FBI issues warning to all smartphone users — a dangerous new scam could be at your door


If you have a smartphone, you're a target. That's the thinking behind the latest scam going viral, where hackers use malicious text messages and packages you didn't order in a bid to steal your personal information and wipe out your financial accounts.

The Federal Bureau of Investigation issued a warning this week about a new type of "brushing" scam. "In a traditional brushing scam, online vendors send merchandise to an unsolicited recipient and then use the recipient's information to post a positive review of the product," reads a statement the FBI's Pittsburgh field office posted on X.

As annoying as fake reviews can be, bad actors are now taking things one step further, using this setup to siphon data from unsuspecting victims in a particularly insidious way. The difference boils down to the QR code in these packages, and it's a fresh reminder of why we could all stand to be more careful about how we use our phones to interact with the world around us.

"In this variation, criminals send unsolicited packages containing a QR code that prompts the recipient to provide personal and financial information or unwittingly download malicious software that steals data from their phone," the FBI said.

The scammers often don't include a return address or any information about the name of the sender, which entices people to scan the QR code. They're betting on people being curious to learn more when a random package arrives at their doorstep.

Once scanned, the QR code collects personal and financial information about the victim while also downloading malicious software onto their phone. Attackers have used this method to quietly siphon credit card numbers as well as credentials for bank accounts, securities trading accounts, and crypto accounts.

How to stay safe from scammers


In its warning to smartphone users, the FBI offered several ways to avoid falling for this new type of brushing scam:

  • Beware of unsolicited packages containing merchandise you did not order.
  • Beware of packages that do not include sender information.
  • Take precautions before authorizing phone permissions and access to websites and applications.
  • Do not scan QR codes from unknown origins.

If you believe you've been the target of this kind of scam, you're urged to change your account profiles and request a credit report from a national credit reporting agency to identify possible fraudulent activity. You can report fraudulent or suspicious activities to the FBI via its IC3 portal. Just be sure to include as much information as possible, including the name of the person or company that contacted you; methods of communication used, including websites, emails, and telephone numbers; and any applications you may have downloaded or provided permissions to on your device.


Alyse Stanley
News Editor

Alyse Stanley is a news editor at Tom’s Guide, overseeing weekend coverage and writing about the latest in tech, gaming, and entertainment. Before Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk and has written game reviews and features for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and roller skating. She's also a puzzle fan and can often be found contributing to the NYT Connections coverage on Tom's Guide.
