The Facebook posts legitimately warn consumers of so-called "brushing scams," which are real and potentially dangerous.
However, specific claims made in some of these warnings exaggerate the capabilities of QR codes. The mere act of scanning a QR code does not by itself trigger immediate consequences such as compromised phones, stolen personal and financial information or drained bank accounts. Typically, scammers require further steps from their victims to acquire personal and sensitive information.
A rumor virally shared on Facebook in late 2024 warned consumers to beware of "brushing scams" — a ruse in which a scammer sends a package to an unsuspecting recipient containing an item they did not order, with the goal of publishing a positive "verified review" in the recipient's name. Specifically, these Facebook posts posited that the mere act of scanning a QR code found inside such a package poses an immediate and significant privacy risk to the recipient.
Snopes received inquiries from readers asking whether these warnings were legitimate and accurate. What we found was that in many cases they were indeed posted by legitimate sources — such as police departments — but were not entirely accurate. Therefore, we have rated the claim as a mixture of truth and falsehood.
For example, on Dec. 15, the Facebook page of the Johnstown, Ohio, Police Department shared (archived) a warning posted in previous months by other Ohio-based police departments. The post quoted below received more than 250,000 shares in less than 24 hours:
Beware of Brushing Scam!
A recent scam has been showing up in many states. We have not had any local reports, but want to make residents aware before you are victimized.
A "brushing" scam is when someone receives an unexpected gift or item not ordered in the mail from a place like Amazon or other company. Examples of gifts include, rings, bracelets, necklaces, Bluetooth speaker, etc. The gift will have the recipient's address, but not include the sender's information or be from a known retailer. When the recipient opens the package to see what it is and possibly who sent it, there is a QR code to scan to find out who sent the gift.
Once the code is scanned, all the information from that phone will be sent to scammers. They receive all access to the phone. All personal and financial information is accessible to the scammers and often the victim's bank accounts are drained. The gift can be kept or thrown away, but the QR code should NOT be scanned for any reason. QR code scams are nothing new. These scams show up in all places, including parking meters.
Inform your family members about the scam and avoid scanning any unknown QR codes included in the package.
While it's true brushing scams are real and potentially pose some dangers, these copied-and-pasted posts exaggerated the threat posed by the QR codes. The mere act of scanning a QR code doesn't necessarily trigger immediate consequences such as a compromised phone, stolen personal and financial information or drained bank accounts.
QR codes — "QR" being short for "quick response" — often simply contain a website link. One common example of QR code usage is in restaurants, which sometimes provide customers with codes that allow them to open menus on their smartphones.
Still, in some cases, QR code-linked website URLs offered in restaurants, parking garages and other places can lead to malicious login pages designed by scammers to mimic authentic websites. The goal of this sort of scam, known as QR code phishing, or Quishing, is to interact with consumers to get login details or other personal information from them — for example, for banking, digital payment methods or shopping (e.g., Bank of America, PayPal and Amazon). In other words, for the scam to succeed, scammers need more participation from potential victims than simply scanning a QR code.
We contacted the U.S. Postal Inspection Service's office of public affairs to ask how many reports it had received from consumers about packages involving brushing scams with QR codes inside. We also invited general comments about the matter and will update this story if we receive responses.
What QR Codes Can and Can't Do
According to the Kaspersky cybersecurity company's website, consumers commonly scan QR codes with the camera app on their mobile phones. The creators of QR codes can include website URLs, phone numbers or up to 4,000 characters of text. Other possible features include linking to download an app, authenticating online accounts and verifying login details, accessing Wi-Fi by storing encryption details such as SSID, password and encryption type, and sending and receiving payment information.
As for the specific claim made in the brushing scam Facebook posts, Kaspersky advised: "QR code-generating software does not collect personally identifiable information. The data it does collect — and which is visible to the code's creators — includes location, the number of times the code has been scanned and at what times, plus the operating system of the device which scanned the code (i.e., iPhone or Android)."
In other words, QR codes themselves collect very little data. The true danger of QR codes — or any online activity, for that matter — involves the act of a credulous consumer manually submitting data; for example, typing out private login information on a malicious website.
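To make the point above concrete, here is an added example (not part of the original article) that treats a scanned QR code as what it is: a decoded string whose type decides which action the phone offers. The function names are hypothetical, the `WIFI:` layout is the widely used scanner convention, and the sample payloads are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def parse_wifi(payload):
    """Parse the common 'WIFI:T:<auth>;S:<ssid>;P:<password>;;' payload."""
    fields = {}
    # Split on ';' unless it is backslash-escaped inside a value.
    for part in re.split(r"(?<!\\);", payload[len("WIFI:"):]):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = re.sub(r"\\(.)", r"\1", value)  # drop escapes
    return fields

def url_flags(text):
    """Structural warning signs in a link; absence of flags proves nothing."""
    url = urlsplit(text)
    host = url.hostname or ""
    flags = []
    if url.scheme.lower() == "http":
        flags.append("no TLS")
    if url.username:
        flags.append("text before '@' is not the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host, possible lookalike")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass
    return flags

def classify(payload):
    """Return (kind, detail) for the string a scanner decoded from a QR code."""
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme == "wifi":
        return "wifi", parse_wifi(text)
    if scheme in ("http", "https"):
        return "url", url_flags(text)
    if scheme in ("tel", "sms", "smsto", "mailto"):
        return scheme, text.split(":", 1)[1]
    return "text", text

# Constructed sample payloads (not taken from any real package).
SAMPLES = ["http://192.0.2.10/login", "https://bank.example@login.invalid/",
           "WIFI:T:WPA;S:Cafe Guest;P:s3cret;;", "tel:+15555550100", "Thanks!"]
if __name__ == "__main__":
    print([classify(s) for s in SAMPLES])
```

Every branch returns inert data: a link to open, a network to join, a number to dial. In each case, harm still requires the user to take a further step, such as typing credentials into the page the link opens.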
Explaining Brushing Scams
The U.S. Postal Inspection Service published a page about brushing scams that educates consumers about how they work and why the purported "victimless crime" might be worse than it appears:
This is how it works.
A person receives packages or parcels containing various sorts of items which were not ordered or requested by the recipient. While the package may be addressed to the recipient, there is not a return address, or the return address could be that of a retailer. The sender of the item(s) is usually an international, third-party seller who has found the recipient's address online. The intention is to give the impression that the recipient is a verified buyer who has written positive online reviews of the merchandise, meaning: they write a fake review in your name. These fake reviews help to fraudulently boost or inflate the products' ratings and sales numbers, which they hope results in an increase of actual sales in the long-run. Since the merchandise is usually cheap and low-cost to ship, the scammers perceive this as a profitable pay-off.
This is why it's bad.
While it may appear to be a victimless crime — you did after all get some free stuff — the reality is that your personal information may be compromised. Often scammers obtain personal information through nefarious means and with ill-intentions, and use it for a number of scams and other illicit activities in the future.
Your fake review may prompt people to purchase worthless stuff.
In other instances, bad actors are using a person's address and account information to receive merchandise then steal it from the home before the resident is able to intercept it.
The USPIS also advised consumers about what to do if they receive an unsolicited package. For example, it recommended that consumers not pay for the unsolicited goods, that they change passwords for important online accounts to be safe and that they closely monitor credit reports, among other tips.
On the subject of brushing scams, we previously reported on another popular Facebook post telling the story of a package containing a purple hair tie.