A new package scam started this summer, and it’s likely to gain momentum as people start ordering their iPhone Airs and buying gifts for the holidays.
I’ve discussed package scams before, especially “brushing” or padding out products with fake reviews, but this version is much more dangerous for the unsuspecting receiver. Here’s how it works and what to do if you think you’ve been targeted.
The QR code scam and how it works
Picture getting a package delivered to your front door. You may vaguely be expecting something or not even be sure why it’s there. The label doesn’t have obvious sender information, which makes it hard to tell what it is. What it does have is a prominent QR code with instructions to scan it to learn more.
That would be a big mistake. These codes can easily take you to any URL with a quick tap, and that’s a dangerous access point for all types of cybercrime. It could lead to an automatic download of malware that seeks out sensitive personal data to steal, or malware that locks down your phone, followed by threats and extortion.
Or even more devious, the QR code may link to a normal-looking site that asks you to enter account information — like, say, your Amazon login — so you can find out more about the package and who sent it. That page is designed to steal your login info for online identity theft, but that’s not always easy to remember in the moment.
What to do if you get a mysterious package without sender details
If you get a mysterious package without sender details, don’t scan the QR code to learn more, and don’t open it. Instead, look for any kind of tracking number or package ID number with the carrier that delivered it. If you were expecting a package, check with your seller to see if they’ve updated the package status to delivered, or if they give you a tracking number to follow.
If you don’t recognize the package at all, you can try to contact the carrier and report a misdelivered item. In brushing scams, someone already has your address, so this may not work, but there are ways to start removing your home address from the internet. If a seller is identified on the package, like Amazon, visit your account right away and change your email and password login.
The shipped items themselves probably aren’t dangerous, and in brushing scams, it’s usually innocuous junk you can throw away if the carrier refuses to pick the package up again.
What if you already scanned a QR code?
If you already scanned the QR code, change the account logins and passwords that you use for shipping or that you may have entered on the QR code website. If the code downloaded something onto your phone, immediately go into Airplane Mode or turn off your Wi-Fi. If your phone lets you go into Safe Mode, try to find out what was downloaded and remove it.
If problems persist, factory reset your phone entirely from the settings screen. You should also change the passwords on any accounts associated with your phone. Finally, consider ordering your free credit reports from one of the big credit agencies: Equifax, Experian or TransUnion.