CCIT News and Notices

Package Delivery Scam

A man holding an image of a QR code labeled 'Return Label' inside of a box with the caption 'SCAM'.

Since ordering and receiving packages has become commonplace for most people, cybercriminals are trying to take advantage of this practice. One of the ways they do this is by sending you a package with an item from a common online retailer, like Amazon, that you never ordered.

This is also known as a Brushing Scam. But the new twist on this scam is that inside your package you will find a QR Code with instructions on how to return the item or to find out more details about the order. Because this item was something that you didn’t actually order, they are hoping that you will scan the QR code that is included in the package.

These QR codes typically take you to a phony website that may load malware onto your phone, compromising your device, or may steal your information.

For any package return or to get more information about an order, a safer solution is to go to the vendor’s website yourself by typing in the actual address, rather than trusting a link from a QR code. Once you are on the actual vendor’s website, you can check for details on the order or how to legitimately return an item if needed.

But if this was not an item you ordered yourself, then you are not obligated to return it. You can simply keep it or throw it away.

Here are some tips to help avoid falling for this scam:

  • Preview the URL for any QR Code before doing anything
    When you scan a QR code with your phone’s camera, it will display the website URL from the QR code. You should look carefully at the URL to see if it matches the official website. And beware of any tricky or misleading letter substitutions in the URL, which may make it similar to the real website address.
  • Never download a QR Code Scanning App
    You should only use your phone’s camera to scan a QR code. If you are prompted to download any other tool to view the QR Code, this could be another way that scammers can infect your phone with malware.
  • If you follow the URL from the QR Code, look for any suspicious signs on the website
    Verify that the URL is an HTTPS address and not just an HTTP address. Look for things like low-resolution graphics, misspellings, grammar errors, or anything that looks out of place. Also, be extra cautious if the website asks for any personal information, account login and password data, or credit card information.
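
The URL checks from the tips above (HTTPS, a host that matches the official site, misleading letter substitutions) can also be automated, for example by a help desk triaging reported QR codes. The following is an added example, not part of the original notice; the domain `vendor.example`, the warning labels and the substitution map are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed, non-exhaustive map of digit-for-letter swaps (assumption).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def _norm(name):
    # Fold common substitutions so "vend0r" and "vendor" compare equal.
    return name.translate(LOOKALIKES).replace("rn", "m")

def _matches(host, official):
    # Exact domain or a true subdomain of it (dot boundary required).
    return host == official or host.endswith("." + official)

def check_qr_url(url, official_domain):
    """Return warning labels for a URL previewed from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    official = official_domain.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username or parts.password:
        # Text before '@' is not the site; the real host comes after it.
        warnings.append("userinfo-in-url")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("non-ascii-or-punycode-host")
    if _matches(host, official):
        return warnings
    warnings.append("host-mismatch")
    if official in host:
        # Official name used as a prefix or subdomain of another domain.
        warnings.append("official-name-embedded")
    elif _matches(_norm(host), _norm(official)):
        warnings.append("lookalike-substitution")
    return warnings

if __name__ == "__main__":
    # Constructed sample URLs using reserved example names and addresses.
    for sample in ("https://www.vendor.example/returns",
                   "http://vend0r.example/return-label",
                   "https://vendor.example.returns-help.example/label",
                   "https://vendor.example@198.51.100.7/label"):
        print(sample, check_qr_url(sample, "vendor.example"))
```

An empty result only means none of these specific checks fired; it does not show that the site is legitimate.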