Ever wondered why seemingly harmless Amazon packages are suddenly landing on your doorstep with no sender name, no return address—just a mysterious QR code tucked inside, inviting you to scan it? While it may feel like a stroke of luck, police and consumer protection agencies warn that this “gift” could actually be a high-stakes trap designed to bypass your security and drain your bank account in minutes. It’s an evolution of the so-called “brushing scam,” where a single curious scan can hand hackers the keys to your financial life. Read on to learn how this scam works, why it’s spreading, and how to protect yourself before it’s too late.
How the Amazon QR code scam unfolds
As mentioned above, this scheme is a sophisticated evolution of the “brushing scam,” a tactic traditionally used by unscrupulous sellers to create fake verified reviews. However, this new version has a much more predatory goal: total financial access.
The scam begins when a package arrives at your home that you never ordered. To lower your guard, the parcel is often professionally labeled with your correct name and shipping address, making it appear as a legitimate Amazon delivery. The red flag? The sender’s information is usually anonymous, missing, or linked to a non-existent business.
The true “payload” isn’t the item inside, but the message attached to it. Whether it’s a printed note tucked inside or a sticker on the box, you’ll find an urgent invitation to scan a QR code. The bait varies to pique your curiosity:
- The “secret admirer” angle: Claims the scan will reveal who sent the gift.
- The review reward: Promises a gift card or cash in exchange for a five-star rating.
- The shipping correction: Claims you must scan to report the “mis-delivery.”
Once you scan that code, the scam moves from your doorstep to your smartphone. Depending on the attacker’s goal, one of two things usually happens:
- Phishing portals: You are directed to a counterfeit website that perfectly mimics an Amazon or bank login page. Any credentials you enter are captured instantly by the scammers.
- Silent malware: The scan triggers an invisible download of spyware. Once installed, this malicious software can intercept your text messages (including two-factor authentication codes), scrape your saved passwords, and mirror your banking activity.
Mystery deliveries leave Arizona couple frustrated and confused
For one Scottsdale, Arizona couple, what started as a few unexpected deliveries quickly turned into a flood of mystery packages. Jeffrey and Judy Marshall say they began receiving Amazon boxes filled with random household items they never ordered, including an oven shelf liner, dog nail clippers, a candle warmer, curtains, a lighted makeup mirror, and even an ice cream scoop.
“There was no rhyme or reason to anything,” Jeffrey said.
Although the shipments were sent to their home address, the name listed on each package didn’t belong to them. When the Marshalls looked into it, they discovered the names appeared to be fabricated. What seemed odd at first soon became a recurring and unwelcome disruption.
Judy said the ongoing deliveries created unnecessary stress and inconvenience.
“My point to them was, you’re inconveniencing us. I mean, we have nothing to do with this process. We’re just receiving all these packages, and now you’re telling us it’s our responsibility to take care of these packages and I don’t agree,” she said.
The couple reported each suspicious package to Amazon, but said the shipments kept coming and they received little response.
“Very frustrating. And the fact that you’re dealing with some enormous corporation where they basically just allow this to happen and no real recourse, no meaningful recourse,” Jeffrey Marshall said.
Amazon has since said it is investigating where the packages sent to the Marshalls originated, as similar complaints continue surfacing from consumers across the country.
Tips to avoid falling for the latest Amazon QR code scam
Protecting yourself from a “brushing” or QR code scam requires a mix of digital hygiene and healthy skepticism. If an unexpected box lands on your porch, follow these expert-backed steps to secure your information.
1. Don’t scan the bait
The most critical line of defense is restraint. Authorities are urging the public to never scan a QR code found in an unsolicited package. If you see one, delete any digital photos of it and dispose of the physical copy without interacting with the link.
2. Audit your financials
Security experts suggest that the arrival of these packages is often a sign that your data is already in circulation. Travis Taylor, co-host of the What the Hack podcast, advises victims to meticulously review their bank and credit card statements for even the smallest unauthorized charges. As a preemptive strike, Taylor also recommends changing your primary account passwords to lock out potential intruders.
3. Understand your rights
If you’re wondering what to do with the physical items cluttering your home, the Federal Trade Commission (FTC) has a clear stance: You are legally allowed to keep them. Whether you decide to use the items, toss them, or donate them to charity, you are under no obligation to pay for or return them.
4. Report the pattern
While you can keep the goods, you should still report the delivery. The FTC and local law enforcement use these reports to track fraud patterns and shut down scam rings.
Reporting to Amazon is also vital, as the company has a zero-tolerance policy for this behavior. Amazon strictly forbids third-party sellers from sending out “surprise” packages to boost rankings or facilitate scams. According to the company, sellers caught violating this policy face severe penalties, including immediate withholding of payments, permanent suspension of selling privileges, and direct referral to law enforcement for criminal prosecution.
