Most Americans say they scan QR codes without checking their source — but the FTC warns that could be a costly mistake, thanks to this growing scam

According to NordVPN, 73% of Americans report scanning QR codes without verifying their source, with 26 million having already been directed to malicious sites that aim to steal their information or take control of their devices.

How does this QR scam work?

This scheme is essentially a high-tech twist on the old brushing scam, where scammers or sellers of knock-off goods send you unsolicited packages — often containing low-value items or random trinkets — so that they can use your personal information to create fake online reviews. These fake reviews can potentially boost sales for the product(s) that the package recipient received.

The QR scam takes it one step further by adding a malicious code into the mix. Here’s the play-by-play:

• The package: A random package shows up at your door. You didn’t order it, but it looks legitimate enough — complete with shipping labels and packaging that mimics major retailers
• The “mystery gift” note: Inside, there’s often a vague note claiming the package is a gift from a secret admirer, or instructions saying you need to scan the included QR code to “confirm delivery” or “return the item”
• The bait: Scammers are banking on your curiosity or desire to send the item back. And as we learned above, many Americans have admitted to scanning mysterious QR codes
• The switch: Instead of sending you to a legitimate retailer’s website, the QR code takes you to a fake website designed to steal personal information — like credit card info or login credentials. In some cases, simply scanning the QR code can trigger a malware download, allowing criminals to access your phone’s data, email, contacts and stored passwords

Essentially, the scammers are betting on you being curious enough to scan the QR code, allowing them to wreak havoc on your life — and maybe even your finances.

How to protect yourself from becoming a victim

If you receive a package that you didn't order, especially one without a clear sender, you’d be wise to exercise extreme caution. Here's how to protect yourself in this situation:

• Look for sender info: Legitimate packages should have a clearly listed sender on the outside or a packing slip on the inside. If that is missing or looks suspicious, it could be a red flag that something is off
• Don't scan mystery QR codes: If you don't know where a QR code is from, don't scan it — no matter how curious you might be
• Stop before you provide info: If you do scan the QR code, don't blindly give out your information or give access to your camera, photos or location
• Disconnect your device from the Internet: If you scan the code and suspect you’ve been scammed, turn your device's internet connection off. This can stop the malware from sending information back to the scammers
• Lock down your accounts: If you suspect it's a scam, change the passwords for all of your major accounts — such as your email, as well as your banking accounts — and set up two-factor authentication on any account that offers it. If you notice any suspicious purchases on your banking accounts, contact your bank or credit card company immediately
• Report the scam: If you've been scammed, file a complaint with the Internet Crime Complaint Center and contact your local consumer protection agency

The best way to protect yourself from this type of scam is simple — be very cautious before scanning QR codes. Sometimes, satisfying your curiosity just isn't worth the risk.