Brushing + QR‑Code Attacks (2026): How Unsolicited Parcels Turn into Account Takeovers
Introduction — The New Physical‑to‑Digital Scam Chain
What looks like a curiosity — a small, unsolicited package at your door — can be the first link in a modern takeover chain. Brushing (the practice of sending unsolicited merchandise to create “verified” orders and fake reviews) has been widely reported by consumer agencies, while QR‑code phishing ("quishing") has surged as attackers weaponize the physical world to deliver malicious URLs. These two tactics are increasingly combined: attackers mail parcels that include a QR code, instruction card, or tampered delivery notice designed to get you to scan, visit a credential‑harvesting page, or install software that steals credentials and session tokens.
This article explains how brushing and QR‑code attacks can lead to account takeover, who’s been warning consumers, immediate steps for people who receive unexpected packages, and practical protections for individuals and businesses.
How the Combined Attack Works — A Typical Kill Chain
Attackers chain simple actions into a powerful scam. Typical stages include:
- Brushing delivery: The attacker ships a small item to your name or to a target list so there is an authentic shipping record. This confirms an address and can be used to justify later contact or to anchor a fake purchase history.
- Physical lure: The parcel contains a printed QR code, business card, or a tampered delivery notice instructing the recipient to "confirm delivery," "claim a gift," or "activate a warranty." Attackers rely on curiosity and the trust people place in physical mail.
- Quishing flow: When scanned, the QR code redirects to a cloned login or payment page, a fake delivery portal that asks for account credentials, or a page that triggers a malicious APK/download. Modern quishing flows can use reverse‑proxy (adversary‑in‑the‑middle) phishing kits that relay the victim's session to the real site and capture credentials and one‑time codes in real time.
- Account takeover: With credentials, session cookies, or intercepted 2FA codes, attackers can reset passwords, change recovery options, port phone numbers, add payment methods, or perform fraudulent transactions.
Public agencies and security vendors have documented both the brushing problem and a sharp rise in QR‑based phishing. The FBI and other agencies have issued warnings about quishing; Microsoft and media reporting show large increases in QR phishing detections in 2025–2026.
What To Do Right Now — For Consumers Who Receive an Unsolicited Parcel
If you receive a package you didn’t order, follow these practical, safety‑first steps:
- Don’t scan any QR codes or click links in the package materials. A QR code is just an encoded link — treat it like a suspicious email link until verified.
- Keep the package and check order history. Check your e‑commerce account order history to confirm whether an order exists; if none does, treat the parcel as unsolicited. Under FTC guidance, you are not required to pay for or return unordered merchandise.
- Verify via official channels. If the card claims to be from a retailer, don’t use the phone number or QR on the card. Go to the retailer’s official website or app and use the verified support contact or your account menu to check delivery status. If in doubt, call the company number listed on their official site.
- Change exposed credentials & secure your recovery options. If you scanned a code or entered credentials, immediately change your password, revoke active sessions, and check recovery email/phone methods. Where available, enable stronger MFA methods (authenticator apps or hardware keys).
- Report the incident. File complaints with the FTC (ReportFraud.ftc.gov) and, if the parcel relates to a delivery service, report to the U.S. Postal Inspection Service (USPIS); local law enforcement can help if you suffered a financial loss.
If you suspect malware was installed on your phone, disconnect it from networks, run a reputable mobile AV/anti‑malware scan, and consider a device factory reset after backing up important data.
Quick red flags to watch for: pressure to act now, requests for credentials or OTPs, messages that the parcel needs "confirmation" via an external link or QR, or unexpected "support" phone numbers and SMS asking for codes.
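As an added example (not code from the article or any vendor), the following Python triages the text decoded from a QR code the way the article says to treat a suspicious link: before anyone opens it, it flags the lure patterns the kill chain above describes (untrusted or lookalike hosts, credentials hidden behind an "@", direct APK downloads, "confirm"/"claim" wording). The trusted‑domain list and the sample payloads are constructed for illustration.

```python
"""Triage of a decoded QR payload: an added example, not code from the article.

A QR code only carries text, usually a URL; this applies the article's advice
to treat that URL like a suspicious e-mail link. TRUSTED_DOMAINS and the
sample payloads are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the recipient actually uses.
TRUSTED_DOMAINS = {"amazon.com", "usps.com"}
# Wording the article lists as lures on parcel cards and fake delivery portals.
LURE_WORDS = ("confirm", "claim", "verify", "activate", "login", "gift", "warranty")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the .com-style hosts used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage_qr_payload(payload: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the red flags found in a decoded QR payload (empty list = none)."""
    flags = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"non-web payload ({parts.scheme or 'no scheme'}): do not open"]
    host = parts.hostname or ""
    if parts.scheme == "http":
        flags.append("plain http (credentials would travel unencrypted)")
    if parts.username is not None:  # e.g. https://amazon.com@evil.example/...
        flags.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a retailer domain")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode host (possible homoglyph lookalike)")
    if host and registrable_domain(host) not in trusted:
        flags.append(f"host {host!r} is not a trusted domain")
        # Brand name present but on another registrable domain: classic lookalike.
        if any(t.split(".")[0] in host for t in trusted):
            flags.append("brand name used on an untrusted domain")
    path_q = (parts.path + "?" + parts.query).lower()
    if ".apk?" in path_q:
        flags.append("direct Android APK download")
    if any(w in path_q for w in LURE_WORDS):
        flags.append("delivery/gift lure wording in URL")
    return flags
```

Any non‑empty result is a reason to follow the verification steps above (official site or app, not the card) rather than open the link.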
