As the holiday season approaches, many individuals are already purchasing gifts, while others are unexpectedly receiving packages with no clue about the sender. This trend exploded on social media in late September 2024 when the Akron Police Department highlighted a recent brushing scam in a Facebook post.
On September 17th, the post detailed the concept of brushing and the types of packages victims might encounter. These packages contained QR codes but lacked sender information. When scanned, these codes were supposed to reveal the package’s origin. According to the post, several states have seen an uptick in brushing scams recently.
The police department warned users about the risks associated with scanning unknown QR codes, stating:
“Once scanned, all information from that phone will be transmitted to scammers. They gain complete access to the device, allowing them to obtain all personal and financial data, often resulting in drained bank accounts.”
The post concluded with a call for individuals to inform their families and refrain from scanning unfamiliar QR codes.
QR Code Gifts: Who Are They For?
It’s important to note that brushing scams are not a new phenomenon. While there has been a recent spike across various states, instances of brushing scams can be traced back to 2020. In July of that year, numerous Americans received mysterious Amazon packages filled with plant seeds.
Amazon reported that seeds from at least 14 plant species were sent to unsuspecting recipients, primarily sourced from China. This prompted Amazon to prohibit the sale of foreign plants in the U.S. by September of that year.
Other nations, particularly Scotland, have encountered similar brushing scams, leading agricultural leaders to warn against planting unsolicited seeds.
So, what’s the reason behind these mysterious packages?
According to the United States Postal Inspection Service, brushing occurs when individuals receive parcels they did not order. These packages are typically addressed to the recipient but lack the sender’s return address.
Despite the absence of a return address, the sender is usually an international third-party seller aiming to enhance their ratings and artificially boost sales. They achieve this by posting positive yet fictitious reviews using the names of their victims.
The scammers often obtain their victims’ addresses through publicly available information or data breaches.
Recently, scammers seem to have evolved their tactics, adding QR codes to their packages for an extra layer of deceit. While the specific purpose of these QR codes remains ambiguous, the Akron Police Department claims they are designed to extract all information from the scanning device.
Can a QR Code Scan Actually Compromise Your Data?
QR Code Safety and Security
While QR codes serve as effective gateways to information, can they truly steal data when scanned? Similar to other seemingly harmless technologies that can be exploited, malicious actors can create QR codes intended to deceive unsuspecting individuals.
While fake QR codes pose a real threat and shouldn’t be ignored, they cannot extract information independently. Instead, they facilitate scammers and hackers in acquiring your data through alternative methods.
For instance, in a 2021 scam in Singapore, a 60-year-old woman scanned a QR code at a bubble tea shop, mistakenly believing it was a promotion for a complimentary drink. She downloaded a third-party app and completed a survey, allowing scammers to gain control of her device and steal $20,000 from her bank account.
It’s crucial to remember that businesses and reputable brands typically utilize trusted QR code generators to create their codes. Nevertheless, many experts recommend avoiding the scanning of unknown QR codes.
Jason Meza, Senior Director of Media Relations at the Better Business Bureau, advised in an interview with KCEN: “Do not scan the code; avoid taking immediate action.” He added, “You’re following instructions from an unknown source, which may likely be from a scammer.”
In response to this scam, both the Federal Trade Commission and the American Association of Retired Persons have urged the public not to scan unexpected QR codes.
Legitimacy vs. Malice: Challenges in QR Code Adoption
As QR codes gain popularity, the prevalence of fake QR codes has also increased. Fortunately, there are several methods to determine whether a QR code is safe.
One way is to examine the URL encoded in the QR code prior to visiting it. Most QR code scanners have this capability, enabling users to verify the link’s authenticity before deciding whether to access it.
It’s worth noting that trustworthy brands consistently utilize secure QR code platforms that include data encryption.
These platforms comply with regulations and standards, such as ISO-27001 and the California Consumer Privacy Act, to protect user information.
Ultimately, while legitimate QR code users are likely to continue encountering QR code scammers and cybercriminals, employing the right tools and practices can help mitigate the risks associated with these 2D barcodes.