Postal Service: Latest “Brushing Scam” Includes QR Code Fraud

Summary

• According to the United States Postal Inspection Service (USPIS), scammers are incorporating quishing – short for QR code phishing – into a new variation of the brushing scam. Quishing uses a QR code to send you to a fake website once you scan it.
• People are receiving packages they did not expect, containing items they did not order. Inside the packages, there are cards with QR codes under the guise that you need to scan them to find out who sent you the gift or to obtain more information about the company that sent it.
• The websites appear to be legitimate and from official sources. However, they are fake sites used by criminals to steal your personal information. Criminals may proceed to use it for several other scams and identity crimes in the future.
• To avoid quishing in a brushing scam, do not scan a QR code or visit a website link in an unknown package. Also, report the package to the retailer’s customer service and monitor your financial accounts and online profiles for suspicious activity.
• If you have additional questions about quishing, a brushing scam, or believe you were the victim of an identity crime, contact the Identity Theft Resource Center. You can reach us toll-free by text or phone at 888.400.5530 or through live chat on our company website, idtheftcenter.org.

The brushing scam has been around for a long time. Many people have opened their doors to find a package they did not expect to receive. Now, some of those packages may include cards with QR codes saying you need to scan them to find out who sent you the gift or more about the company that sent it. However, it’s a scam.

Who Are the Targets?

Anyone

What is the Scam?

According to the United States Postal Inspection Service (USPIS), criminals are incorporating quishing into the latest version of the “brushing scam.” Quishing is short for QR code phishing, and it uses a QR code to send you to a fake website once you scan it. People are receiving packages they did not expect, containing items they did not order – the classic definition of a brushing scam.

Inside the packages, there are cards with QR codes that link to websites that appear to be genuine and seem to be from official sources. However, they are fake sites used by criminals to steal your personal information.

What they Want

Identity criminals use fake QR codes in quishing scams so that you will visit their malicious websites and voluntarily give up personal information. The thieves may use it for other scams and identity crimes in the future.

How to Avoid Quishing in a Brushing Scam

• Avoid scanning any QR codes or clicking on the provided links. Always verify the validity of QR codes or websites directly with the legitimate source.
• Report the package to the real retailer’s customer service.
• Monitor your financial accounts and online profiles for suspicious activity.
• If you accessed one of these websites, run a security scan on your devices and update your passwords (use passkeys, if possible, and 12+-character passphrases if not) if any links were accessed.

Contact the ITRC

If you have additional questions about quishing, this variation of the brushing scam, or believe you were the victim of an identity crime, contact us. You can speak with an Identity Theft Resource Center expert advisor toll-free by text or phone (888.400.5530) or live chat on the company website. You can visit www.idtheftcenter.org to get started.