipped with built-in camera scanners that automatically process QR codes without prompting users to verify the destination. This convenience feature, while useful for legitimate transactions, creates an attack surface that criminals exploit by placing malicious codes in physical locations or mailings.
How the scam reaches smartphone users
Criminals mail unlabelled packages without sender information, often containing only a printed QR code. The package itself is designed to generate curiosity, prompting recipients to scan the code using their phone’s camera. Because the built-in scanner activates automatically when the camera is pointed at a QR code, users may not have the opportunity to inspect the destination URL before being redirected.
Once scanned, the QR code leads to fraudulent websites requesting personal information such as names, addresses, credit card details, Social Security numbers, and login credentials. In other cases, the code triggers automatic malware installation, a technique that Bitdefender researchers have documented enabling device access, keystroke logging, activity tracking, and cryptocurrency wallet theft.
Neither iPhone nor Android devices prompt users to preview QR code destinations before opening them. This means scanning an unknown code can immediately redirect users to malicious sites or trigger app installations without verification.
Why traditional security measures fall short
Standard mobile security apps often focus on app-based threats and may not scan QR codes proactively. The FBI advisory specifically notes that users should rely on built-in phone cameras rather than third-party QR scanner apps, as the latter may introduce additional risks. Antivirus software designed for mobile threat detection remains recommended as an additional layer of protection.
What scams are involved in the FBI smartphone warnings?
The FBI warning encompasses several distinct but related scams that have emerged over the past year. The primary threat involves the QR code package scam, which represents an evolution of brushing scams where unsolicited items were previously used to confirm addresses for fake reviews. Criminals have now escalated this tactic by including QR codes that lead directly to fraudulent websites or malware download pages.
The QR code package scam explained
The scheme begins when recipients receive an unexpected package with no return address or identifying information. The package contains only a printed QR code with instructions or marketing material prompting the user to scan. According to reporting by AOL and Fox News, scanning these codes can lead to phishing websites designed to harvest personal and financial data, or trigger malware installation capable of monitoring device activity and stealing cryptocurrency.
If you receive an unexpected package with a QR code, discard the entire package without scanning. Do not scan the code, even out of curiosity, and do not follow any instructions printed on the packaging.
Fake delivery texts and chat phishing
Related tactics involve fraudulent text messages and chat communications claiming to be from delivery services. These messages contain QR codes or links to malicious sites. The FBI has warned that such communications frequently accompany the physical package scams, creating multiple touchpoints for potential victims.
Reports documented by Bitdefender indicate that threat actors have increasingly abused QR codes since the COVID-19 pandemic, when touchless interactions became normalized. Criminals have turned this convenience-driven habit to their advantage, embedding malicious codes in physical mail and digital communications alike.
Timeline of FBI and agency warnings on smartphone threats
Multiple federal agencies have issued warnings about smartphone-related scams over the past year and a half. The following timeline documents the major alerts that preceded and followed the FBI’s July 2025 warning.
- January 2025 — The Federal Trade Commission issued an initial warning about unexpected packages containing QR code notes, alerting consumers to the emerging threat.
- February 2025 — The United States Postal Inspection Service warned about QR codes appearing in unsolicited mail, highlighting the risks of quishing.
- Late July 2025 — The FBI issued its most comprehensive public warning about the QR code package scam, urging smartphone users not to scan codes from unknown sources.
- Ongoing — The FBI Internet Crime Complaint Center continues to receive victim reports, including complaints involving financial losses from iPhone and Android users.
Authorities note that the threat landscape continues to evolve as criminals develop new tactics combining physical mail fraud with digital attack vectors. The FBI has emphasized that anyone who believes they may have been victimized should file a report through the IC3 website immediately.
What the FBI warnings confirm versus what remains unclear
The available evidence allows for a clear distinction between established facts and areas where uncertainty persists. The following comparison summarizes what authorities have confirmed and what remains under investigation or unclear.
| Established Information | Unconfirmed or Unclear Details |
|---|---|
| FBI issued QR code package scam warning in late July 2025 | Total number of victims nationwide is not publicly disclosed |
| Both iPhone and Android users are targeted | Exact geographic distribution of affected households |
| QR codes lead to phishing websites and malware installation | Specific malware families identified in campaign |
| FTC and USPS issued preceding warnings (January and February 2025) | Whether the same criminal groups are responsible for all campaigns |
| IC3 accepts victim reports including financial losses | Total dollar amount of reported losses |
| Scammers use brushing scam infrastructure to deliver packages | Specific shipping methods or platforms exploited |
Background on smartphone security threats and QR code abuse
The proliferation of QR codes during and after the COVID-19 pandemic created new opportunities for cybercriminals. Touchless interactions became normalized, with businesses and organizations adopting QR codes for payments, menus, and information sharing. This behavioral shift lowered user resistance to scanning codes, making smartphone users increasingly susceptible to malicious variations.
The current campaign represents an evolution of these risks into direct financial fraud. Unlike earlier brushing scams that primarily served to establish addresses for fake reviews, the QR code package scheme aims to extract personal information, install surveillance malware, and steal cryptocurrency directly from victims. Security researchers have documented how these attacks chain together multiple platforms—physical mail delivery, mobile browsing, and fraudulent websites—to maximize victim impact.
The FBI warning reflects growing concern within federal law enforcement about the convergence of physical and digital attack vectors. Smartphone users, regardless of platform choice, face similar risks when interacting with unknown QR codes, making public awareness and preventive measures essential for personal security.
Official sources and reporting channels for smartphone scam victims
The FBI has directed smartphone users who encounter QR code scams or believe they may have been victimized to report incidents through official channels. The Internet Crime Complaint Center serves as the primary reporting mechanism for cyber-enabled crimes, accepting complaints that include financial losses and unauthorized account access.
The FBI urges anyone who receives an unexpected package with a QR code, or who has scanned such a code, to report the incident through the Internet Crime Complaint Center. Victims should also monitor their accounts and credit reports for unauthorized activity.
Additional resources include the FTC’s IdentityTheft.gov recovery guide for those who have submitted personal information to fraudulent websites, and the Department of Justice Elder Justice Hotline at 1-833-FRAUD-11 for senior citizens who may require additional assistance navigating the reporting process.
Users who wish to verify legitimate services or confirm whether a communication is authentic should contact purported senders through separate, independently verified channels rather than relying on contact information provided in suspicious messages or packaging.
How smartphone users can protect themselves from FBI-identified threats
The FBI advisory provides clear guidance for smartphone users seeking to avoid QR code scams and related threats. These measures apply to both iPhone and Android users and represent practical steps that can significantly reduce exposure to the documented attack vectors.
Users should discard any mystery package received without sender information and should not scan QR codes from unknown or unsolicited sources. When scanning codes from legitimate businesses, users should verify the destination by long-pressing the code to preview the URL before proceeding. Suspicious domains or unexpected requests for personal information should be declined immediately.
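One way to inspect what a QR code decodes to before opening it, as an added example that is not from the FBI advisory or this article: the function below flags traits of a decoded payload that warrant declining it, without ever fetching the URL. The shortener list, scheme list, file suffixes and warning codes are illustrative assumptions, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative lists; extend them for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
CRYPTO_SCHEMES = {"bitcoin", "ethereum"}
INSTALL_SUFFIXES = (".apk", ".mobileconfig")


def triage_qr_payload(payload):
    """Return warning codes for a decoded QR string; never fetches the URL."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in CRYPTO_SCHEMES:
        return ["crypto-payment-uri"]  # funds would go to the encoded address
    if scheme not in ("http", "https"):
        return ["non-web-scheme"]      # e.g. sms:, tel:, WIFI: or no scheme
    findings = []
    if scheme == "http":
        findings.append("cleartext-http")
    if parts.username is not None:
        findings.append("userinfo-in-url")  # text before '@' is not the host
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")    # may render as a lookalike name
    if host in SHORTENERS:
        findings.append("shortened-url")    # real destination is hidden
    if parts.path.lower().endswith(INSTALL_SUFFIXES):
        findings.append("direct-install-file")
    return findings


# Constructed sample payloads (reserved example domains and addresses).
SAMPLES = [
    "https://www.example.com/menu",
    "http://203.0.113.7/parcel/track",
    "https://post.example@xn--e1afmkfd.example/login",
    "https://bit.ly/abc123",
    "https://cdn.example.net/tracker.apk",
    "bitcoin:1ExampleAddressNotReal?amount=0.5",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s} -> {triage_qr_payload(s) or ['no-findings']}")
```

An empty result means only that none of these checks fired; it does not show that the destination is legitimate.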
If you have already scanned a suspicious QR code but have not entered any information, close the page immediately, change compromised passwords, and monitor your financial accounts for unauthorized transactions.
For broader protection, smartphone users should consider installing mobile antivirus software capable of detecting malicious apps and links. Users can also limit their online personal data exposure by utilizing data removal services, reducing the amount of information available to criminals if a breach does occur. Additionally, reviewing app permissions and regularly auditing installed applications helps identify potential data harvesting before it leads to compromise.
Frequently Asked Questions
What should smartphone users do about the FBI QR code warning?
Discard any unexpected package containing a QR code without scanning it. Do not follow instructions on the packaging, and report the incident to the IC3 if you have already scanned the code.
Is the FBI warning only for Android or iPhone users?
No. The FBI warning applies equally to both iPhone and Android users, as both platforms are vulnerable to the same QR code scanning exploits and malware installation techniques.
How common are these smartphone QR code scams?
The FBI has confirmed that complaints have been received by the IC3, including reports of financial losses. The exact scope nationwide is not publicly disclosed, but the escalation from brushing scams to direct fraud indicates a growing threat.
What happens if I accidentally scan a malicious QR code?
If you scanned but entered no information, close the page immediately. If you entered personal data, change passwords, review bank statements, freeze credit, and report to the IC3 and FTC’s IdentityTheft.gov.
Are QR codes on legitimate business materials also dangerous?
QR codes from trusted businesses with verified sources remain generally safe. The risk arises from codes in unsolicited mail, unexpected packages, or messages from unknown senders. Always preview the URL before opening it.
Where can I report a QR code scam incident?
Report incidents to the FBI’s Internet Crime Complaint Center at ic3.gov. Seniors can use the DOJ Elder Justice Hotline at 1-833-FRAUD-11. Follow up with the FTC’s recovery resources at IdentityTheft.gov.
Do these threats affect other devices besides smartphones?
While the FBI warning specifically addresses smartphone users, the underlying QR code mechanics can affect any device with a camera and QR scanning capability. Desktop users with scanning accessories face similar risks if they interact with malicious codes.